Is America’s Cyber Infrastructure Engineered To Hold?
The U.S. Cyber Architecture and Engineering Report Card grades how well industries protect private data and critical services by examining the architecture patterns behind breaches and outages.
Release Schedule:
Quarterly Progress Updates
Full Annual Report Card (Q4)
What is the U.S. Cyber Architecture and Engineering Report Card?
The U.S. Cyber Architecture and Engineering Report Card, or U.S. CAE Report Card, is an independent assessment of how key U.S. industries design and operate the digital systems that handle money, health records, government services, communications, and more.
Instead of counting tools or policy statements, the report examines underlying architecture and engineering practices and asks a simple question: are these systems structured in a way that can reasonably protect the public against modern attacks?
The result is a clear, accessible “report card” that summarizes how different sectors are performing and where structural weaknesses continue to put people, businesses, and critical services at risk.
Why a CAE Report Card is Urgently Needed?
Each year, millions of people in the United States are affected by data breaches, leaks, and disruptive cyber incidents that expose personal information, halt essential services, and damage trust. Public statements often describe what was stolen or how long systems were offline, but rarely explain how the design of those systems allowed the failure in the first place.
The U.S. CAE Report Card fills that gap. It focuses on:
-
How well industries protect the data and services that the public relies on every day.
-
Where recurring architectural patterns lead to repeated types of incidents.
-
Which sectors are strengthening their foundations, and which remain fragile?
This is not about blame for individual organizations. It is about giving the public, policymakers, and leaders a clearer picture of how well the nation’s digital infrastructure is being engineered to protect them.
What The Report Examines
The report draws on publicly available information, regulatory disclosures, major incident reports, independent research, and sector-level analysis. For each industry, it considers factors such as:
-
The resilience of core systems that process payments, health records, government data, and critical services.
-
Patterns in recent breaches and outages that reveal design weaknesses, not just operational mistakes.
-
The maturity of identity, cloud, data, and monitoring architectures should prevent minor issues from becoming national news.
The evaluation approach is grounded in established cybersecurity architecture and engineering practice, including formal standards developed by ISAUnited.org. Those standards provide a reference for what sound design looks like, but the report card itself remains focused on public safety, service reliability, and protection of private data.
How is the Report Card Graded?
The U.S. CAE Report Card uses the Defensible 10 Standards (D10S) as the grading backbone. D10S defines 10 cybersecurity architecture and engineering domains that determine whether modern environments can protect private data, contain attacker movement, and sustain critical services under real-world pressure. Each industry grade reflects how incident patterns, disclosures, and publicly visible signals map to these domains across the whole year.
D10S is used here as an engineering reference model, not as a product framework.
Independent and Vendor Neutral
No products. No paid placement. No tool agenda.
Many annual cyber reports in the market are written or sponsored by vendors whose business depends on promoting specific tools, platforms, or managed services. That can make it difficult for boards, executives, and practitioners to separate marketing from signal.
The U.S. CAE Report Card takes a different path:
-
It is vendor-neutral and tool agnostic.
-
It does not sell rankings, sponsorships, or paid visibility to product vendors or third parties.
-
It focuses on system design, architectural patterns, and engineering quality, regardless of which brands an organization chooses.
The goal is to provide a clearer, more trustworthy picture of how well sectors are protecting the public, not to steer anyone toward a particular product.
Using the Report Card
What you can do next:
-
Read the findings for your industry and discuss them with leadership teams and oversight bodies.
-
Compare recent incidents in your sector with the architectural themes described in the report.
-
Identify one or two structural weaknesses that your organization can address in its architecture and engineering plans over the next year.
The U.S. Cyber Architecture and Engineering Report Card is intended to start a different conversation about cybersecurity in the United States: one that treats digital systems as engineered structures with real safety implications, and measures how well those structures are holding up under pressure.
Turn Data Into Defensible Cybersecurity.
The Cyber Sciences Division advances ISAUnited’s data-driven research and technical scoring methods that support the U.S. Cyber Architecture and Engineering Report Card. We welcome volunteer data scientists, data engineers, analytics engineers, and research-focused practitioners who want to strengthen measurable cybersecurity outcomes through evidence-based analysis, defensible metrics, and repeatable evaluation models.
