Apparently, when it rains it pours. I picked up this link this evening:
I suppose what scared me the most when I read this little article is this line:
"Members of the federal information security community have been involved in shaping the bill..."
Which means vendors. I also think the CISO council that they want formed will need defined intervals and smaller working groups inside that structure.
Lastly, this idea of DHS running a red team. Why not fund each IG with the ability to do real audits? Or the GAO? Then there isn't going to be any of this "DHS isn't going to look at my stuff." Because I agree that the red team would have to be so big that managing it would be close to impossible.
We'll see though. My final thought, based on what little information I have here, is ... let's treat the problem, not the symptoms. What I mean is, why can't they legislate better risk management rather than running some more scans?
You know why ... vendors sell scanning tools, not solid risk management processes and procedures. I'm just saying.