At the state level, legislatures have collectively ignored the UniformComputer Information Transactions Act (UCITA), a complex law thatwould in part reduce liability for software vendors (most majorvendors have backed UCITA).

Federally, money has poured into the complex skein of agencies dealingwith critical infrastructure protection, which has taken on a life ofits own since 9/11. Equally important but not as well publicized, thefeds fully implemented in July the National SecurityTelecommunications Information Systems Security Policy no. 11, calledNSTISSP (pronounced nissTISSip), after a two-year phase-in. The policydictates that all software that's in some way used in a nationalsecurity setting must pass independent security audits before thegovernment will purchase it.