Last time it was the Sorbanes-Oxley act. The company security policies were changed by a committee mainly run by lawyers. These 300$/hr billing rate guys have never logged into anything, always had a bevy of flunkies who did all the access to the computer, who printed out emails and who typed back the responses scrawled on the print outs. The main intent was to show that they had strict security policy in court, rather than implement policies that will actually improve security.
Passwords must be changed every ninety days, it must have one upper case, one lower case, one numeral, one non-alphanumeric, and no reuse of passwords, no substring can be a word or date found in the dictionary. A bunch of uninformed jury would be impressed, that was all the point. That it would force people to write down the passwords in sticky notes and very cleverly paste it on the underside of the keyboard is not realized by the bozos, or if it did, it did not bother them. More like, "yes!, Exactly! this process would net us enough scapegoats and sacrificial lambs to be thrown under the bus! I approve!!" would be their response if they understood what would really happen.
Not all government agencies are like that. FAA and NTSB have a decent reputation. If they realize pilots are not following procedures or checklist they would try to understand why and try to make the procedures easier to follow. (I think they would perform even better if we remove from FAA's charter "promotion of air travel" and make it exclusively concentrate on safety of air travel. )