<P> In 2011 the DoD released a guidance called the Department of Defense Strategy for Operating in Cyberspace which articulated five goals: to treat cyberspace as an operational domain, to employ new defensive concepts to protect DoD networks and systems, to partner with other agencies and the private sector in pursuit of a "whole - of - government cybersecurity Strategy", to work with international allies in support of collective cybersecurity and to support the development of a cyber workforce capable of rapid technological innovation . A March 2011 GAO report "identified protecting the federal government's information systems and the nation's cyber critical infrastructure as a governmentwide high - risk area" noting that federal information security had been designated a high - risk area since 1997 . As of 2003 systems protecting critical infrastructure, called cyber critical infrastructure protection of cyber CIP have also been included . </P> <P> In November 2013, the DoD put forward the new cybersecurity rule (78 Fed . Reg. 69373), which imposed certain requirements on contractors: compliance with certain NIST IT standards, mandatory reporting of cybersecurity incidents to the DoD, and a "flow - down" clause that applies the same requirements to subcontractors . </P> <P> A June 2013 Congressional report found there were over 50 statutes relevant to cybersecurity compliance . The Federal Information Security Management Act of 2002 (FISMA) is one of the key statutes governing federal cybersecurity regulations . </P> <P> There are few federal cybersecurity regulations, and the ones that exist focus on specific industries . The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm - Leach - Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). The three regulations mandate that healthcare organizations, financial institutions and federal agencies should protect their systems and information . For example, FISMA, which applies to every government agency, "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security ." However, the regulations do not address numerous computer related industries, such as Internet Service Providers (ISPs) and software companies . Furthermore, the regulations do not specify what cybersecurity measures must be implemented and require only a "reasonable" level of security . The vague language of these regulations leaves much room for interpretation . Bruce Schneier, the founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless government forces them to do so . He also states that successful cyberattacks on government systems still occur despite government efforts . </P>

What is the latest regulatory frontier in the united states