So, welcome to the Open Group webinar on Secure Global IT and Supply Chain. The Open Group, in particular the Open Group Trusted Technology Forum, has been addressing the problem of product integrity and supply chain security for commercial off-the-shelf information and communication technology, which we refer to as COTS-ICT, for the past three to four years. We published the Open Trusted Technology Provider Standards, specifically focused on mitigating the risk of maliciously tainted and counterfeit products, in 2013. And last week at the Open Group Conference in San Francisco, we announced the launch of the OTTPS accreditation program, which accredits organizations who conform to the best practice requirements and the standards. So this webinar is going to provide insight into our work that got us to this point, the resultant accreditation program that now is available to all and the outreach efforts for increasing awareness of these efforts. So later we'll hear from some of our members who had a significant impact on the creation of the standard and the accreditation program as they each present a portion of the presentation, and at the end we will participate in questioning and answers for that section. So I'll provide a brief overview of the global challenge we're facing, how the Open Group is positioned to address it, and some insight into how we got started and where we are today. So the problem: COTS-ICT products are developed globally and used globally. They're built from hardware and software components developed and manufactured around the world, and they're integrated into critical infrastructure and government systems and commercial solutions. And at every point in the product's life cycle, they're vulnerable to the threats listed here. Today the world relies on global supply chains, and therefore constituents from around the world must work together to protect them.
And the global nature of this problem is one of the main reasons the Open Group was chosen as the place to work through and address this very, very significant problem. So a little bit about the Open Group. It is a global organization with over 40,000 participants, from over 95 continents with over 400 members, headquarters in over 37 countries. The Open Group provides a vendor-neutral environment where customers, both governments and commercial customers, and technology providers can come together to create standards and accreditation programs that are consensus-based and meet the needs of all the participants. So how did the Open Group Trusted Technology Forum get started and become part of the Open Group? It began with a series of roundtable discussions with the Open Group and DOD, AT&L, and CIO, and it included many of the most mature IT providers in the industry. During those meetings, the following questions were posed and discussed. Now the governments and commercial entities around the world are moving away from high-assurance customized solutions to COTS-ICT. How can commercial customers and government confidently identify good trustworthy COTS-ICT products in their providers? So the recommendations that came out of these early meetings were these. If all the major IT providers are building quality products and for the most part secure products, then doesn't it make sense for them to get together, pool their practices, and come up with a set of best-of-breed best practices that could be established as a standard for the rest of the industry? And doesn't it make sense to then build a brand around the standard to identify those trusted technology providers who are conforming to standards? So that's how it all got started. These informal series of meetings found a lot of traction and the constituents decided to form under the Open Group as the Open Group Trusted Technology Forum and began some serious work on responding to those recommendations.
So who are those constituents? Here they are. As you can see, from the member chart, there's a broad representation of COTS-ICT providers, integrators, and third-party information assurance laboratories. There's product distributors and there's government-related constituents. In my humble opinion, three of the most important takeaways from this slide are these. When we say we defined and published the standard and accreditation program, we mean the membership. It's the way that we're talking about and it was all done by consensus, which is a huge feat. Secondly, we meet and have met over the past three or four years, at least twice a week, meeting not only with the technical participants from some of these companies, but with the chief security officers and the chief technology officers, the VPs and program directors of the companies. That indicates an amazing amount of talent and commitment. And finally, it's a true example of industry working together with government to create something that's reasonable, open, and practical. And by practical, I mean that it's actually based on inputs from members who understand how product development and supply chain operations really work in the field and therefore can identify the best practices that are needed to mitigate the risks of the tainted and counterfeit products. So one last slide for me, just a brief overview of our milestones. As mentioned, we started with early collaboration. We formed the OTTF in 2011. We began working on a standard immediately called the Snapshot in version 1.0 of the standard in 2013. While we were finalizing the standard, we were also developing conformance criteria, the accreditation policy, and the assessment procedures that would be used in the pilot program, all of which we started at the end of 2012. The accreditation program was finalized and approved in October 2014.
We implemented the program and launched officially last week, also announcing that one of our pilot participants had successfully made it through the accreditation program. And we're pleased to announce that, again, that successful candidate with IBM was accredited as an Open Trusted Technology Provider for their application, infrastructure, and middleware aimed at the software business division. So congratulations, again, to IBM. So with that, I'll hand over to Edna Conway, the Chief Security Officer of Global Supply Chain at Cisco Systems and Vice Chair of the OTTF, who will talk about the challenges of Global Supply Chain and how the standards address them.
So Sally laid the foundation for what we're really all about. And after the initial conversations that we had, what we came to the conclusion as a public-private partnership was that we did need to identify this key challenge. Let me remind you of what that is. Sally, why don't you build this out? The challenge really is that we who make commercial off-the-shelf information and communication technology leverage a supply chain that reaches around the world. As we look to those from whom we would source, those who partner with us in the fabrication and the methodologies by which we deliver in between the supply chain and ultimately to the end customers of the supply chain, we wanted to have a program that would enable the acquirers to look at the product, yes. But rather on top of that, to look at the organization and to say we understand that from these organizations we can buy products that are trusted. We're buying with confidence and the products are trusted because of something somewhat unique. We actually, in this accreditation program and standard, encompass the full product lifecycle across commercial information and communication technology.
And what we're doing is saying we want to look at this end-to-end lifecycle because we are aware of the fact that risks can occur at any part of this supply chain or product lifecycle. So, Sally, why don't you go to the next slide? So the takeaway there is public-private partnership looking comprehensively around the globe at the supply chain itself and as well looking comprehensively at the end-to-end product lifecycle. In order to focus ourselves, oops, sorry, go back there just for one moment, if you would, Sally, in order to focus ourselves in this first version of the standard, we tackled two not insignificant, quite substantial threats, but these two. And these two have been on the minds of our customers and the community of acquirers of information and communications technology. And we'll talk a little bit about the risks associated with them. They include maliciously-tainted products or counterfeit products. So, Sally, if you'd go to the next slide, that would be great. So you're all familiar with what the risks are. I won't drill into them, but I want you to take your mindset to why this standard is somewhat unique. By addressing these two particular threats across this spectrum that you can see below on this slide, what we've done is tried to take a comprehensive approach, thinking through the niche and stage of when information and communication technology is begun as an idea, how it's developed and designed, and taken through each step. A set of practices, whether they're technology practices, whether they're physical security practices or logical processes, that together establish the right steps in the right stage of this product lifecycle and supply chain to give that higher degree of trusted products and allow our acquirers to buy with confidence. Sally, if you can go to the next slide. So let me give you a little bit of insight. This is a very high level into the best practice areas that we address. 
And we've broken this down into two major categories across this comprehensive product lifecycle or supply chain, specifically product development and engineering requirements, secure development and engineering requirements, and the third one is supply chain. So you can see some of the critical focus areas that the requirements drill down on. And I'm just going to highlight a few that I think are unique. We really talked a lot in product development and engineering requirements about not just the traditional development and design practices, but product sustainment, recognizing that given the ubiquitous reliance on information and communications technology, that those who have it within their networks and how they use it rely upon, we must inevitably ensure the integrity of the product portfolio and the organization supporting it throughout its life. For secure development and engineering requirements, what we've done is embrace all of the traditional best practices, but also reminded ourselves that we have to have an outward facing view as well. So I want to highlight that what we are also embedding within the standard is a mandate to regularly monitor and assess the impact of the never-ending changes that we see in the threat landscape for information and communications technology. So you can see we've addressed full product life cycle, sustainment through utilization, and awareness of the external environment that affects our information and communication technology community. Sally, if you could go to the next slide. From the perspective of supply chain, we really again took a unique comprehensive approach, thinking with some of the best partners that we had here as members of the standard body itself, and thinking about what we wanted to drill down into. And clearly, you can see what they are, but I wanted to highlight just a few. So risk management and security go hand in hand.
Understanding the risk landscape and implementing security in a comprehensive fashion must be aligned and are in fact embedded throughout the supply chain requirements in the Open Trusted Technology Partner standard. Additionally, again focusing on the end-to-end product life cycle, we have embraced raw materials, work in process, finished goods, and products that are at their end of life. And those products include hardware and software. They are somewhat unique, but as you know, in information and communications technology, work hand in hand. So that's a quick overview of the in-depth requirements embodied within this version of the TTPF. Thank you. So now I'm going to turn it over to the chair of the standard body, Andras Szakal.
Thank you very much, Edna. That was an awesome overview. So I am the chair and my name is Andras Szakal and my segment is intended to help viewers understand the purpose, process, and value of the recently announced OTTPS accreditation program. And while the typical cyber threat is very well understood by most folks, you know, maybe you're not as familiar with that of technology supply chain threats. So we've tried to kind of boil this down into a table as a reference to help you understand the landscape and which threats the OTTPS standard and accreditation program is intended to mitigate. Now, of course, for more information, you can download the freely available OTTPS standard or, shameless plug, you can get a copy of the most recent issue of the IBM Journal of Research, in which I published an article on this particular subject, and endeavor to learn a little more. But version 1.0 of the OTTPS standard and the accreditation program are focused on helping to mitigate what we believe are the two most significant threats, as Edna pointed out, counterfeit components and maliciously tainted products or components. From a taint point of view, we also think our standard goes a long way to mitigating those other risks that are outlined here.
However, we do not explicitly focus on the insider or negligent cases. We believe that the OTTPS standard and now the accreditation program is exemplary of a holistic approach to securing the global supply chain. The trusted technology forum was founded by our customers and includes representatives from each of the major stakeholders who participated in the development of the standard and the accreditation program. This ecosystem is essential to effectively addressing the risk in establishing a normative standard and representative trustworthy accreditation program. Remember, the OTTPS accreditation is an organizational assessment against the industry best practices described in the OTTPS, the standard. And this industry ecosystem is depicted here and includes providers, in other words, the technology producers, their suppliers, component suppliers, integrators, and in partnership with standard organizations like the Open Group and the labs that are responsible for third party accreditation to the standard. Next chart. Last week, the OTTPS officially announced the launch of the OTTPS accreditation program and, of course, IBM's successful pilot and accreditation for our AIM Product Service Division. I'm sorry, AIM Product Division. I used to be part of the AIM Services Division, so I got that on my brain. While the development of the standard requires Open Group membership, both the standard and the accreditation program are open and freely available to the public. The standard can be downloaded and used by the organization, any organization, free of charge. And the accreditation program, while operated by the Open Group, is available to the public as well. And the accreditations are conducted by third party labs on behalf of the Open Group, following the accreditation processes, practices, and policies that were established within the OTTPS and by the industry.
So an open OTTPS accreditation, I'm sorry, an OTTPS accreditation lasts for three years before an organization must re-accredit. In the meantime, an accredited organization warrants and represents that they continue to maintain the practices that meet the accreditation conformance criteria. And they can associate the OTTPS accreditation logo with the products produced by the accredited organization. We believe this approach will significantly increase the trust across vendors, suppliers, and acquirers to build with integrity and buy with confidence. So an organization seeking accreditation may only produce one product or many products. It doesn't matter. The accreditation process works for providers of all sizes. In most cases, providers will accredit an organization that's responsible for producing many products, in which case we have developed an approach that uses established techniques for identifying a sample size that will be used to assess the candidate organization and make the accreditation practical and affordable. This is called the scope of accreditation. It may consist of a product line, business unit, or maybe an entire software company. It really depends on the provider and how they want to approach the accreditation. As I said previously, the accreditation lasts for three years in which the organization warrants that their practices represent those defined in the OTTPS standard, the best practices. Should any nonconformances be identified, the organization must remediate, i.e. come back into compliance in a timely manner, or they'll be removed by the accreditation authority, in this case the Open Group, from the accreditation registry. The OTTPS trademark represents to the industry a trusted technology provider. So why the Open Group? Why did the customer and the industry select the Open Group? The reason is really very simple.
It's a very significant history of effective public-private partnership, standards development, and a track record of successful certification conformance programs, which includes really well-known professional certifications, the UNIX specification standard conformance to it and POSIX, and even lottery and WAP conformance to best practices, as well as core technology standards. Now I'm going to hand it over to Fiona Pattinson of ATSEC to talk about how we are managing third-party labs and assessors to implement accreditation.
Okay, thank you very much. I'm Fiona Pattinson, and I'm working with one of the already recognized assessor companies that were part of the launch last week. So I'd like to talk a little bit about how the assessment and the becoming a recognized assessor works in this program. First of all, some of the key points about the assessment is that the Open Group and the OTTF forum have produced some publicly available assessment procedures. This will help achieve objectivity, repeatability, and consistency as we're performing the different assessments. When we look at the standard and the assessment procedures, we find there are two types of requirements that need to be assessed. We look for evidence that the processes that are recommended and part of the standard are there in place and that they are documented by the organization. We are not just performing a process assessment. We have a second set of checks that we make to the implementation evidence. So we look to see that those processes are indeed implemented in the organization. The Open Group program has established formal recognition of the OTTPS third-party assessors and they have established criteria and examination, which I'm going to explain in a little bit more depth in the next few slides. It receives certificates and there is a public registry of the recognized assessor companies so that this can be checked.
The requirements to become a recognized assessor we have divided into two components. First of all is the component of belonging to a recognized assessor company. So here we're looking for an organization that is mature and professional in the way that they handle such assessments. We have a variety of management system standards that are related to this in the world of assessor companies and I'll go through those on the next slide. But the key point is that the Open Group will accept organizations that are already certified management systems and they're looking at things like documentation management, record control, personnel, training, resource management, their own internal auditing and how they handle preventive and corrective actions. This reliance on existing industry standards is a very exciting development. It allows for the recognized assessor program to take advantage of the established pool of IA assessors and their companies that are already in professional practice. So we talked a little bit there about the company that could be a recognized assessor. We also talked about the individuals who are the actual assessors and their competency. So the requirements for that is that these people have already been trained as assessors and have a minimum of two years' experience in performing process assessments and in looking at people's documentation, organization's documentation. Thank you. Again, here I'm going to detail some of the standards or the standards that are currently accepted in order to become a recognized assessor. So they're on the left. There are three standards that are very often used in the information assurance industry to qualify assessment companies. They're ISO standards, and there are three of them listed there today. ISO IEC 17020. ISO IEC 17021. And ISO IEC 17025. So if the company is already accredited to these standards, then they can reuse that accreditation to become an Open Group assessor company.
For the actual individual assessors, then the auditing or assessing qualifications that we commonly see in the information security assurance field can be accepted. The current list includes lead auditors for some of the ISO standards, the 2701, the information security management systems, the 9001, the CMMI appraisers, Common Criteria evaluators, and FIPS 140-2 testers. If you're interested in applying, all the information is on the accreditation program website. Okay. So finally, here we talk a little bit about the specific requirements that are required to join the Open Group program. So in addition to an existing management system, the company must also show and prove to the Open Group accreditation authority that they do have established processes for performing OTTPS accreditation. And for the individual assessors, then we work very hard to make sure that the skill level of these people in the subject matter of OTTPS is sufficient. So we ask for skills in supply chain management, the terminology and techniques. We ask for technical knowledge of all the OTTPS attributes and the OTTPS assessment program. And we also have in place an OTTPS assessor examination, which the individuals must successfully complete. So that's a brief overview of the accreditation program requirement to be recognized assessors. And with that, I'll hand over to Dan.
I'm Dan Reddy from EMC Corporation, and I am co-chair of an internal work stream of the forum that is focused on a combined effort to both reach out to a number of global constituencies to inform them about our work, but also to harmonize their work in building the standard and the accreditation program with other initiatives where there may be some synergy. Our approach in this effort is to remain fact-based so that we can be a credible partner in this broad community.
When we're referenced by other entities, such as the ones mentioned here, like the GAO report and the NIST Special Publication draft on supply chain risk and a NASA RFP that has a reference to our standard, we think if it is based on facts and the word gets out that it helps everyone understand how our work ties in with other work that is being done in other spheres. On a regular basis, we are asked to speak at conferences where there may be a focus on maliciously tainted or counterfeit products, and there could be some synergy, and if you know of any such opportunities, you might bring that to our attention. In addition to focusing on facts for our outreach, we focus on the details of our technical content because we think that that's important for the community. We've done several internal efforts where we have taken our detailed requirements and those in other standards, and we've looked for alignment or congruity or to identify possible differences and gaps. One strategy that we're following in order to build momentum whereby others can leverage our work is to make it clear to the outside world what we're about and to talk about the value that we have in having someone voluntarily adopt our standard and possibly the accreditation program. We think that it is a more solid foundation to take that approach rather than a process that would rely on mandatory regulation. As people learn about our work, we hope that this effort will grow and there will be more cross-references and that the demand will grow. In terms of our priorities, obviously with the launch, there are activities like this podcast that are ongoing in support of the launch. We think it's a big deal that we have a standard that focuses on supply chain risk management and offers a measurable method to gauge that conformance.
Anything that we can do to get the word out is good. We hope to continuously look at our own content, especially as we compare it with content that may be out in the world at large. Let me just highlight some of our key priorities in this area of harmonization. Again, we've combined harmonization and outreach. Although this is a global standard built through content, we realize that there is further value in linking our work to that of ISO and IEC. We are actively exploring a potential, stronger relationship with ISO regarding their related work concerning supplier relationships, and we have a formal liaison in place. The Open Group is already a recognized submitter to ISO and IEC, so therefore we think we're in a good position to consider submitting our standard as a relevant part of the work for COTS ICT providers. From the very outset of this initiative, we have made our relationship with the Common Criteria a high priority. Many of the larger technology providers, such as my company, are actively going through Common Criteria certifications for our products on a regular basis. We see a great deal of synergy. Some of the same companies and individuals who are working on the Common Criteria supply chain technical working group are the same people and companies that are working on this initiative. We think that the threats that are being addressed here are also aligned between the groups, and we are moving in a direction of formalizing our working relationship with the Common Criteria Development Board, hopefully creating a formal liaison between the programs. As I had mentioned previously, we feel that we can add value by mapping our work to those of others, and we have done that internally with much of the work embedded in the Common Criteria, which looks at products, not at organizations and the practices the way we do.
But it's important to note that the members of this forum have adopted a "measure once" approach, whereby during the trusted technology provider accreditation process that has been discussed today for a particular product organization, they may encounter a situation where the assessor is looking for evidence that a product team has met a particular OTTPS requirement. That evidence may be related to the same product that has been certified under Common Criteria for a matching requirement. We expect to be a leader in recognizing the value of those forms of evidence so that we can measure once as we go forward with our accreditation. We believe that this approach of focusing on the facts and the content and making continuous improvements is very important for the ongoing credibility and adoption of our work. So I think we're nearing the end. The next slide gives you an overview of a summary of the accreditation process that Andras and Fiona have outlined. So this can be a good reference for you as you take a look through the slides. And then the last slide in the deck has a series of resources that we would encourage you to tap talking about some of the work that we have done in written form or other testimonials and information that can be valuable. So on behalf of the entire team, thank you very much for joining us. We would like to hear from you in terms of other ways that we can inform people about our work and those opportunities will be something that we can capitalize on with your help. Thank you.
Good. Well, thank you, panel. We've now got to the stage where we can go through some of the questions that we've had submitted on the Q&A facility. We've got a few, so if anyone's got any more, then please do send them in now. Start with the first question from John. John is asking, so if a specific product is accredited, does that mean the entire supply chain for that product has been reviewed and accredited?
Or does each vendor/element in the supply chain need to be accredited? Who would like to pick that one up?
Well, it's Andras. So the organization as a whole becomes accredited against the best practices. So you don't have to become accredited for each component or each element of the standard. It's a holistic approach. So the question, I think, really was do we look at the entire supply chain in a product? And I think our best practices, our requirements, as Edna pointed out, do cover the full life cycle of a product. So from design to disposal, including supplier relationships and how you interact with your suppliers and things like that, we do believe that it would be in the best interest of everyone if the component suppliers got accredited on their own. And we hope that because that will be assurance that they're following the best practices through all of their development cycle and ensure that they're not contributing to tainted and counterfeit products. So the goal really is to have component suppliers also be accredited on their own. Did that answer the question, between Andras and I? Yeah, and we also have accreditation requirements, best practices around kind of holding your suppliers to the same, you know, level of integrity as those best practices defined in the standard. Right, that's true.
Okay, thanks. John's just put in another question asking, has there been any thought to how a requirement for accreditation might be included in government contracts competed under FAR Part 12 commercial items?
Well, so if you look at NIST SP 800-161, they've done something very similar to what we have done here, and that is that they are trying to be descriptive and outcome-based and not pejorative. And they do cite the OTTPS standard in that piece of work.
So I believe that if there is a defined standard and there is a set of policies that may get established, you know, per the NDAA that was just passed for 2014, that we may be one of probably maybe the preeminent program in which to measure compliance. But there might be many different ways a company can use both this program and other techniques to show compliance. So we're hoping that this doesn't, like, get written into some sort of stone, you know, from a policy perspective because there may be many exceptions as well as rules that could be established and that might make it more difficult for the industry to evolve over the period of the next few years.
You know, if I could just emphasize that, you know, I mentioned that our approach is to get people to pay attention to this on a voluntary basis and not to try and actively try and get it embedded in regulation. And as Andras said, there are, especially in the area of supply chain, this is evolving and it is unclear to many in the U.S. exactly what constitutes the right kind of best practices and how you measure it. And as he said, we do offer something that is clear about building global consensus and is measurable. And when you compare some of the baseline controls in 853, for example, I think there is good alignment between many of the fundamental practices that we have in our standard and the accreditation program that line up suitably with some of those expectations.
Okay, so let's go on to the next question. This is a question from Richard. It's a question and a statement. So first he's saying congratulations to IBM for being the first certified. He's asking, how quickly can we expect other vendors achieving certification? Do we have any visibility on that stage yet?
So this is Edna from Cisco. Let me take a crack at that. I think, Richard, that we have membership that is looking at it. So those vendors who are part of the TTF, as well as those outside.
And I don't think we can give you a specific anticipated commitment on when folks might be accredited. I think everybody's in the stage of evaluating the excellent work that has been done by the forum and the standards alignment with other standards, which are utilized across our various organizations. So that's a way of answering without specifically answering. Lots of folks thinking about it. Not sure yet. We do have one other company that's participating in the pilot at the moment. So I think we're all weighing the many benefits that we see and trying to fit it into our schedules over the next fiscal year or so.

Thanks, Edna. So question here from Jerry. This is a long one, so bear with me. Jerry is asking, how do accreditation requirements impact small businesses that are engineering services and IT product integrators for the larger OEMs? He goes on. Will small businesses be expected to be accredited if they are in an authorized reseller or IT product? Or IT product, sorry.

Yeah, I believe our goal as industry leaders and I believe that our government partners would also agree is that over a period of time, you would see the industry adopt the best practices and that would include small companies as well as large companies. And we really painstakingly took a lot of effort to focus on making these best practices consumable for small one, two, three, four, five, 50-person companies. So I believe that it's very much attainable for smaller companies, even a one-man company. It is certainly probably even a little bit more work for larger organizations, I think, in some ways because you have separate lines of responsibility. But these are best practices and they're very similar to ISO 27000 security controls based on outcome-based best practices for supply chain security and integrity.

If I could just add to that answer.
We were also very cognizant as we were building the accreditation program that there was enough flexibility that we could accommodate a number of different situations where we would have different kinds of organizations. It could be an integrator. It could be a component supplier. And the way they describe what their products are, that same flexibility because we felt that it was not possible to build something that was one-size-fits-all. And yet we had to have enough standardization to have real conformance that you could bank on.

Yeah. And that's a good question, Dan. I mean, a point, Dan, because we used the word provider consciously. We didn't use the word supplier. We use provider because a provider might be an integrator or they might be an actual producer of a product that gets consumed upstream.

Right. And they could be producing that at any level within the supply chain.

Right.

Yeah, so this is Sally from the Open Group. I think one of the beautiful things about this program is this holistic approach, as one of Andras' slides pointed out, so that if we can really get all constituents involved, which really is the point of securing the whole all of the global supply chains, then that would be a wonderful thing. Your component suppliers are practicing the best practices and they're accredited. The technology providers who are utilizing the component suppliers and integrating their components get accredited. The integrators get accredited. And then you ask, then you partner with those open trusted technology providers who are accredited and are reducing the risk of counterfeit and tainted products. So yeah, this is a global standard and it affects, it does affect all constituents. And the point, one of our markers was to raise all boats so to make it attainable for all constituents around the world.

Thanks, Sally. We've got one final question. This is from Srikan.
And I think he's really asking for a little bit of information about the upside of getting involved. So he's asking, what is in it for organizations that have to fund the implementation for accreditation? And he's given an example, so accreditation to OTTPS will bring an organization to any compliance requirements such as PCI DSS, or FISMA, or HIPAA. And he says, if not, organizations may not really fund it. So does someone want to just talk to that point?

So, you know, first off, I would say, you know, my position from his company's point of view would be reviewing and assessing the standard itself, the impact on your business with respect to the standard. And are you actually conducting those best practices? And then you have to make a business decision about the customers you're serving or the supplier or the provider who's using your components and the business decision they're making to prioritize over those component suppliers who are providing not only a well-formed, you know, valuable service or product, but also one that they can trust. And so really, this is going to be, you know, business-driven requirement ultimately. But I would, you know, begin assessing and using the standard today.

This is Edna. Let me join in as well. And Dan may want to speak to this. There's a corollary to that as well, which is, in addition to assessing yourself, as Andras just articulated, we have gone out of our way and will continue to do so to identify where we align with other standards, some of which you referenced. And the reality is that there may be some overlap, there may be some positive recognition where you can, when I say overlap, not in a negative way, but a benefit from doing one that you will automatically get credit for or be able to leverage and utilize effectively. So, you know, this isn't a standalone standard that sits on a mountain and does not recognize that it is part of a global standards environment.
And I think that's very important to note that most of us who will be looking at this will recognize that it fits nicely and dovetails with some of the other activities in which you're engaged. But again, you are correct. All of us need to make business decisions based on cost and efficiencies. And that is the very fact why we tried to align and we had a harmonization organization or subtract that Dan was heavily involved with. Dan, do you want to elaborate on that?

Sure. I do agree with Andras in terms of the business decision around the value. Do you and your customers see value in being listed as a trusted technology provider in a way that has been measured by an independent third party? That's the fundamental decision. And when you look across the landscape of requirements, the whole area of supply chain is relatively new to some of the other areas of security. And this is something that is concrete, has value, and is being measured today. How you translate this particular conformance through the accreditation program to the various groups that you work with, I think it represents solid evidence that you can point to. We are focused on the threats of maliciously tainted and counterfeit products, but some of our practices that are foundational include regular things like vulnerability response and secure coding. And these are things that you can point to in a variety of settings where you've had a third party assess your practices.

Okay, team, thank you for that. Well, we've come to the end of the question, so I think this will probably be a good time to bring today's event to an end. But Sally, would you like to say anything just to finish off with?

Sure. Just thank you for everyone who participated, and please do feel free to contact me, s.long at opengroup.org, if you have any further questions. And also, the links on the slides are very important. Please go visit the forum to see what that's all about.
But the accreditation link will take you right to the live launched accreditation program. It has all the information there that you would need to prepare for accreditation, including the standards and the policy and the assessment procedures. So please do explore that site. Thank you, everybody.

Sally, one last thing. I would just like to clarify that you do not have to be an Open Group member to take advantage of the free standard or to go through the accreditation program. We certainly welcome people to join as members if they want to shape the future of the standard and the accreditation program, but it is not a requirement for being accredited.

Absolutely. Thank you, Dan.

All right, Sally. Well, thank you for that. Thank you, team. And thank you, everyone, for joining us today. And I'll bring today's event to a halt now. Thank you very much.