Congress would write a law with general objectives, and leave the regulatory work to an exec branch agency. The regulations generally either reference or draw inspiration from NIST.
HHS uses NIST stuff to guide HIPAA. IRS is more prescriptive, but everything in IRS 1075 is still based on NIST stuff.
You have to separate the political puffery from reality. The Federal government is very good at establishing effective regulatory frameworks. They fall down with the long-term maintenance of regulations, as it's often difficult to keep the legal mandate up to date.