I find this note from a recent GovExec story valuable:
"House Government Reform Chairman Tom Davis, R-Va., said Thursday [7 April] that agencies could have their budgets cut if their information technology security does not improve.
With several agencies struggling to meet requirements of the 2002 Federal Information Security Management Act, Davis said that compliance eventually has to be tied to funding."
This will never happen. Does Congress advocate cutting funds to poorly performing schools? Regardless of the merits of the approach, I can not see enough people supporting this tactic. Agencies will continue to "muddle through" until evidence of a massive intrusion becomes public. I hope that day never arrives, though.