An independent application security assessment would need to be performed prior to handoff of the code base (with follow ups each time you cut a new release), but if you can meet the requirements of all 50 states (not trivial, but also likely not overly onerous), that’s a huge reduction in duplicated effort.

Glad I could provide something to ponder!