The scorecard currently includes a "CIO direct reporting" component, which assesses how much real authority each agency gives to their top IT leader.

For the first time, agencies were required to report only incidents that affected their operations, and to break those incidents down based on the attack vector used.