Malicious cyber criminals use all techniques at their disposal, fair or foul, to access valuable data from private and public organizations. Global cybersecurity firms (such as Coalfire) involved in technical testing are professionally contracted to simulate real-world attacks, using the same techniques any attacker may use, to test a company's defenses so that the company can remedy its vulnerabilities before a real-world attack occurs.

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

Links below are to the contract documents with allowable redactions:

Requirements and Assumptions

Service Order—Redacted

Rules of Engagement—Redacted

Social Engineering Authorization—Redacted

Master Agreement—Redacted