A bill has been introduced to improve upon an existing security directive that is deemed flawed and impractical. Rather than merely requiring agencies to monitor and report on security measures and compliance, it would mandate actively assessing and improving security measures in government agencies.
The 2009 United States Information and Communications Enhancement Act (ICE) bill will assign the Department of Commerce to establish information security standards for all federal agencies, including the Department of Defense and auxiliary intelligence agencies. If it is passed, it will replace the Federal Information Security Management Act (FISMA), a revised version of an earlier 2002 law that was not voted on by the Senate. Instead of merely requiring agencies to write reports on compliance with security standards, the ICE Act will mandate the appointment of a chief information security officer to monitor and respond to any information security threat across the federal agencies. This new position will hold office at a new agency mandated by the bill, the National Office for Cyberspace. The president will be responsible for appointing this director, whose job will be to formulate a national cyberspace strategy as well as to enforce security measures and guidelines in federal agencies. The director will also evaluate the effectiveness of each security program and act upon any vulnerabilities discovered in these systems.
The security standards themselves, however, will be set by the Secretary of Commerce based on guidelines from the National Institute of Standards and Technology (NIST). The bill will also require contractors providing products and services to the government to submit to the same security standards as the intelligence and military agencies. This is a change from the current practice, in which the Department of Defense and the National Security Agency directly manage security systems for these auxiliary groups supporting national security.
Gregory Garcia, former assistant secretary of cyber security and telecommunications for the Department of Homeland Security, believes that assigning the Department of Commerce to set the standards may not go over well with the Department of Defense. He also believes that the new bill does not clearly define final jurisdiction, which may cause different agencies to squabble over the job of forming policies.
Fears have also been raised that the law does not set stricter rules for cybersecurity. The wording of the new bill may be exploited by those wishing to keep the current NIST standards in place. Much of what NIST advises agencies to do is to certify systems, accredit their security measures, and list the sensitivity of the information stored in each system. Critics say this is little more than a paper exercise that does not mandate any real security improvements.