The first is Senate Bill 2182. Reported out of the Senate Commerce, Science and Transportation Committee last week, 2182 would require that all computers used by the federal government implement appropriate "best security practices." If passed by the full Senate and House of Representatives, this bill would require the federal government to be as secure as your enterprise should be (but probably isn't). Moreover, we can expect the government to adopt best practices that are equivalent to those in private industry.
Meanwhile, across the river in Virginia, the Department of Defense (DoD) just announced its new National Information Assurance Acquisition Policy. In brief, this policy requires that all DoD computers and networks use only products certified by the National Information Assurance Partnership. The rule would apply to "information assurance enabled products." You'll only be limited if you're the DoD or a company or agency doing business with the DoD. (But first, someone has to decide what an information-assurance-enabled product is.)
Even if you don't work for the federal government, your business may be affected by these initiatives. While neither the DoD policy nor the Senate bill specifically requires it, you can assume that you'll have to meet the same standards if you do business with the federal government, even indirectly. Whatever security requirements ensue will be a part of every federal contract, extending to subcontractors as well.
Now, keep in mind that just passing a law or creating a policy is no reason to believe things will change. This is especially the case with DoD security policies that are announced to much fanfare, only to drop into oblivion when backs are turned.
In the case of the Senate bill, it's a lot harder for agencies to ignore a law than it is to ignore a policy. This particular law puts an implementation process into effect and makes the National Institute of Standards and Technology (NIST) responsible for standards and benchmarks to be used with the new requirements. In addition to NIST's role, S. 2182 would require the National Science Foundation to issue security research grants to universities and encourage the teaching of security practices.
This is an important step, and it starts to make the government look more like a leader than a laggard. Security on federal computer systems and networks has been woefully inadequate; witness the defacements of everything from the FBI to the White House Web sites. In addition, it seems clear that government computer systems are targets for powers that would do the federal government harm. So the fact that these efforts exist is good, and it would be better if they were actually implemented.
One thing you can assume, however, is that when the feds adopt new security standards, any company that does business with them--directly or indirectly--will have to comply, too. Your best bet is to be proactive--see how you can get involved with government plans, share your best-practice strategies, and don't wait for new laws to be forced upon you.