Interesting idea! I don’t know how to think about the threat model of “pay for it yourself, and then the government will run your code for essential services”. I suspect there’s a juicy target there, but it’s something I hadn’t considered, so thanks for giving me something to mull over.
An independent application security assessment would need to be performed prior to handoff of the code base (with follow-ups each time you cut a new release), but if you can meet the requirements of all 50 states (not trivial, but also likely not overly onerous), that’s a huge reduction in duplicated effort.