> You can write whatever you want into a contract, but if you have no way to validate it, it's meaningless.

3rd party audit like everything else?

Okay, if you want to pass responsibility off to someone else, how does the third party auditor do it?

I'm not talking about checking a compliance box, I'm talking about actually confirming no backdoor exists.

That's proving a negative. You are always going to end up with something like 'to the best of our ability'.

You figured it out. It's trivial to include a backdoor in a large system of systems, and one placed by a remotely competent adversary will not be found.

So what's the point of a regulation that can't be enforced?

So you claim it's never possible to audit anything?

I'm asking how you expect an auditor to confirm the absence of something in a series of black boxes that a determined and skilled adversary would like to hide.

It's actually quite simple. You fail the audit and block the purchase at the first black box you find :)

You realize that's completely impractical and will result in the government buying nothing, correct?

So you complain about useless audits but also complain about actual audits.

Ok.

Go complain somewhere else because this discussion is not productive.

It's not productive because the two options you've presented do not exist in reality.

You rip it out and replace it with one that you can trust. And of course you hope you find all of them.