This is interesting. While I can understand the US Government feels the need to 'do something' (a feeling common to politicians of all nationalities and sides), I'm not sure if a Government-mandated set of compliance rules is the best solution. Companies that have spend millions on SOX and PCI-DSS compliance have proven far from invulnerable to cyberattack or data breach. It not like the DHS can keep their own house in order as it is (although they have apparently been improving).