DoD working on cyber ‘warfighter scorecards’ for COCOMs’ weapons systems
The move comes as the department is pushing to bolster its cybersecurity for weapons systems in other areas, such as establishing zero trust for weapons systems by 2035.


U.S. Army Sgt. Matthew Talty (left), and Cpt. Timothy Naudet (right), both assigned to the 101st Airborne Division (Air Assault), train with the new Anduril Ghost-X Medium Range Reconnaissance (MRR) Small Uncrewed Aerial System (SUAS) at Fort Campbell, Ky., May 2, 2025. (U.S. Army photo by Pfc. Richard Ortiz)
WASHINGTON — The Department of Defense is working on creating cybersecurity assessment tools, or “scorecards,” to determine the cyber posture of weapons systems within the combatant commands, a defense official said.
David McKeown, who is performing the duties of the DoD’s deputy chief information officer for cyber and chief information security officer, said the “warfighter scorecards” will help servicemembers better understand where their weapons systems are vulnerable — something they are not fully adept at yet, he said. Right now such assessments exist, but are not as comprehensive as a scorecard would be.
“They [the COCOMs] need to know the risks that they’re incurring across all of those systems. We do an analysis of a weapons system, and we publish it, but I don’t think the combatant commands really understand the impacts of their mission. So we’re going to try to drive in more mission impact analysis,” McKeown said Thursday during the Potomac Officers Club Cyber Summit.
In addition to the current assessments lacking mission impact analysis, the department also does not properly communicate the severity of risk that a lack of cybersecurity can pose to weapon systems down to the warfighter, McKeown said.
“We have a variety of governance across the department, lots of good work being done through the Strategic Cybersecurity Program, looking at critical infrastructure, understanding where the systems are vulnerable. We don’t do a good job of exposing that to the warfighter though,” he told Breaking Defense on the sidelines of the event. “We do all this work, but we don’t scrape off the important risk information and present it to the warfighter.”
McKeown said the plan is to present the warfighters in various COCOMs with the scorecards to run tests on their weapon systems, with the results to be returned to McKeown and his colleagues, who will later share further analysis. However, McKeown said they will only share the “red” areas, otherwise known as risk areas, with the warfighters.
With this information, he said, the warfighters should participate in war games where they will integrate the cyber vulnerability and then practice taking the affected component out of the weapons system so they can determine how the system would operate if it were attacked by a threat actor in a real-world scenario.
This will require the warfighter to “decompose” their mission to figure out how to operate without certain cyber functions in place, McKeown said.
“You’re gonna have to do the mission decomposition out of all these building blocks that we’re studying,” he told Breaking Defense. “They need to know how they fit together. Like, if I pull out that building block because of a cyber attack, what’s the effect on the system?”
McKeown said the department is still in the process of constructing the scorecards, which will be completed in his offices as well as within the Strategic Cybersecurity Program and the department’s acquisition and sustainment arm.
The move to create the scorecards for weapon systems comes as the department is pushing to bolster its cybersecurity for weapons systems in other areas. As Breaking Defense previously reported, the Pentagon announced its goal of establishing zero trust for all its weapons systems by 2035.