But you have to ask the right questions. Two senators have sent a letter to 24 US agencies asking them to report on their progress in data protection. This article at Federal Computer Week highlights the woeful state of security compliance at most US agencies.
This is great. There can be no change without someone asking these kinds of questions. But what worries me is that adopting policies such as NIST SP 800-53 is only the very first step towards becoming secure. GAO and the other agencies attempting to address the sorry state of security across the federal government should move on to requiring more proactive steps. Things like:
Every firewall will be set up to deny by default.
Every firewall will explicitly block high-numbered (unprivileged) ports.
Telnet, FTP, and TFTP may not be used unsecured; they carry credentials and data in the clear.
Administrative access will be granted only via strong authentication.
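As an added illustration, not taken from the original post, the following shell script audits an iptables-save dump against the first three mandates: deny-by-default chain policies, no ACCEPT rules for high-numbered ports, and no exposed Telnet, FTP or TFTP listeners. The fourth mandate, strong authentication for administrative access, is enforced on the hosts and identity system rather than in the packet filter, so it is outside what a firewall audit can check. Both rule dumps are constructed samples (a weak configuration beside a hardened one), and the iptables-save text format is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump
# against the firewall mandates. Both rule dumps are constructed samples,
# not captured from any real host.

# Constructed: accept-by-default, cleartext services and a high port exposed.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 69 -j ACCEPT
-A INPUT -p tcp --dport 5900 -j ACCEPT
COMMIT'

# Constructed: deny by default, only SSH and HTTPS explicitly allowed.
HARDENED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT'

# audit_ruleset RULES
# Prints one finding per line and returns non-zero if any mandate is violated.
audit_ruleset() {
  rules="$1"
  findings=0

  # Mandate 1: deny by default. Inbound and forwarded chains must default to DROP.
  for chain in INPUT FORWARD; do
    policy=$(printf '%s\n' "$rules" | awk -v c=":$chain" '$1 == c { print $2 }')
    if [ "$policy" != "DROP" ]; then
      echo "chain $chain default policy is '${policy:-missing}', expected DROP"
      findings=$((findings + 1))
    fi
  done

  # Mandate 2: no ACCEPT rule may open a high-numbered (>1023) destination port.
  for port in $(printf '%s\n' "$rules" | awk '
      /^-A INPUT / && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++)
          if ($i == "--dport" && $(i+1) + 0 > 1023) print $(i+1)
      }'); do
    echo "INPUT accepts high port $port; high ports must be explicitly blocked"
    findings=$((findings + 1))
  done

  # Mandate 3: cleartext services (telnet 23/tcp, ftp 21/tcp, tftp 69/udp)
  # must not be reachable through the firewall.
  for svc in "tcp 23 telnet" "tcp 21 ftp" "udp 69 tftp"; do
    set -- $svc
    if printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*-p $1 .*--dport $2( |$).*-j ACCEPT"; then
      echo "INPUT accepts $3 ($2/$1); unencrypted protocol must not be exposed"
      findings=$((findings + 1))
    fi
  done

  [ "$findings" -eq 0 ]
}

# Demonstration: the weak dump fails with six findings, the hardened one passes.
if audit_ruleset "$WEAK_RULES"; then echo "weak ruleset: PASS (unexpected)"; else echo "weak ruleset: FAIL"; fi
if audit_ruleset "$HARDENED_RULES"; then echo "hardened ruleset: PASS"; else echo "hardened ruleset: FAIL (unexpected)"; fi
```

On a live host the same function can be fed `iptables-save` output directly (`audit_ruleset "$(iptables-save)"`), which makes the check usable as a scheduled compliance probe rather than a one-off review.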
These mandates would be a start. After getting over the firestorm of objections, the GAO could start work on configuration management and universal strong authentication.
Update: Stiennon's blog has moved to here.