House passes bill that DoD software can’t have any CVEs (twitter.com/jgamblin)
19 points by andrei on Aug 18, 2022 | hide | past | favorite | 9 comments



It looks like the policy isn't as rigid as this tweet suggests – the next couple bullets in the bill appear to say you can have known vulnerabilities so long as they're explicitly disclosed and have a mitigation plan. The full text is at https://www.congress.gov/bill/117th-congress/house-bill/7900..., heading "SEC. 6722. DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT."

The wording is left a little ambiguous though since there's no "and"s & "or"s to join those bullets (1)-(3). I've never understood why they can't use more standardized boilerplate in legal text for and/or/xor logical clauses, to eliminate that kind of issue.

For that matter, I also don't get why this official congress.gov site can't manage to support basic anchor links! Or even better yet, links that automatically resolve references like "subsections (b)(1)" in the text of the bill...


Just when I thought security policies and standards couldn't get any worse, now we have Congress trying to dictate what secure is.


Time to buy slide rules.


House should pass bill that congress can't have any equities


Now, I wonder what about the vulnerabilities that NSA knows, or has introduced. Then again those are only known to them. So it is probably fine.


Big tech lobbyists will kill it in the Senate. What they should have done is make it so "no warranties/liability" in software licenses don't apply to damages caused by known CVEs. Then everyone is protected, not just DoD.


The DoD is not worried about lawsuits. Is it really not clear why the DoD is not ok with no warranties software?


Am I the only one to wonder what CVEs are?


Common Vulnerabilities and Exposures, essentially no unpatched holes allowed.



