It looks like the policy isn't as rigid as this tweet suggests – the next couple bullets in the bill appear to say you <i>can</i> have known vulnerabilities so long as they're explicitly disclosed and have a mitigation plan. The full text is at <a href="https://www.congress.gov/bill/117th-congress/house-bill/7900/text" rel="nofollow">https://www.congress.gov/bill/117th-congress/house-bill/7900...</a>, heading "SEC. 6722. DHS SOFTWARE SUPPLY CHAIN RISK MANAGEMENT."<p>The wording is left a little ambiguous though since there's no "and"s & "or"s to join those bullets (1)-(3). I've never understood why they can't use more standardized boilerplate in legal text for and/or/xor logical clauses, to eliminate that kind of issue.<p>For that matter, I also don't get why this official congress.gov site can't manage to support basic anchor links! Or even better yet, links that automatically resolve references like "subsections (b)(1)" in the text of the bill...
Big tech lobbyists will kill it in the Senate. What they should have done is make it so "no warranties/liablity" in software licenses don't apply to damages caused by known CVEs. Then everyone is protected, not just DoD.