 Thank you. Welcome, Joanne. Yes, so I get to do my 30-minute talk that was going to be 15 minutes and 30 minutes now. So hopefully, it all works out. So I'm going to start. Let's see how this works here. Yeah, no, I went too far. There we go. OK, a little bit about my program, because it's always good to let you know why I'm up here and what I have to do. I managed, as mentioned, the Solutions Friendly Prize by procurement. It's basically the second biggest IT contract vehicle in the US government. It's managed by NASA. I'm a NASA employee. And we've been doing it for about 25 years now, getting onward to there. It's a contract vehicle that anybody in the US government can use to purchase ICT and AV products and services. We have about 4 and 1 half million lied items on our contract, unique lied items. We have 145 companies with contracts. And through those contracts, we have access to about 4,600 providers. And all those numbers change every day. We're very dynamic. We're always not every number. The number of contract holders, 145 stays the same, but the number of products that we have on the contracts, the number of companies that work with our contract holders increases actually pretty dramatically every day. We have one of three agencies that are authorized to serve the entire federal government. But along with GSA, who many of you know if you work with federal government, we're the only federal government, we're the only agency that actually every government agency uses. So whether it's DOD, or Commerce, or Veterans Affairs, or NASA itself, we're used by every agency, which makes all of what I do very interesting because I have to not only think of what is that I think people should do, or what NASA thinks people should do, but what every single agency thinks they should do, which is different for each agency. We have about 30,000 customers. They all think they do it right. Everybody else does it wrong. So anything we do has to work with the entire range. Our emphasis is customer service. For both government and industry, we're kind of unusual in that in the government. We actually want to work with industry. We see you as our partners as we're in industry. Part of what I enjoy about Open Group, and particularly the OTTF, is my ability as a government employee to learn more about industry and understand what drives industry versus trying to think I know what it is and drive it perhaps in the wrong way. And our basic goal is to make acquisition easier for the government. And in some ways, easier for industry, so that we understand that if it costs industry more, it's going to cost us more. So we want to make sure that it's easy all around. That kind of gives you the idea of why I'm here. I love Dilbert, so I always have to bring up Dilbert. As you read this, we don't actually acquire things. We don't buy things for people. We run a program that people use to buy from. And what makes that interesting, and that's why we talk about the customer here, is that we're worried about how can we help our customer out. And as you can see, it's all about information. And I consider that to be one of our main focuses. And what we do is we try to inform our agency decision makers on issues of importance, like as we'll talk about supply chain risk management. So a little bit about supply chain risk management. I'm going to talk about two particular areas here. One is about authorized resellers and the supply chain, the providence of products. And then we'll talk about OTTF and some of the issues we're facing. But the bottom line issue is, and this is one that probably everybody out here understands, but the government does not. There's this idea out there that if we do the right thing, we're going to have 100% assurance that everything is good. And all we have to do is require industry to do the right thing and bang, everything is solved. And to get my government customers to understand that matter what you do, there's always a risk involved, that in fact, it's all about risk management. We can identify it. We can assess it. We can decide whether what we want to do is worth the risk or not worth the risk. But no matter what we do, there's always a possibility in this world that something's going to go wrong and we have to be aware of that. So it's up to the acquirer to do an analysis. The more money you spend, the less risk there is. But the government doesn't want to spend money. So they try to find other ways to force the issues. But it's not free to lower your risk. It either costs time or resources to do so. Our goal, as I mentioned in the previous slide, is information. So my program is around not to tell people what to buy, not to tell people what the right risk is, but to give the customer the information that says, here's what you need to balance out and then decide where you want to put your emphasis. So one of the key ones we'll talk about in a second is product provenance. How do the items get from industry to the government? And then our plan is to utilize the OTTF to provide some more information in terms of lowering the risk. And we'll get into that in the next few slides. So we've come up in our program with something called the Mazdawn, because we have manufacturer authorized supply, a subset distributor, one time in unknown. So that's our Mazdawn picture. What we do for every customer, for every line item when they're giving a quote, we tell them the relationship between the company that is the manufacturer, because we have Dell and HP and IBM on our contracts, but we also have a lot of resellers, value-added resellers. So we want to tell our customer for every line item what the relationship is between the reseller, the person they're buying from, and the originator, what we call the provider. And so pretty much everybody knows about authorized resellers. And if you're a big company out there, you're not going to like me because one of my things I say I tell my customers authorized reseller is not the do all and be all, and it's not the only thing you should ask for. I'll talk about that, it's some of my reasons why. It does make sense for bigger companies that you ask for authorized resellers because they tend to have an authorized reseller program, but I have 4,600 companies out there providing products and services, and most of them don't care who sells the products. They don't have an authorized reseller program. It's not a simple case to just say everybody needs to be authorized. But if they are, we tell our customer. And one little side note to this is we found out that we don't rely on paper signatures saying that they're authorized. We actually go back to the manufacturer and say, are they really authorized? We found out there's a lot of paperwork out there that people sign, well not sign, they have a rubber stamp of signatures and a rubber stamp of who's authorized and it's not always as clear cut as actually going back to the company like Cisco or Oracle or IBM is saying, are they really authorized? But one of the other things is that there's a lot of distributors out there, some big ones, Ingram, Micro, Tech Data, that companies utilize to sell from. And we need to tell our customers that maybe that's okay. And while a great market may not be something you all want to hear about, but it's not always wrong, it's just risky. And but it can save a lot of money. And you know, if you want to take the risk, it's there. Or maybe it's not so much great market, it's just unknown, which is what it mostly comes down to. So again, we're not here to tell our customers which way to go, but we're gonna tell them for each item they're buying and they can make a decision. I only want authorized or approved resellers or maybe I can use a distributor or maybe I'm buying a cable and I don't really care where it comes from, it's just a cable and they'll go ahead and handle that. So I kinda mentioned some of these. For some large manufacturers, an authorized reseller is a defined program, a process that requires technical knowledge and or money. And I think the government always understands that part of the authorized reseller process is that the authorized resellers pay money back to the manufacturer. And importantly for our customer, if somebody's not authorized, maybe they can't get a get warranty on the item. That's probably the most important issue. And they don't know where it came from. We just had one recently where somebody bought some products from somebody else, maybe reconfigured them and then sold them back to the government. There's a little risk involved in that. So we have to be careful about that. I once had a customer come to me and say, is it okay if I buy off of eBay from Thailand? You know, a major networking piece of equipment. I was like, well, I don't think that's a good risk. But the problem is that some companies allow resellers to resell their products without being an authorized reseller. And again, there are companies like Tech Data and Ingram Micro who are out there distributing that are themselves authorized to sell things, but are not necessarily a direct authorized reseller. So some other issues. You know, authorized reseller sounds good until you realize that sometimes people are authorized for some things and not others. Oracle, they got hardware and software. Some people are okay for the authorized for hardware and not software. So just to say I'm an authorized Oracle reseller does not necessarily indicate the type of reseller they are. And it can be, if you do 100% reliance. Again, sorry for those who think that you should. And I've had arguments with some of the big companies and about this. 100% reliance to me has some negative connotations. Government has a big push to do small business. And they can't all afford to be authorized resellers. It does reduce competition. And it does put decision making in the hands of the manufacturer as to who they want to sell their products through. And it may not just be, it may not be obviously the benefit of the government in that case. And I have a lot, this is a very short inversion of a very long talk that I do. So you can certainly ask more questions afterwards. So let's shift a little bit to standards and guidelines. Just in general, something in working with the OTTF, I remember we were at a NIST meeting and Andross may remember exactly how many it is, but I know there's over 100 groups that are working on supply chain risk management standards. And there still seems to be that many. And what each of them is doing and how they describe it and it all, it's such a large area that it can be very difficult. But that also indicates how important it is that there are so many people working on it. NIST is certainly a big part of that. The National Institutes of Standards and Technology here in the U.S. government, they do a lot of work and the OTTF is certainly involved with them and whenever possible I can get involved with them also. And then we also have the, as we'll talk about the actual open group and the open trusted technology provider standard. We did include that standard in our RFP that went out when we started our latest version of the contracts. We do have two government participants in this standard, myself with the NIST program and Don Davidson from DOD. And as I think we'll mention a few times, it is now an ISO standard, which I think is an extremely important part of the process. I'm not gonna spend a lot of time in here because Andross probably does better talking about what OTTS is, he's the chair of the board. But the basic concept is, we're not trying to solve all the problems. We're not trying to, again, do 100% no risk. We're trying to say, what is it that we can set up as a standard that will tell customers that there is less risk for tainted and counterfeit products? Hopefully a lot less risk if these standards are followed. So there is a standard out there. It is, we do have an accreditation program and Andross's group actually has gone through that. And as I mentioned, it is an ISO standard now, which is really good. So we have a standard. We have a standard that fixes all our problems, right? It's 100% standard, it's gonna fix our problems. We don't have to worry about counterfeit and tainting anymore. And it'd be great if that was true. But we have some barriers that exist besides the fact that it's not 100%. We, and I think that this is not something that is just true about OTTF, it's true about any standard, I'm sure. But we have the chicken and the egg paradigm and almost every meeting, every discussion we have, we hit this problem. Industry doesn't want to go out and spend money to prove that they are meeting a standard if no one is asking for it. And nobody is gonna ask for it if nobody has a certification that they can do it. Because if I went out and asked for it, it doesn't help me, because nobody's actually certified. So we're really stuck with this. How are we going to get past this barrier of who goes first? So one way is, can we reduce the cost to industry? So it's worthwhile for them. And the other way is to not so much say to the customers, go out and acquire the standard, because nobody does it yet, so if you acquire it, nobody does it. But start talking about it. Start making it best value decisions. Start making it something that is in your processes that once people start doing it, the customer is ready to start using it to say, this company reduces my risk. This company reduces my risk. I should use them over this company who's not certified and therefore has not reduced their risk. The other issue is who should be certified? And I quite honestly, I'm not sure yet who should be certified from my point of view. As I mentioned, I mostly deal with value-added resellers. I do deal with manufacturers and integrators also. I kinda deal with everyone in a sense through this program. But the fact is, tomorrow, not everyone's gonna get certified. So we still have to struggle with the question of are we really focusing on reducing counterfeit and training, counterfeit and tainting at the manufacturer level when it's getting integrated, when that reseller goes in and maybe does some value-ad. They're all very important and I'm not suggesting that they shouldn't all be certified at some point, but where do we start is a question I'm kinda faced with at this point. I have 145 resellers, that might be a good place to start versus the 4,600 manufacturers just because of the numbers. So you have those barriers? So what's our path to fulfill some of those barriers? After, and Sally can think of how long this has been going on, the discussion of certification levels, I think we've finally reached the point of understanding that we really need to have not just a fully certified, third-party certified level, but to get things started, to break that, that who comes first, go beyond just requiring that third-party certification. Clearly a third-party certification is the better of anything because you're gonna have an independent authority go in and make sure that whatever that standard is is being met, but it is a costly and long process and no industry persons, except for those who maybe see it as a possible differentiator, they're not gonna just jump up and say, yeah, I'm gonna spend lots of money and go through a process for nothing. So we're going to a self-certification level to kind of get things started. It is something that, as I've learned this week, I'm learning new things all the time, it's called compliance if it's a self-assessment, but a lot of people talk about being compliant to other ISO standards. So it's a terminology that is not unusual out there and I think that's very important for getting adoption. We sit in this open group forum or standards forum and we all know what we're talking about. When we're going out and talking to companies that have no clue what open group is, have no clue what a standard is, we need to talk their terminology and they know about self-assessments, they know about compliance because many of them will say, I'm ISO certified, that's another problem we have, I don't think it's on here, but I'll go to one of my companies and say, we have a new ISO standard. They say, oh, we're already certified and they mean they're ISO 9000 certified and many small companies think that that's what ISO is and we have to make sure we're talking language to both let's know that there's other ISO standards, but it's still kind of the same thing. It's a process driven standard. Are you following those processes? Let's make sure that you're doing things that reduce our risk in this case for counterfeit and tainted products. By having a self-certification, we can get to a point of asking for our companies to show that they are self-certified, to use the, and Sally, what's the right term? I always forget the right term here. Warranty and represents, yeah, to warrant and represent that they have met that standard through the open group that will be part of the self-certification. And then I will feel a lot more confident in going out into my program and saying I'm going to inform my customers if anybody has made that self-certification. It might take a year or so before this really gets rolling, but at least it starts the process out. And what that then does is it brings information to our customers that there is a standard out there, that there is a way to show compliance with it and then if you're dealing with somebody like DOD who really wants more than just a self-assessed requirement, we say, yeah, and then there's a third-party certification. It's going to take a little longer, so start with a self-assessment perhaps and then move yourself forward. So who should be certified? As I mentioned, the key question, you know, we're going to focus on manufacturers, going to probably focus on value-added resellers, but we're going to also see where our customers end up taking us in terms of who should be certified in these situations. Believe that that gets me to Ondra. So Ondra, if you want to give a little bit more about Open Group Itself and the Open Standard, OTTF, yeah. Well, you know, one of the things that I think that was really unique about this particular forum was that we got all angles of the membership kind of covered. We have the customer angle. Joanne represents that from the government's perspective. We have the vendor angle. We have integrators and channels and we have the certification labs. And it was also really interesting, you know, how the whole forum evolved because really it was the outcome of a public-private partnership. And that's very unique and we do a very good job of that here in the Open Group. The forums primary asset that we've created is the Open Trusted Technology Provider Standard. The purpose of the standard is to mitigate two primary risks that we did a tremendous amount of research on to determine, you know, how to actually mitigate risks to the supply chain from a technology point of view. Traditionally, the supply chain security perspective has really started with how do you actually manage your suppliers but primarily focused on ensuring the integrity of the product as it's delivered into the hands of the customer. And our standard really extends that idea to all the way from design through the sourcing of the components to development and to the delivery and sustainment, which is very important from a technology point of view because technology is constantly being updated and delivered especially in the cloud now. So those two risks that we're mitigating in our standard are the risks of maliciously tainted components and the counterfeit components. So we're trying to mitigate counterfeit and maliciously tainted. So what maliciously tainted is any capability that's been added to a particular component that isn't part of the authorized product or component is considered tainted. Obviously, you know, you would think of viruses and worms and so on and so forth, but that includes backdoors or listening components. And then, of course, from a counterfeit point of view, it's any non-authorized channel support from a product point of view. In the government, they were seeing a lot of chips that were being ablated, the top of, and re-marked and then sold as authentic. That's definitely counterfeit or I could manufacture it from scratch and pass it off as your product. That's also counterfeit. So those are the two major risks. And at this time, I think, I'd like to ask Steve up and I think he's gonna ask us a few questions. Certainly, and if there are any more, I've got a couple, but if there are any more questions from the audience, then please, it's not too late, but sit up here, I'll start by, one of the things I always think of when the NASA soup program or the soup program is mentioned is just the sheer size of it. And I think you've been very modest about that, but are you able to give us an idea of the scale of the budget that the program is governing? Yes, so we are currently at about 3.1 billion a year of products going through the contract. And as I mentioned, every government agency is utilizing these contracts. So it's sometimes a little frightening how big it is. And we're actually expecting, my expectation is actually that we'll double in size in the next couple of years, based on a number of factors. Yeah, that's huge. As a side note to that, because some people say, I just had a talk about the US government to understand the money involved. So we're number two. Number one is GSA. They do 17 billion through their schedules. And actually number one is everybody else, which is 80 billion. There's a lot of IT being bought by the government, which is why issues like this can be very important. It's amazing how they keep buying, right? So first question I had, since you and I this morning, Andres were talking about executable standards and open-source, what's the open-source angle on something like this? Because one of the fears, obviously, that people hear about for open-source products is you really don't necessarily, there's less of a ability to have a warranty and representation kind of situation. What's the open-source angle on this? Well, there is a very significant open-source angle because the government has a significant open-source initiative. And a lot of folks, including the government, incorrectly believe that somehow open-source is free. Open-source is a channel, it's not free. And so you've got to get the open-source from the right channel that has the lifecycle and product support management that underpins it, that I think that the panelists talked about before with respect to open Pegasus, and certainly that's our perspective within IBM too, is that you have to have that lifecycle and product management piece in place. And that includes all of the processes that we have in the standard to mitigate the risks that somehow you're not pulling in components or allowing somebody to add some mischievous elements to the open-source itself. So that's a very significant part of open-source because there's a lot of open-source out there just because you can go out and get it and it's free. It doesn't mean it's necessarily, A, without risk, and B, able to support your overarching mission. Okay, thank you. And Joanne, you mentioned one of the slides that this is now an ISO standard. Yes. Does that make it easier for you and your program harder or you did mention that ISO means different things to different people, but is that a big plus? I think it's an amazingly big plus for us. As much as I know Open Group, I've been involved with you all for a long time. Most of the government does not, so I can go up to anybody and say, the Open Group standard, and they're like, who is that? If I go to somebody and say, ISO for better or worse, it doesn't mean that it's better or worse. It's just the reality of life. I say ISO, they're like, oh, this is something real. I know ISO, and I know the language that you speak of and government really likes ISO. It's a big thing. If you say you're an ISO standard, it kind of takes, oh, okay, somehow that wipes away a lot of concerns. It's actually the same standard as the Open Group standard, but it now has that statement. It has made it through that special standard process that people like to see. Really important distinction state because we're able as the Open Group, we have the authority to be able to take our standards and submit them to ISO via pass. And as Joanne mentioned, not only is it an ISO standard, but because it became an ISO standard, now you have ANSI and the BSI British Standards Institute. I think that's what the eye stands for, supporting it now as well. So really, really important points. Yeah, that's right. And as you say, we've got this ability to do that in the Open Group, and it doesn't always, there's not always a requirement to do it or a need to do it, but clearly for government it makes a big difference. So you mentioned that it's relatively rare for a, Joanne, sorry, you mentioned that this is relatively rare for a government agency to want to work with industry actively. And has it been a positive experience in this particular case? And are there others that you've experienced that are similar? Yeah, I think, you know, the reason my program is where it is and part of why we're growing is because we've always had the view of industry as a partner, which just is unfortunately not a big part of the US government's view at least. And whether it's little things like, I went to tech data, I mentioned the distributor tech data, I went to the headquarters. I was the first government person ever to enter the headquarters. I'm like, really? You know, I'm not that important of a person that there shouldn't have been other people to think you should talk to your distributor and learn how they operate. And they're just sitting in the room with IBM and Cisco and Oracle and HP and Dell and then the labs. And the people who are in that community, hearing them discuss things gives me a sense of where the issues are. And all too often the government sits back and says, well, firstly, we have an interesting economy in the government. We either think industry knows everything and we should just follow them because they are perfect. Or they're the devil incarnate and we should help them at arm's length for everything. We are perfect, right? Right. And neither is true. And that's what I find so fascinating is to learn that there are issues and we can all make this a working hand-in-hand process versus one against the other. Right, right. And from a vendor point of view, I'm sure that it's a relatively unusual environment too to do this. Yeah, I mean, one of the important elements of this whole discussion, especially around the certification, is what is the business case for me to invest in certification? Because it's non-trivial. Anytime you do any kind of certification. And so my company is certified and the business case that we had was driven really by the government and by our integrator partners who are asking for this information anyway. And we figured, hey, why not just get certified and we'll have the information on hand and we can provide them with it as necessary. And we know that other companies are going through the certification process too. And we're currently working on self-adastation, self-certification as a first step into this area to give folks, as Joanne suggested, an opportunity to participate, kind of crawl, walk, and run. And at the higher level, we'll probably see the integrators also taking it a step further as we go into the future for weapons systems or high assurance systems and adding that to their perspective. So I think this is really important that we now have this international standard and we have the customer, they're asking for it and this makes the business case a lot easier. So we talked about the customer in this case being your program, Joanne, and the US government. Are you aware of other governments using the standard or is it applicable to big commercial organizations too? Should they be looking at this when they're doing their procurements? I think it's more on justice view. I will say one interesting note is I actually got to meet with Eastern European countries who don't know anything about the standard. Because through our program, the Department of Commerce says I got to go to Moldova, an interesting little country. I will say for them, they aren't ready for this. One of the fascinating pieces was that their main concern is corruption and getting hacked by Russia. To counterfeit and tainting wasn't quite on their radar yet, but I think if you're not talking about those kind of developing areas, you probably do have other government should be looking at the same sort of issues. How do you mitigate the risk? Again, you're never gonna say I've got a bit of the risk, but how do you mitigate it? And I think the other thing that is, the government doesn't quite understand is why isn't industry just driving it themselves? Why isn't industry asking industry to do it? I don't know. And we have better insight as to that. Well, I think that when we started this effort, there was a recognition that the industry was working on it, but it takes a significant amount of investment to mitigate the risk. And so you really have to be a kind of top tier supplier or vendor. So the primary folks who are best at this were the ones that were creating secure engineering, in our case we call it secure engineering framework, secure engineering initiatives, Microsoft, Oracle, all these guys have all of the tools in place to be able to mitigate the risk. And one of the things that we did was we came together and shared our practices and kind of codified them so that we could help the end-to-end supply chain. That helps us too because we are on both ends of the spectrum of the supply chain. We're both suppliers, but we're also the customers of the component suppliers and we need to mitigate the risk to our brand names as well. Well, it's typically the case with any kind of certification program, whatever. There needs to be that pull from the customer for the vendors to want to do it. You describe the chicken and egg, and how do we break the egg? And we had that experience, in fact, involving your program Joe in years ago with our unique certification program. That was definitely the fact that if you wanted to bid on a contract, you needed to have a certification under the single UNIX specification program that we run, then if you didn't have it, you couldn't bid. That got the vendors' attention, and all of a sudden, they want to be part of it. So, yeah, that's fairly typical. So, you said a little bit, make this the last question, unless anyone has one from the audience. You said a little bit about the next steps or the roadmap for what happens next for the certification program. You're gonna start with the self-certification type approach, and what's next for the standard? Do we leave the standard as it is? Does it need to evolve? Does it need to change? The standard is changing so much as we're doing some optimization around the wording. We're making the certification policy. We actually changed the name of accreditation certification because internationally it's called certification regardless of whether we think it's more like an accreditation program or not. And the tier one, two, and three approach where you have different channels of certification, self-certification, third party, and then maybe third party extended or something like that is certainly kind of where we're going. But we're really, really, really trying to do two things. One is market outreach and adoption and then working on the lower end of the tier one because you really need to be able to have that crawl, walk, and run because the smaller channel vendors don't have the resources necessarily to go directly to third party assessments. And so we wanna facilitate the industry to come into this from a crawl, walk, and run point of view and not just top down the big guy's approach. Right, right. So one of the interesting things is I'm more in the commercial arena, the very commercial products and so worried about that more lower level and resellers and such and Don Davidson who's from DOD has the opposite view which is why you mentioned tier three which is he's from the DOD major weapons and major critical items and so he's actually interested in going in the other direction which is one of the areas we have to look at is having more rigid requirements that you have to meet to deal with his program. So what's cool about this particular program is you have both ends of the customer being represented here. So sometimes it adds a little tension but the tension can be good if it's used to make the program better. And we don't have to modify the standard to actually satisfy the needs of those to three different categories because the standard actually has shoulds or shals, musts, in other words you must do that. And it has some attributes that you could consider as higher level assurance that you not only might be able to implement in the current standard but could require for higher assurance projects. Okay, thank you. Well, we're just about out of time. I've got a couple of announcements beforehand but in the meantime, thank you, Joanne. Thank you. Thank you.