I agree with your comment but want to ask a couple of questions to see how you see it working in practice:
What will stop the local city council from being compliant on paper, i.e. doing a tick-box exercise and saying that their summer IT intern is the security department?
I'm not a policy design expert by any means, and it's not like I've given this thorough thought. I expect some amount of red tape and controls from a government agency would be the proper way to enforce it.
It would of course require significant political will to create these institutions and system of laws and regulations, but it could be similar in spirit to the kinds of controls the military has for software vendors that want to work with it.