Re: "the Memo doesn't discuss whether critical infrastructure operators need to be compelled to act"
Security baselines sound good to me, I wish our lot did that.
Most infosec bods just bitch about other people's work rather than actually helping to create secure systems in the first place.
Private and public infosec need a shake-up IMHO.
Pen testing and hacking for a fee is too late in the game.