For those of you who don't know, SEWP is the Solutions for Enterprise-Wide Procurement Program. It's a premier government-wide acquisition contract providing federal agencies access to the latest IT product solutions. In this presentation, Al will look at how the Open Trusted Technology Provider Standard is being used to achieve product integrity and supply chain security. So please, a warm Open Group welcome for Al Marshall.

Oh, I forgot my water, yes. Backwards, there we go. Alright, so I mastered the clicker. Thank you all for the warm reception and hopefully you'll be just as warm when I'm finished. First, I'd like to start by thanking the Open Group for allowing us to co-locate here with the Open Group for this event. This has been something that we've been working on for a few years. I want to thank Angela Taylor from our team, Maggie Ross from the Open Group team, and countless others who have assisted them that have made this event possible. I also want to take a second to recognize our SEWP program manager, Ms. Joanne Woytek. Most of you folks, almost everybody here knows Joanne. As those of us at the SEWP office know, Joanne is never short on visions. And this was a vision that she's had for many years to have a SEWP and Open Group event together. Unfortunately, events conspired against her and the aforementioned government shutdown ended just a little bit too late for her to make it here today. I hear she's probably going to make it here by maybe noon time tomorrow. So you're stuck with me for today's presentation. So wish me luck and we'll get started.

All right. Half you folks here, I asked you before, we've got about 50% SEWP, 50% Open Group. So we're going to kind of beep out back and forth between the two groups. For the SEWP folks, you'll obviously see this will be a review, hopefully for you. Open Group folks, what is SEWP? Solutions for Enterprise-Wide Procurement. What's the emphasis on the solutions part? 
You know, it's products, you know, ICT products, product-based services. Multi-award suite of contracts, so we have 140 contract holders, and most if not all of them are represented out here in the audience. We also have about 6,500 OEMs or what we call providers, and just a provider is either OEM of the NISCO product or provider of the NISCO service, on SEWP. We are a government-wide acquisition contract, or GWAC, and that means that we are open to the entire U.S. federal government. We are used by pretty much every federal agency, us and GSA schedules, anyone who can actually make that claim. FY18, we're used by 87 separate federal agencies. You can see the bottom there, I said the ICT. You know, our scope is extremely broad, pretty much everything from, you know, handheld devices up through supercomputers, you know, AV equipment, networking equipment, software, file-based products, and pretty much anything else that you can shoehorn into the IT realm. I'll be off and do this out.

All right, a shameless plug for SEWP here, and just a little bit of a rundown of how busy we are and had it been. SEWP 5, so we are in our fifth iteration of SEWP. We started, God spoke to me, said yes, we started way back, but even before my time, we just had our 20th anniversary in October, so in our 26th year, we are in the fifth iteration of SEWP, SEWP 5 here. So as of about one day last week when I ran these stats, we already had 112,000 orders in the, you know, almost four years that we've been operational. Just last Friday or Thursday, we passed the $15 billion mark in orders through SEWP 5. And we have an average order size. We're moving up, you know, in previous versions of SEWP, we went maybe from 50 to 60 to 75. That's around 34,000. You know what that tells me is the government agencies, the bigger agencies are using this, using this more, using this for more consolidated buys, and using this for more important buys, not just a laptop here, a desktop there, a cable there. 
Some quick FY18 trends. So you can see, if you do the numbers real quick, from FY17 to FY18, we actually increased 17% in total amount of business. So we're extremely proud of that. It shows that not only, you know, hopefully we're making our government customers happy, but we're also successful in our outreach, you know, our contract holders, our industry partnerships, our, you know, Open Group partnerships. You're getting the word out about SEWP and advancing the brand.

So for the Open Group folks, you know, our SEWP folks, why are we here at the Open Group? So SEWP has been in one way or another associated with the Open Group, or its predecessor, since 1992. So you can see almost since SEWP's inception. You know, UNIX is one of Joanne's favorite topics. When I first started this, one of the reasons she liked me, I actually came, even though I started out as a COBOL programmer in the 80s, when everybody used mainframes, I was like one or two or three people who seemed like in the world at that time, and actually did it under UNIX, of course, now. Everybody uses Linux for everything. So, you know, she was real happy. She was a big fan when I came aboard in 2000.

Moving on, SEWP recognizes the importance of IT standards, not just the Open Group standard. We're going to hit on ISO 20243 as we go through this, but also other FedRAMP, TAA, Energy Star, EPEAT, and anything else the government throws at us. We are, you know, we make every effort to incorporate into our program and provide information. You'll hear me say this in your presentation, your customers to help them make their buying decisions. We do actively support the Open Group and its activities. Dennis Taylor is actually in here, but Dennis Taylor has been with the Open Group Security Forum for as long as I can remember, you know, working with Dennis Taylor. You know, as SEWP has evolved and become more, you know, I've been able to become part of the Open Group contingent from SEWP. 
And then just last November, Randy Gitteron also became another participant. Yes, we're up to about four. Kelly Joanne, who of course is on the board as well, of SEWP team members who are also Open Group participants. Last bullet there, and we'll mention this again as we get into the O-TTPS part of the presentation. So SEWP, along with DOD, are the two government entities that actually participated in the creation of the standard.

So once again, why are we here? We have an annual PM meeting. It's a contractual requirement for all of our contract holders. So we have the 140 program managers, our PMs that are here this week, not only to hear about SEWP, but also to hear about the Open Group and hopefully, you know, become more involved and maybe even seek out the ISO 20243 certification. As we mentioned before, this has been a vision of Joanne for years to actually have this transpire. And at the bottom there, we have a typo. So it's ISO 20243. Did not catch that during my proofreading. Sorry about that. We didn't do one there. So as mentioned at the bottom, this conference hopefully will assist SEWP in working with our contract holders to have them become ISO 20243 certified.

By the way, so what does SEWP do? So hopefully for the Open Group of customers, this will be some new information for our SEWP contract holders. Hopefully you already know this. So our primary goal, you know, of the now 80 member staff of SEWP is to manage the SEWP contracts and the contract holders. Next, immediate action between government industries. So what does that mean? Obviously we have industry partners. Not only do we have 140 contract holders, we have 6,500 manufacturers. We have customers. We have standards organizations. So we actually work, you know, recognize that all of our stakeholders have a say in our success and we continue to try to reach out to as many groups as possible. 
In fact, we just stood up maybe three, four months ago an industry team that's focused on the Cisco, the Oracles and those type of companies, as well as the emerging technologies of the world. And we previously worked with our contract holders, obviously with our customers.

Facilitate the acquisition process. You know, that's from everything from, you know, having a helpline that's, you know, staffed 12 hours a day, online chat, you know, taking one business day or less to get back if you send in a help ticket. You know, we go out. We have two sets of teams that do outreach. We have one that concentrates mostly on customers. We also have our strategic solutions team that goes and meets with the CIOs, the higher level folks. He establishes those strategic relationships. He works on the complex solutions, the big dollar solutions.

Recommended best practices. You know, of course, you know, this is a part of it. He recommended to use some of our online tools.

Last bullet there is one of the other important ones. Inform the customer. SEWP is not assisted acquisition, so SEWP itself does not make any orders for any of our government customers. So what we do provide is information. Information that they can make the best decision possible. You know, is this TAA compliant? Is a product EPEAT compliant? Is it 20243 compliant? You know, we are in the business of providing information. If I forget, you know, later, every time an RFQ comes to SEWP, we provide our customers with a verification file. All of the information is presented right there for them to view when they are ready to make their buying decisions.

A couple of SCRM definitions here, hopefully you are familiar with these, are supply chain. These are Joanne's definitions, so I'm going to try to remember them as best as possible. 
Just basically, the route a product takes, provenance, the chain of custody from its inception as an idea, design through disposal and all the people, the entities, the organizations, the processes that touch it along the way.

The supply chain risk management component, so you have your supply chain and these are the physical transportation, you know, any other type of risk associated with, you know, the product and taking steps to mitigate, you know, those risks. So you have to evaluate the risk, prioritize the risk and take a mitigation strategy as best as possible and, you know, based on, you know, how much money you have and what risk you can take to, you know, the organization. You know, if it's a test system, maybe it's not as important as your centralized total agency network in communication systems.

Counterfeit and tainted. So actually, we have a much better explaining than one of the other slides, I'll slide by those.

And what that means to SEWP simply is the OEM, the company that actually makes a product, recognizes you as a legitimate reseller of the product and would consider any sale to a U.S. government entity of a legitimate, supportable sale. And that's a very short definition of we consider an authorized reseller. I'm sure there's many others and folks that probably do hour-long presentations on just what authorized reseller means.

Gray market versus black market. The unintended unauthorized channels. You know, black market is just totally outside of the bounds of any normal distribution channel.

SCRM standards. It's a hot topic. Cybersecurity, of course, is one of the hottest topics in the cyber world, the government world. Everybody's world, really, since now we're all consumers of cyber services on a pretty much hourly by minute basis anymore. So, you know, lots of folks in the U.S. government are interested in this. NIST, obviously, you know, SEWP with the Open Group. 
Just last Friday, I read an article from GSA where they're charged with looking into cyber security risk within the federal government, you know, assessing programs and coming up with hopefully, you know, solutions to the risks that are posed to the federal government through the purchasing and use of ICT-type products.

All right, so here's where it gets a little tricky for me, because this is before Al's time at Open Group. So, you know, the online Wiki page says 2010, Joanne's slide says 2009. So I'm saying 2009 because I have to. So, Open Group started in 2009 with the, you know, looking for the U.S. and accreditation for how to solve the supply chain problem. You know, based on the government's, you know, move away from, you know, standard customized solutions into a plug and play world. So, you know, if I'm plugging, you know, server rack, server rack, plugging these things in, you know, how do I know that I'm getting a genuine product? I know this product is what it says it is. You know, as we move to that world as opposed to, you know, just, I got to do all my stuff for me. You know, how does the customer identify, you know, good product from a bad product? You know, is there any way to help them along that path? You know, so some smart folks got together and said, whoa, it sounds like a good idea, let's establish, and I always love the best of breed word or best in class, like, not sure what that means, but you know, sounds good when we're doing it. And you know, create a solution. There's a fancy little diagram there.

So, we mentioned before, you know, a tainted product, so, you know, we consider a tainted product. You know, so it comes from a normal supply channel, comes to the manufacturer, but somehow, somewhere along the way, something bad happened to it. Maybe some malware was placed on it. Maybe a driver was updated or changed. Maybe some malicious code was sent in. 
You know, it's a communication equipment, so it just phones home and just sends out some information. You know, so what's the risk involved here? You know, obviously you have, you know, security risk. You may have performance risk. You know, if someone switches out a new part for an old part or a non-standard part or a compromised part, you could obviously have intellectual property risk, national security risk, corporate security risk, PIA leaks or PII leaks and so on. Lots of bad things can happen if the supply chain is compromised and a malicious tainted product is acquired.

Bottom part here, we have counterfeit products. So who's ever walked the streets of New York and seen the $50 Louis Vuittons on the corner? So who here thinks they're actually really Louis Vuittons? You know, so it's, you know, label says that, right? And you get it back home and you're all excited, look, I got a brand new, and then a couple weeks later you realize, oh, inferior workmanship, inferior materials. It doesn't, it doesn't hold up to the standards that we expect from that brand. Pretty much the same applies to IT. So, you know, just because it says, we'll pick like Dell or something, on the outside, you actually know is it a real Dell, is it, you know, are they used components, the old components, refurbished components, the actual components, you know, inside. Who knows.

Had a short customer story here for you. We had a customer send in a help ticket once, and they're like, oh, this is nice, you know, what does it say? Oh, SEWP's prices are, can't say the bit, are not good. Yeah, so we contact them and say, why are you saying that? Well, we did an RFQ on SEWP and we got, we got five quotes back and they were all like for this particular product about $10,000. Okay, well that's normal. Oh no, we found an eBay in Thailand for $5,000. 
All right, well, you know what, if you're going to put that piece of communications equipment in your agency's system, and you've not to cast aspersions at, you know, eBay or Thailand, but, you know, if you think that is a real system and you're willing to take that risk, then, and so be it, so obviously that was our counsel to them, you know, the old adage that sounds too good to be true, it probably is. You know, so our contract holders are all competing for the business, so if there's a bullseye of prices in a $10,000 range you can find an eBay for $5,000, well, you get what you get.

The O-TTPS standard itself, so you can see here on the slides from 2013 it's a set of, it says prescriptive requirements, so if you take the time to read it, it's the shalls, shall nots, has-tos, and such. Left-hand side, I'm going to point to this like you all can see it, of maybe as you're left to, of the chart, you know, this is the provider itself, the OEM, so this is their design, manufacturing, sourcing of the materials, et cetera, this is their part. The supply chain part is really where SEWP may become involved, you know, the product is already made. So how does it get from the company that makes it into the hands of the end user? What path does it take? What's the chain of custody, you know, the provenance that it goes from point A to point B. Bottom part here, I think we already mentioned that, right? There's two areas of development, so we'll slide up to the next part. Which is a blank slide. I didn't realize it was like fancy stuff like that. Wow. Who knew Joanne set it up that way? So there's a fancy stuff like that.

So how do we accomplish our mission? This is more of the Open Group part. So, you know, my story is this, you know, when my first Open Group we had was at Newport Beach at the hotel across from the Maserati dealer, which is kind of cool for a boy from South Baltimore. Say, ooh, Maserati dealer across the street. It wouldn't give me a test drive. 
So, you know, we have a bunch of folks in a room and, you know, they're looking at these five goals and it's, you know, a veritable who's who of IT. You have Cisco, you have Oracle, you have Dell, you have HP, you have IBM, you have Microsoft, Huawei, and I'm sorry if I forgot some others, but, you know, all these titans of the IT industry. So, you know, I come in with Joanne and I'm all excited about what am I going to do when I get there and how can I participate. She's like, well, we just sit and watch. And, you know, for those of you who know me that's like not normally my style. So, I'm like, okay, I'll follow your lead. So, sure enough, all these companies are growling and back and forth and now we shouldn't do this and I'm like, wow, and then about an hour passes and there's poor Sally and she's taking notes and trying to keep 20 type A personalities in check. And then, you know, there's silence and she turns to, you know, Joanne and Don Davidson from DOD and he's like, and what does the government think? And thumbs up, thumbs down, and then we moved on to the next issue and we went back to typing our laptops until the next time the government input was needed. So, there was years of that. I had the slides in different order and we'll get to the years of stuff in a second.

So, what was the final outcome? So, in 2013, we actually had the first version of the standard. So, we have a cool little diagram here and we have some buy with confidence here. So, we have our trusted sellers, you know, the people who follow the supply chain rules, the people who are certified. And then we have the untrusted, you know, guys in the bottom, we have the eBays of the world and stuff and, you know, procuring stuff from gray market, you know, new companies, you know, the risks associated with that. And on the right-hand side, we have our happy customers because, you know, they went through trusted providers and got a good solution. 
So, now I want to get to the part of, after our first meeting in Newport Beach, there was a bunch of other meetings, a lot of phone calls, even one unscheduled, you know, out of sequence meeting in the FESA, but eventually, in 2015, the 20243 standard was published. So, as you can see here, we have eight of our 140 contract holders so far have went through the certification process. So, one of the reasons to have this presentation here and to have this co-mingled meeting was to hopefully, you know, encourage more of our contract holders to follow that path. SEWP's goal in FY19 is, as we work with our government customers, to recommend they use the ISO standard as a possible discriminator, you know, when you're looking at your, as I said, our large dollar, highly complex or highly secure or essential procurements. And here's a picture of the, of our website with said Open Group certification.

All right, so now we're going to bounce back to SEWP again, so we have Open Group back to SEWP. So, whatever you advise our customers when we're after talking to them, 100% assurance is really impossible to achieve. You know, I can't be there as they mine the material and follow through all the processes that go through all the design, you know, look at all the coding, the software, hardware, and figure out if somebody does, you know, something somewhere that's bad. So, there's, you know, no way to know 100% for sure. You know, so there's no way to negotiate with anything you buy. It's IT, food, someone's scary buddy, but everything, right? We all make risk assessments, you know, every day and on normal lives and, you know, IT purchasing is, you know, really no different. Obviously, there's, you know, in most cases, a cost with lowering the risk, you know, as I mentioned before, 10,000 dollars to buy a router from an authorized reseller and 5,000 dollars to get it on eBay. 
You know, so if you're the acquirer, you know, if I was going to just use that as some test system, it was never going to be part of my network. Maybe I'll just buy the cheap alternative and roll with it. If it was going to be an integral part of my secure network, I would probably look to get it from an authorized reseller.

So we just mentioned the AR term there. A lot of manufacturers don't have authorized reseller programs. As we mentioned before, we have 6,500 manufacturers on SEWP. So as you can imagine, it's the full gamut of suppliers. You have big, publicly traded companies and some mom-and-pop shops. So we never pass the hard and fast rule. I know folks have talked about that in the government. That's to make everybody have to be an authorized reseller. Well, I said, what happens when a company doesn't have an authorized reseller program? Does that mean their products can't be bought in the federal government?

Moving down there, as you get to the bigger companies, they authorized our contract holders for example. Some are hardware. Some are software. Then they have their Exadata products and that's even a smaller set of SEWP contract holders that are qualified to sell those products. As we mentioned before, 100% reliance on negative connotations. Obviously, the larger companies, if there's a cost associated with the authorized reseller program, the smaller companies are many times competitive disadvantage. They just don't have to pay several thousands or hundreds of thousands of dollars to become authorized or move up to certain levels to play. That can lead to reduced competition. And quite honestly, at the end of the day, the decision to what companies succeed or fail isn't so much on the effort or skill of the employees, but how deep their pockets are.

So I know we're getting close to the end here. I can stretch it out for another 16 minutes but I'll try to talk slower. 
Alright, for some large manufacturers, Steve told me it's okay if I get on a little bit early. They have a defined authorized reseller program, Cisco Golder. As I said, Oracle says you can sell Exadata and stuff like that. So at SEWP we use a trust the verify approach. They have to provide a point of contact. So if I say I'm an authorized reseller for a company, they have to provide me with a name of someone at that company. And we're going to trust them while we verify that information. For some reason that verification fails, then we remove that relationship and mark them as a non-authorized reseller. We do have a program called EARP. I'll talk about it in a couple slides here. But one of the authorized reseller functions that has to be part of our program is there has to be a negative connotation if you don't use the authorized reseller program.

So I can hit you with another story of a Ford customer who bought some items from a large networking company, but they bought them through the gray market. They bought them from Europe. They acquired them, installed these 10 networking products in their enterprise, and life was good. And then they needed support. So they came to SEWP and said, oh, we want to do an RFQ on SEWP. We want to get support for these items because we have a need to update the firmware. So sure enough, RFQ goes out, customers notify them, sorry, you can't get support on those items. We're showing these serial numbers while valid. We're showing these in proper channels, and therefore we will not support said items. So what happened to the customer? They have to rip out 10 functioning networking devices, purchase 10 functioning networking devices from proper channels, go through the whole process of installing, configuring, and then updating those items. So as our counsel to our government customers, understand the rules of the companies that you're trying to do business with. 
And as we move on down here, as we mentioned before, all companies have authorized reseller programs. So if that's the case, and we have probably 6,000, the 6,500 probably fall into that range or probably close to 90% will be there. Last point there, manufacturers, it's from time to time to authorize a sort of approach to selling their products. And I think it's mentioned here in the last slide. At some point in time, there is the opportunity for a one authorization. And actually it's on this slide right here.

So why don't we recognize letters of authorization alone as a source? Well, I mean Joanne can probably get you with more stories than I can, but just a couple that she's relayed to me. So we have some with the rubber stamp, we have our name here, so it actually comes in from our contract holders, and it says "enter name here" is authorized to resell Dell products. Can I trust that letter as being authentic? Who is authorizing? It's another little story. One of our contract holders sent us a letter in. It was from the Brazil, yes, Outpost of the company. I'm not sure if we can really trust and verify the authenticity of that letter. What is the authorization for? Is it for federal? Is it for commercial? What's the period of performance? Has it already lapsed? So all that is not really clear.

So in our case, as I mentioned, we use a trust to verify and provide us a contact at that manufacturer. We will contact that person and say, is this company authorized to resell your products? For some critical purchases, and for our SEWP folks if you're familiar with the art and wine strategic sourcing and GSS catalogs, we require you guys to provide the LOA in addition to your other information, pricing and all with regard to that. So there are time to time that we do actually reach out to our contract holders, but that's in addition to and not in place of the contact information. Oh, and of course Joanne says if SEWP and the LOA disagree, rely on SEWP. 
Always rely on SEWP, right?

Supply chain information itself is provided at the quote level, so every one of the 13 million CLINs on our contract have an associated level of SCRM with them. We add about 11,500 products every day, so the SEWP contracts are constantly evolving.

There are actually four levels, I might say three here. Top level, least level of risk, is I am the manufacturer. So we have Dell, HPE, HPI, IBM, so we do have four contract holders that actually make the products, and some of the smaller companies may make certain components or a small companies or put the other on PCs, but for the most part those four companies actually make a lot of what they sell.

Next level down from that is authorized reseller, and we actually split that, as we mentioned before, in the two areas. A, I am authorized to sell everything from this company, or B, I'm authorized to sell a subset of the company's products.

Moving down from that, the next level of risk is I get it from a distributor. So as we talked about, chain of custody, provenance, so now it went from the manufacturer to a distributor to the contract holder, so there is a third set of hands at least involved in that. So as a customer, am I willing to accept that risk? Maybe the price is a little cheaper because they got it from the distributor, they can pass the savings on to you, but that's a third chance for malicious tainting of the products. 
The last level is the dreaded unverified relationship. Once again, does not necessarily mean it's bad, because not everyone has an authorized reseller program. If you're buying equipment maybe from a Cisco, from a Dell, an Oracle, if you're buying your networking equipment. We did a large buy with the federal government, the JRSS, Joint Regional Security Stack system. That's the communication system for the entire federal government. It came through SEWP, so I'm certain that they had very stringent requirements on the authorized resellers and the like for communications for the Department of Defense.

I think we're almost done. We have two more slides to go here in nine minutes. Not doing too bad.

So as previously mentioned, we do have an EARP, Enterprise Established Authorized Reseller Program. So what is that? Basically we found 17 companies that have met the requirements: central point of contact and, most importantly, repercussions for not buying authorized channels. So they don't support the product, you can't get maintenance on the product, they won't come out and service the product. So what we've done is identified those 17 companies, flag them in our databases EARP, and the short story is, for those 17 companies, if our contract holder is not marked as an authorized reseller, then they are unable to quote those products on RFQ. So as I mentioned before, we provide information to the customer for every RFQ, but for these 17 companies we've taken the additional step of preventing nonauthorized resellers from even quoting their products.

And I believe this is our last slide here. So once again, when our teams are out meeting with our customers, what do we do? We make some decisions on risk management, and obviously, as we talked about the GRS system before, your most critical systems should have the most critical and most stringent requirements to have the lowest level of risk. Authorized reseller can lower that risk. ISO 20243 certification can help lower that risk. Know what the information means, so 
once again understand the parameters of the companies you're dealing with, nonauthorized reseller program or not. What are the benefits of the program? What do you get with it? What happens if you don't get a product, and will it be supported? Once again, rely on the SEWP verification file. So once again, just a large amount of information provided to the customer for every quote that comes to our system. And last but not least, since we're here at the Open Group, consider using ISO 20243 certification as a best value discriminator. SEWP awards are best value determinations, so you have the lowest price, you have technical acceptability, and certainly your standards, social economic standards. If all else fails, look and see if the company you're dealing with is ISO 20243 certified. And I believe that is the end, so we got done with six minutes to spare. So you're all welcome, six minutes to your day back.

Steve, please have a seat. Yeah, please have a seat, because you don't get off that easily. You get to choose. You see, this is part of the test. We know which one Joanne would choose. There we go. Well, thank you, thank you very much for that.

Well, thank you all for allowing SEWP to obviously have this co-located event and for the generous applause for my presentation.

So one of the questions that's clearly come from the non-SEWP side of the audience is, what's with the duck? We get the soup and the bowl, but what's the duck? What's with the duck?

Now I can tell you the duck. Alright, so what's with the duck? The short story of the duck is, way back, strangely enough, there was a meeting of the founding fathers of SEWP. There was three gentlemen that we called the founding fathers of SEWP, and sort of like the story, it's almost like the Led Zeppelin story about Keith Moon saying you'll go over like a lead balloon. So one of the founding fathers, name is Joe Barks, they all said getting this program off the ground should be as easy as making duck soup, which I hear is hard to make. I've never actually made duck soup 
Because of that saying way back in 1993, and it stuck with us through all 26 years of SOOP. So that's where the duck came from. So we are down to the uni-duck now. We started out with SOOP 1, there was one duck; SOOP 2, there were two ducks; SOOP 3, there were three ducks in a bowl. When SOOP 4 started, there were three ducks in a bowl and a duck climbing up a ladder, but our graphic artists were having a hard time fitting four ducks into a bowl, so we went to the uni-duck approach in SOOP 4 and continued up to SOOP 5, and I believe he'll be our mascot moving forward.
So you come to an Open Group event and get the really useful information.
Yes, thank God they asked something I could answer. That was a... OK.
So we have a few questions from the audience. Remember, Slido is the way to do this. Can you say anything, Al, about the cost? Can you comment on the cost of becoming an authorized reseller?
Can you comment on the cost of becoming an authorized reseller, for who? I wish I could, but each company has their own programs. Some may just require some demonstration of skills, some may require a level of certification for employees, some may just say give us this many dollars and you're certified. So it depends on the individual. As I said, some companies have no program also. 6,500 companies probably have 6,500 different programs.
So are just U.S. companies eligible to be suppliers to SOOP, or can non-U.S. companies supply?
We have companies from all over the world: SAP, German companies; SOOP, Japanese, UK-based companies, Swiss-based companies. There's no applicable restriction. U.S.
government may impose some restrictions on certain agencies on what countries they're allowed to buy products from, but SOOP itself... There are some exceptions, but they're handled on a local basis. I would not feel comfortable saying that in the public forum. Some security issues have arisen from certain companies.
Actually, the first question chronologically was: since the OTTPS standard was created, that we talked about, has the Open Group seen more interest and concern over tainted products or counterfeit components, and has this changed over time? Yes, that's partly for you and maybe partly for me.
But partly for you, maybe for Andras or Joanne or anybody hears from their constituents, be they who they may, that we've heard... You know, as I said, I relate a few stories that have come in to us. Doesn't necessarily mean they're the only ones that have ever happened. Sometimes the shame and the dignity of having it happen may preclude you from reaching out: oh, I bought something and it really caused a security incident. It's probably going to be the most imposed before someone calls up SOOP and says, oh, by the way, we bought some bad products. From time to time we'll get some stories. We check them out, and if we find them to be true, as I mentioned before, like the one manufacturer, we remove all their products because of concerns that they could not control or supply chain or they made themselves have then maliciously came their products.
I mean, from my perspective, I've always thought that the creation of the standard was such a significant activity in itself, starting from a collaboration between government and industry, taking quite a lot of time, with some very important organisations involved, and it got there. And I've never quite understood why it hasn't been taken up more, to be honest. I think the answer is, as is usual with these standards, it needs the customer pull, it needs the procurement pull, for the vendors to see the value of going through this. So hopefully one of
the things that will happen from your event this week is we may start to see some of that. But I do think it's, anyone who looks at it, why wouldn't you want some extra good feeling and security around the products that you're procuring?
I think it depends what it costs. Is there a cost for the good? If it is, the warm or fuzzy cost more than just the warm or fuzzy, then you might just have to settle for just one or the other.
Talking of, is there an estimate of how much SOOP has saved in dollar terms?
How much SOOP has saved? Strangely enough, I'm also statistically inclined, I'm not sure why, so I do the annual numbers. As our SOOP contractors... SOOP has been the best in class in the U.S. federal government, so we're one of the best-in-class programs. So as such, we have to provide data to the government. While there's no hard and fast number for every order, and your results may vary, we have roughly 16 to 17%. Our SOOP catalog price you can charge a customer; the average quote in order is about 16 to 17% off of that. And then there is also a smaller savings of about 7 to 8% from the MSRP to the catalog price itself. So that's, the government terms, cost avoidance, in-class savings. So the cost avoidance is roughly 7 or 8%; 16 to 17% of actual cost savings from catalog price to quote. And of course that varies with... so your $10 million opportunities get much better than your... I'll take one left out please.
One of the things we've heard from Joanne over the years is the way that the budget has increased for SOOP and the way that more agencies are looking to take advantage of all the work that's gone in over the years, so it's a very well regarded program.
Well, we're happy. That was part of the shame of self promotion there. The 17% this year, maybe 10-15% a few years before that.
So we're going to leave it there and move on. We've got the big set of zeros, the big set of zeros in front of me. We need to move on, but thank you very much for your presentation.
Thank you for having us.