http://www.eweek.com/article2/0,3959,387377,00.asp "All the while maintaining that the government will not set IT security requirements for the private sector, top federal IT officials today said they expect such mandates will be imposed on federal agencies and that the same standards will also be used by industry." While standards are great, one-size-fits-all standards aren't. When the government's cyber-security plan is released in September, will there be 500 requirements that Internet Service Providers must meet? Should ISPs be more secure than the post office or the telephone or the bike messenger? Must Bill's Bait & Sushi Shop ISP Service meet the same security requirements as the ISP for the White House? ISPs come in all sorts of shapes and sizes. Consumers use cordless phones at home, but the NSA prohibits use of cordless phones in secure areas. Just because the government issues a security standard doesn't make it suitable for all purposes. Some people like paying $9.95 for Internet service from an ISP without a backup generator, and wouldn't want to pay $29.95 for a "certified" ISP with a backup generator. If the $9.95 ISP fails, heck they could almost afford two more for the same price as a single "certified" ISP. Sometimes a hammer is just a hammer, and you don't need a MIL-SPEC. If the Department of Homeland Security creates a new security standard for ISPs, what do you think will happen to any ISP which doesn't meet it? The security "Gold Standard" for Microsoft 2000 was written by the Critical Infrastructure Protection Board, the Center for Internet Security, the National Security Agency, the General Services Administration, the National Institute of Standards and Technology, and the SANS Institute. Do you know who is writing the security "Gold Standard" for Internet Service Providers?