In the latest development around the cyberattack impacting Johnson Controls International (JIC), officials at the Department of Homeland Security (DHS) are now reportedly concerned that the attack may have affected sensitive physical security information.

Johnson Controls serves as a government contractor, providing building automation services to facilities, such as HVAC, fire, and security equipment. Due to the nature of those services, officials at DHS are raising concerns about compromised information such as DHS floor plans. According to media reports, officials detailed in an internal memo that Johnson Controls holds “classified/sensitive contracts for DHS that depict the physical security of many DHS facilities.”

It is still unclear as to what information was accessed in the breach, which is believed to be a ransomware attack, but the memo stated that “until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers.”

Concerns are more heightened due to a potential government shutdown, which could begin this coming Sunday, making the incident not only a security issue, but a time sensitive one. More than 80% of the Cybersecurity and Infrastructure Security Agency (CISA) workforce will be furloughed should this shutdown go into effect, and cyberattacks across the nation’s software supply chain would put critical infrastructure at risk.

“There is absolutely a trend emerging in ransomware attacks with cybercriminals going deeper into their victims’ systems to deal a more crippling blow,” noted John Gunn, CEO at Token, in an emailed statement, underscoring the harsh levels cybercriminals are willing to go to in their attacks, including those against government agencies.

This incident highlights the executive order President Biden issued in 2021 for federal agencies to bolster their cybersecurity safeguards, and brings into question the security of third-party suppliers and contractors.