I'm a principal at exactly the kind of company you'd expect to end up benefiting from such a requirement.
And, I agree that this is a policy vector that is in the discussion mix. In fact, I think it's much of what the Administration has in mind.
But I strongly oppose this policy, because companies like mine almost certainly wouldn't end up doing the audit work.
Mandated scheduled audit is a race to the bottom. Look no further than PCI-DSS to see the end result of audit done for audit's sake: the winners are the ones who can deliver the most audits with the best cost structure, and once they gain a foothold, the winners can roll their previous success like a snowball to capture more market share regardless of the quality of the end result. The major credit card breaches of the last few years were all audited by reputable PCI-DSS audit firms.
In the Government, the problem is even worse. Government contracting is procedurally tricky. Most companies that do significant government contracting have entire GSA and DoD business units to handle the sales cycle. When it comes to "security" x "services", the overwhelming majority of the dollars go to a few giant companies (Raytheon, Lockheed, SAIC). These companies aren't winning business because they deliver results; whether any of them ever do or don't, you can look at the security of government networks today to see that mandated audit-for-audit's-sake isn't working.
What's needed is liability, or at least toothsome penalties.
People respond to incentives. The problem we have today is cleanly illustrated by looking at the incentive structure, which overwhelmingly favors getting ambitious systems fielded as fast as possible, offset poorly (if at all) by post-deployment risk of any sort. From a careerist perspective: it is much better to get something deployed --- especially if it will appear to work long enough to soak up credit --- than it is to delay deployment for ambiguous "security" objectives. It's so much better that it's still better to get something deployed even if 2 years from now it's going to cough up 20 million credit card numbers.
To try and shine at least something of a positive light, there is a wide difference in overall fuckededness among different government agencies.
Yesterday I was sent the testing methodology requirements document for a specific agency that was littered with footnotes pointing mostly to TAOSSA. That was good to see, at least.
I agree auditing isn't a silver bullet, and I honestly don't think the federal government should be doing anything here. If they care about the security of "critical infrastructure", whatever that is, they can provide funding for compliance and then demand accreditation before the system is deployed.
But CISPA is just a way to funnel data about every person in the world into a giant government database in secret. It dwarfs the NSA wiretapping scandal and it allows companies to violate their own privacy policies and shelters them from justified lawsuits.
That is absolutely not what CISPA is about. If the government wanted to funnel private data to giant government databases, their best move would be to do nothing, because that action is already mostly lawful under ECPA. ECPA provides unchecked latitude for service providers to disclose private data so long as it's done in the course of protecting or maintaining the service. CISPA adds restrictions to this process.
(I don't support CISPA, but not for this bullshit tinfoil hat reason).
The amount of misinformation circulating around CISPA is very dispiriting. People are being deluded into thinking there's some giant conspiracy, and the only reason that's happening is so that unscrupulous interest groups can fundraise or drive ad revenue from rageviews.
Primarily - make anyone receiving federal funding meet a certain standard of security that is tested through periodic auditing.