[MrMorden]

Compliance with NIST SP 800-53 is mandatory per statute and DHS policy. That system has an identified ISSO, ISSM, ISSPM, DAO, and AO who are responsible for authority to operate being given. If the paperwork is in place, a government employee signed off on that network's operation. If not, it doesn't have ATO and there's a government employee (the AO or CIO) responsible for allowing a such a network to be connected to government systems and store government-controlled information.

[01100011]

I worked at a government contractor who was rolling out NIST compliance. Everyone, from IT to engineers, hated it. You can rest assured that as soon as someone isn't looking, they're going to violate it.

[enraged_camel]

I have never come across a compliance policy that people didn't hate.

Compliance, almost by definition, needs to make people's job harder, or create extra work. Because people are lazy, and they tend to go for the path of least resistance, and those are not good things in the context of safety and security.

[MrMorden]

Compliance is a tool. It's used to enable security iff the C-suite want to use it that way; otherwise, it's just another meaningless metric.