>not extracting unenforceable promises from trillion-dollar tech giants.
Of course you can enforce it. Create a law that tech giants must comply with FISMA/FedRAMP, ISO 27001, DFARS 252.204-7012. I don't see why that's such a bad thing anyway. Compliance is a necessity because it's just thorough hygiene.
Why DON'T we have a written process to change our firewall rules, a written process to review our code, a written process to rotate our keys? These don't seem like a burden to me at all.