The United States Marshals Service Judicial Security Process

Evaluation and Inspections Report I-2007-010
September 2007
Office of the Inspector General


In March 2004, the Department of Justice (Department), Office of the Inspector General (OIG) issued a report on the United States Marshals Service’s (USMS) judicial security process.7 The OIG found that:

The OIG conducted this current review to follow up and examine the USMS’s progress since our March 2004 report.

The USMS judicial security operations examined in this report encompass three broad areas: the assessment of reported threats made against USMS protectees; the development of a protective intelligence capability to identify potential threats; and recent measures to improve judicial security and to enhance the USMS’s capability to respond to judicial security incidents.


One of the critical missions of the USMS is to protect the members of the judiciary. The USMS is responsible for protecting approximately 2,200 federal judges and 5,500 other individuals who work alongside the federal judiciary, including prosecutors and jurors, at over 400 court facilities nationwide. The primary duties the USMS performs to ensure the security and safety of its protectees and the judicial process are providing personal protection, providing physical security in courthouses, safeguarding witnesses, and transporting and producing prisoners for court proceedings. USMS protectees can include:

According to the USMS, in performing its judicial security mission in fiscal year (FY) 2006 it:

According to the USMS, the number of reported inappropriate communications and threats against members of the judiciary has continued to increase since FY 2002. The USMS defines an inappropriate communication as any communication directed to a USMS protectee that warrants further investigation. The USMS defines a threat as “any action, whether explicit or implied, of intent to assault, resist, oppose, impede, intimidate, or interfere with any member of the federal judiciary or other USMS protectee, including staff and their family.”8 Inappropriate communications and threats can be delivered in writing, electronically, telephonically, verbally, through an informant, or through some suspicious activity around the protectee. Chart 1 illustrates the number of reported inappropriate communications and threats from FY 2002 to FY 2006. The USMS expects to receive between 1,200 and 1,300 such communications by the end of FY 2007, although this number is not fully comparable to prior years’ numbers because of a procedural change implemented in FY 2007. Office of Protective Intelligence managers told us that in FY 2007 they began coordinating and consolidating investigations involving mass mailings and habitual letter writers across districts, which reduced the number of new investigations recorded in the Warrant Information Network/Justice Detainee Information System (WIN/JDIS) by approximately 100 cases.9

Chart 1: Number of Reported Inappropriate Communications
and Threats, FY 2002 Through FY 2006

FY 2002: 565, FY 2003: 592, FY 2004: 665, FY 2005: 953, FY 2006: 1111.

Source: USMS FY 2008 Performance Budget

Table 1 shows the 10 USMS districts with the largest number of reported inappropriate communications and threats for FY 2006.10

Table 1: Districts With the Highest Number of Reported
Inappropriate Communications and Threats in FY 2006

Ranking District Number
1 Nevada 227
2 Central California 46
3 Northern Georgia 44
4 Southern Texas 35
5 Northern California 32
6 Southern Florida 30
7 Southern New York 29
8 Northern Illinois 28
9 Eastern Louisiana 25
10 Middle Florida 20

Source: USMS

According to the USMS, of the 1,111 inappropriate communications and threats reported in FY 2006:

USMS Headquarters Operations

Judicial Security Division

The USMS Judicial Security Division (JSD) is responsible for the USMS’s federal judicial security programs, including protective intelligence operations, physical protection of judicial facilities, personal protection, and technical security operations for the judiciary. The JSD’s strategic plan for 2007-2011 states that the JSD:

The JSD consists of two operational components – Judicial Services and Judicial Operations – and an Office of Management and Administration (see Figure 1).

Figure 1: Judicial Security Division

[Image Not Available Electronically]

Source: USMS 12-16-06

Judicial Services

The Judicial Services component has oversight for the USMS judicial security programs, which are funded by the Administrative Office of the United States Courts’ (AOUSC) court security appropriation. This funding provides for the Court Security Officer program, security equipment and systems for space occupied by the judiciary, and for USMS employees to administer the daily functions. The Judicial Services component is responsible for overseeing four areas:

Judicial Operations

The Judicial Operations component utilizes a national network of operational personnel (Inspectors) and physical security specialists to manage personal and facility security issues for the judiciary. The Judicial Operations component is responsible for overseeing three areas:

The Office of Protective Intelligence

On June 1, 2004, the USMS Director realigned existing resources and established the OPI within the JSD.12 The goals of the OPI are to:

The OPI comprises three components: the Investigations Branch, the Intelligence Branch, and the Threat Management Center (see Figure 2). The JSD requested six Inspector positions for FY 2008 for the Threat Management Center. In the interim, the JSD plans to staff the Threat Management Center with personnel from the Investigations Branch.

Figure 2: Office of Protective Intelligence

[Image Not Available Electronically]

Source: USMS June 2007

Investigations Branch

The Investigations Branch’s primary duty is to provide investigative oversight and analysis of inappropriate communications and threats reported by the districts to the OPI. Investigations Branch staff also produce and disseminate judicial security-related information to the districts, including alert notices, information bulletins, and foreign travel briefs. The Investigations Branch staff comprises six circuit teams.14 Each team is responsible for 2 of the 12 judicial circuits and the respective USMS districts that fall within the circuit court structure.

Intelligence Branch

The Intelligence Branch is responsible for the collection and review of information and intelligence from USMS districts, through its liaisons with other federal law enforcement entities, and from other sources. Additionally, this branch is responsible for oversight of the USMS program involving its representatives assigned to the Federal Bureau of Investigation’s (FBI) Joint Terrorism Task Forces (JTTF).15

As of July 2007, the Intelligence Branch had six full-time staff assigned. One Branch Chief and a JTTF Program Coordinator operate out of USMS headquarters. In addition, four Inspectors were assigned as full-time liaisons with other federal law enforcement entities. These Inspectors coordinate with the FBI’s National Joint Terrorism Task Force; the FBI Washington Field Office’s JTTF; the Federal Bureau of Prisons’ Sacramento Intelligence Unit; the Supreme Court Police; the U.S. Capitol Police; the District of Columbia Metropolitan Police Department; and the Department of Homeland Security Office of Intelligence and Analysis.16

In addition to assigning full-time liaisons to these law enforcement agencies, the USMS also has established other contacts and working relationships to obtain and share information with the U.S. Secret Service; the Central Intelligence Agency; the National Security Agency; the Department of State’s Diplomatic Security Service; the Defense Intelligence Agency; the Pentagon Force Protection Agency; the Drug Enforcement Administration; the Bureau of Alcohol, Tobacco, Firearms and Explosives; the Federal Air Marshal Service; the Transportation Security Administration; Immigration and Customs Enforcement; Customs and Border Protection; and numerous state and local fusion centers, such as those in Virginia, New York, and Texas.17

Threat Management Center

At the time of the OIG review, the Threat Management Center was not yet operational, but was scheduled to initiate operations on September 14, 2007. It is organizationally located in the JSD and will eventually be staffed 24 hours a day. The Threat Management Center will initially be staffed by Investigations Branch personnel, but six Inspector positions have been requested for FY 2008 to permanently staff the Threat Management Center. The Threat Management Center is housed within a sensitive compartmented information facility so that information classified as Top Secret can be analyzed and retained. The Threat Management Center will serve as the single point of entry for the reporting of all threats, inappropriate communications, incidents and suspicious activities from the 94 USMS districts and 12 judicial circuits as well as from other law enforcement agencies. According to the USMS, the Threat Management Center will conduct record checks and provide recommendations for protective investigations to the districts. Once the Threat Management Center is operational, the USMS will internally review and assess its capabilities, then create, revise, and formalize the necessary policies and procedures to ensure its effective operation.

USMS District Operations

When a USMS district has either identified or had an inappropriate communication or threat reported to it by a member of the judiciary, the initial information gathered during the protective investigation is entered into WIN/JDIS and forwarded electronically to the OPI for research and analysis. The districts are responsible for conducting protective investigations and determining the threat management strategy needed to reduce or control any potential risk to protectees. The district offices are also responsible for making the final assessment of the level of risk.

In the districts, Judicial Security Inspectors oversee the protective investigations, which are conducted by District Threat Investigators.

Judicial Security Inspectors

In FY 2002, Congress appropriated funding for hiring 106 new Judicial Security Inspector positions within the 94 judicial districts and the 12 circuit courts.18 Judicial Security Inspectors are senior-level Deputy Marshals that:

District Threat Investigators

The District Threat Investigators, in consultation with the district Judicial Security Inspectors, conduct protective investigations into inappropriate communications or threats made against USMS protectees. The District Threat Investigator’s primary goal is to devise and implement a threat management strategy to mitigate any potential risk to the protectee.

According to the USMS, as of March 2007 there were 338 Deputy Marshals who had been designated as District Threat Investigators in the 94 districts. The number of District Threat Investigators in a district ranges from 1 to 10 with an average of 4 per district. Because of staffing levels, multiple USMS missions, and variations in the number of reported threats in a district, in some districts the District Threat Investigator duty is a collateral duty. Of the 338 District Threat Investigators, 55 have been designated as full time, and 283 performed the District Threat Investigator function as a collateral duty.

USMS Threat Management Program

Upon being notified of a suspicious activity, event, or communication, the District Threat Investigator makes the initial determination whether it meets the criteria of an inappropriate communication or threat. If it meets the criteria, the district Judicial Security Inspector and District Threat Investigator work as a team to implement the USMS’s threat management program, which involves three elements:

Interim Protective Measures

While an inappropriate communication is being assessed by the OPI, the district determines what level or type of protective response is appropriate based on the information known. Some steps the district may take are:

After assessing the risk and using risk-based standards, USMS district officials also may initiate a protective detail. The districts are responsible for providing Deputy Marshals, administrative support, and any other resources needed during the first 72 hours of a protective detail. If the protective detail lasts longer than 72 hours, the districts may request additional staffing and funding from the JSD’s Office of Protective Operations. The office reviews protective detail funding and staffing requests to ensure the appropriate protective and investigative measures are maintained.

Protective Investigations

A protective investigation is the systematic collection and assessment of available information to determine the individual’s or group’s true intent, motive, and ability to harm or pose a threat to a USMS protectee. A protective investigation begins immediately at the district upon receipt of an inappropriate communication or threat.

The USMS and the FBI both have responsibility for assessing and investigating threats. The USMS directives state that the USMS reports all threats to the FBI, which has the primary responsibility for conducting criminal investigations of threats to USMS protectees for the purpose of prosecution.19 The USMS conducts protective investigations that focus on mitigating the potential for harm to a protectee, regardless of the possibility for prosecution. If a protective investigation determines that a threat is likely to be carried out, the district develops a plan that incorporates a range of tactics and strategies designed to identify, assess, and mitigate any potential risk of harm to a protectee. Tactics may include:

Threat Assessments

The district prepares an investigative report on a USM-550 form and forwards it to the OPI for research and analysis to assist the district in making an assessment.20 District personnel also create a case record and enter investigative information and any details, including any supporting documentation (such as photographs), directly into WIN/JDIS. Once the initial case information is in WIN/JDIS, the district uses the system to manage and monitor the progress of the case. District management can also use the system to track and generate reports of how many inappropriate communications have been received, investigated, and closed. Any subsequent information gathered by the district during the protective investigation is entered into the WIN/JDIS record and is also provided to the OPI on a USM-11 form.21

OPI staff may be asked to confirm that the communication meets the criteria required for an inappropriate communication. If the criteria are met, the OPI begins its analysis (see Figure 3). The process starts with queries of specific agencies and databases, including the U.S. Secret Service’s threat database (called TAVISS), to determine whether the individual or group has made previous threats or has any law enforcement records. These queries may provide information about the individual’s or group’s possible intent, motive, or ability to carry out the threat.

JSD managers told us that for cases that are “more serious or threatening,” they have established a “major case category.” Some of the criteria for these cases are (1) the threatener continues to demonstrate intent, motive, and ability; (2) the threatener is being released from custody following a conviction for threats, stalking, or assault on a USMS protectee; or (3) the threat involves mass mailings crossing over several districts. For major cases, the district closes the case in WIN/JDIS, and OPI staff reopen the case using a new case code and assume management of the case. OPI staff routinely notify other districts of threateners that send mass mailings and that are active in multiple districts.

Figure 3: OPI Threat Assessment Process

[Image Not Available Electronically]

Source: USMS

The OPI conducts two computer-based analyses using the information from the district and its database queries. The first analysis is a comparative analysis that compares the case’s known characteristics with previous threat cases maintained in the USMS’s historical threat database. This database contains inappropriate communications and threat cases that have been closed and assigned an outcome of false, enhanced, or violent. The result of the comparative analysis is expressed in a score that indicates how closely the characteristics of the case being assessed match those of prior cases.

The second analysis is called a MOSAIC assessment. Using the investigative information to answer established questions about the case being assessed, the OPI applies the MOSAIC proprietary software to produce a numerical rating and information quotient. The numerical rating is expressed on a scale of 1 to 10. The higher the rating, the more the case under review resembles past cases that have escalated or resulted in violence. The information quotient, which is expressed on a scale of 0 to 200, is based on the number of questions that have been answered by the investigation at that point. The more questions that have been answered, the more reliable the result.

Once the two analyses have been completed, the record in WIN/JDIS is updated with the scores, and the results are sent to the district. The two analyses should have similar outcomes. If the comparative analysis score indicates low risk, then the proprietary analysis score should indicate low risk as well. When the two analyses do not show a similar outcome, the OPI can attempt to resolve the disparity by requesting additional investigative information from the district and reassessing the threat, or it can provide possible explanations for the disparity to the district.

The district can use the scores to help determine if the necessary protective measures have been taken and if the protective investigation is on the correct path. If significant new information on the case is collected during the course of the protective investigation after the assessment scores have been disseminated, the district can request that the OPI reassess the threat. The USMS has indicated that both scores are viewed as “tools” to assist the district in making a determination of the potential risk the threat does or does not present to the protectee.

The OPI expects to depart from reporting only the scores that result from this process at the end of FY 2007. OPI officials said that beginning in October 2007, they will work more collaboratively with the districts on assessing threats over the length of the protective investigations through an ongoing exchange of information between the District Threat Investigator and the investigator/analyst team in the OPI.

March 2004 OIG Report on Judicial Security

In our March 2004 report, we evaluated the USMS’s efforts after September 11, 2001, to improve its protection of the federal judiciary. We focused specifically on the USMS’s ability to assess threats and determine appropriate measures to protect members of the federal judiciary during high-threat trials and when they are away from the courthouse. We found that:

Consequently, the OIG made six recommendations to the USMS:

  1. Ensure that all threats to the judiciary are assessed within established time frames.

  2. Update the historical threat database or develop a new database to perform comparative assessments.

  3. Assign full-time representatives to all 56 FBI field office JTTFs and ensure effective USMS liaison with other intelligence agencies.

  4. Create a centralized capability to identify, collect, analyze, and share intelligence.

  5. Ensure that all Chief Deputy Marshals and all JTTF representatives have Top Secret clearances and ensure that each district has operational secure communication equipment.

  6. Revise USMS guidance to establish risk-based standards and require after-action reports for high-threat trials and protective details.

The USMS concurred with all six of the recommendations and during the next 2 years reported to the OIG the steps it had taken to implement them. The USMS stated that it had revised its established time frames for assessing threats; updated the historical threat database; increased the number of liaisons with other law enforcement and intelligence agencies and requested additional resources to increase representation on the JTTFs; established an OPI; increased the number of Top Secret security clearances and secure communications equipment in the districts; and issued revised judicial security directives that included risk-based standards and after action reports.

  1. Department of Justice, Office of the Inspector General, Review of the United States Marshals Service Judicial Security Process, Report I-2004-004, March 2004.

  2. USMS Directive 10.16, Protective Investigations, April 2006.

  3. WIN/JDIS consolidates judicial threat data with warrant, criminal history, prisoner scheduling, and booking information in a single database. As the USMS’s central law enforcement information system, WIN/JDIS is used to manage records and information collected during fugitive investigations and protective investigations involving potential threats made against the federal judiciary. WIN/JDIS contains current and historical case data for all USMS investigations. It is also used to access the National Law Enforcement Telecommunication System and National Crime Information Center systems to obtain criminal record information from other federal, state, local, and foreign law enforcement agencies.

  4. Based on information contained in the USMS’s Warrant Information Network (WIN/JDIS) system that was provided to the OIG for analysis in November 2006, there were 1,059 reported threats in FY 2006. The USMS explained that the data it provided to the OIG does not match the 1,111 threats it reported to Congress in January 2007 (Chart 1) because WIN/JDIS allows case records to be updated or deleted and, therefore, the number of threats recorded in WIN/JDIS changes on a regular basis.

  5. In the District of Nevada, a USMS official estimated that between 180 and 190 of the 227 reported inappropriate communications or threats in FY 2006 were attributable to one high-profile case.

  6. The USMS reported the date of June 1, 2004, to the OIG in response to a recommendation in the OIG’s March 2004 report, Review of the United States Marshals Service Judicial Security Process. On other occasions, the USMS has also cited July 1, 2005, as the date the OPI began operations, which is when the threat analysis and protective investigation functions were transferred from the Investigative Services Division’s Analytical Support Unit to the OPI.

  7. OPI presentation made to USMS Protective Investigations Training Program participants, Federal Law Enforcement Training Center, July – August 2006.

  8. When fully staffed, each team will consist of one Intelligence Research Specialist and one Criminal Investigator.

  9. In September 2006, the USMS formalized its JTTF Program to collect and disseminate pertinent and timely intelligence to best support USMS core missions and programs. There are currently over 100 FBI JTTFs operating throughout the United States. Each JTTF includes members from federal, state, and local law enforcement organizations. The JTTFs are intended to enhance the collection and sharing of information and intelligence, and to work on specific FBI domestic and international terrorism investigations. The USMS began participating on JTTFs in July 2001 when it entered into a Memorandum of Understanding with the FBI.

  10. One additional position is assigned to the Department of Homeland Security and reports directly to the Deputy Assistant Director for the JSD.

  11. Fusion centers blend relevant law enforcement and intelligence information analysis and coordinate security measures to reduce threats in local communities. According to the Department of Homeland Security, fusion centers provide critical sources of unique law enforcement and threat information and facilitate sharing information across jurisdictions and function.

  12. The 94 district Judicial Security Inspectors report directly to the U.S. Marshal or Chief Deputy U.S. Marshal in their assigned district. The 12 Circuit Court Inspectors report to the Chief, Office of Protective Operations, Judicial Security Division. The Judicial Security Inspector Program became operational in May 2003.

  13. A criminal investigation focuses on the collection of evidence that shows that the individual made a threat. The FBI conducts the criminal investigations, though in some instances, it may decline to proceed and the USMS conducts the investigation. A protective investigation by the USMS can run concurrently with a criminal investigation and can continue after the criminal investigation is closed. The goal of a criminal investigation is to prosecute, and the goal of a protective investigation is to mitigate the threat.

  14. The USM-550 Preliminary Threat Report is a form is submitted by the district in conjunction with a WIN/JDIS entry during the process of initiating a protective investigation. The USM-550 supplements the data in WIN/JDIS so that the OPI can conduct a more thorough threat analysis.

  15. The USM-11 Report of Investigation is a form submitted by the district to update information on a previously reported inappropriate communication.

« Previous Table of Contents Next »