However, once some recommendations are written as standards, and understood and at least partly implemented by some manufacturers, it would be quite straightforward for other laws to prohibit sales to consumers or import of certain product categories unless they meet those standards - and it would be quite crazy to pass such restrictions before the standards have been made and discussed and tweaked; they take work and time to become reasonable.
So assigning resources and a specific organization to define such standards is the way to go even if there's no enforcement scheduled yet.
It is common for contracts to stipulate that performance under the contract must conform to various public standards, recommendations, best practices, etc. by reference to an external document or authority (RFCs, standards body outputs, industry consortiums, etc.) that are not required by law. People create these publicly referenceable outputs precisely because it allows them to be added to contracting language. NIST is such a reference source. In some sectors, virtually every contract has the same conformance requirements.
In practice, this often has the force of law. There are many domains where regulatory bodies arbitrarily require that all contracts conform to one or more of these recommendations to be in compliance or fit for purpose even if they don’t come from the government. Government contracts often have language that product and delivery must conform to a long list of such reference documents.
This is less common in web tech, but in other market sectors compliance with a set of common public guidelines is a cost of doing business and contracts sometimes have long lists of things to conform to. The real issue is that most organizations do just enough to check the box, even if violating the spirit of the requirement, because it turns out that customers just want that conformance for ass-covering and don’t care about rigorous compliance. Rigorous compliance would be expensive, especially if anyone tested it (which virtually never happens).
People will comply with the NIST guidelines because their contracts will require it. The problem is that this is not enough.
Great explanation, and exactly right in my experience. It isn't about "you're breaking the law and the Govt is gonna getcha," but you can't do business without meeting the guidelines and would be in breach of contract if you take on a project where you don't conform.
Because a lot of laws do not have consequences codified, or they do but have delegated them to an authority that cannot levy any consequence, like the Department of Commerce or, in this case, NIST.
Sometimes this is intentional: not by any specific lawmaker, but relying on their and everyone else's inattentiveness.