From YouTube: Supply Chain Integrity WG (May 23 2023)
A: Also, let's see that finally, signage.

A: Put some funny stuff going on with what the hell is going on, what anybody else see what's happening to the shooting.

A: I miss you. Here are a few different things going on today out in the ecosystem. I'm not terribly sure I'm going to have a larger tendency.

D: So between the previously about debrief.

D: From the Open Source Summit, always.

E: And I think, you know, I think one of the things I'd ever also from last time, and it kind of end up back in the spec meeting. You know, as a fake sort of agenda item was just kind of like, you know, what's that, frameworks versus compliance versus conformance versus all those.

A: Different things. I don't want to look when this is a recorded call, man, so I'm going to be very, going to be very, or, or watch my words carefully, and what else to say is this or room of people that are writing a specification.

A: It made me extremely, when I say consumer I mean someone who will take this ISO, PCI, HIPAA, you know, FFIEC, whatever, no, we'll take these, these frameworks, SANS stuff and, no, whatever, take these frameworks, internalize them, understand them and then create my security posture from them, right, a consumer of them. When you, when you sit in the room and you get asked a question, a very of the, in very individuals that are writing the spec, man, like I, I, like you know, I'll, I'll leave it there. I, I, I don't know how you felt, like the damn.

E: You know where, if you're talking about, like, you know, let's say Google, where hey, I'm building a spec that's going to be used by other teams at Google, it's going to be viewed very differently than, let's say, hey, I'm a bank and I have all these different requirements and I have these NIST things, I have, you know, FIPS, I have PCI, I have all these different things. They all come at different levels, right, and they're also all going to be worded slightly differently.

E: You know, I'm sorry, not slight. Word is slightly differently. The, the tone and the, the, like, the vocabulary is going to be different, right. So, you know, certain things are going to be worded descriptive, certain things they'd be worded prescriptive, certain things would be worded, you know, whatever, and I think there, a lot of the folks who've been working on this thus far have been purely writing it as if, like, hey, I'm writing something that I view as, like, for my department.

E: What are sort of the general frameworks that I want folks to sort of work with it. I think what's happening right now is, as folks are coming in and they're like, hey, I'm an enterprise, how does, how does SLSA fit into my entire picture here, like? Does it fit at this level, at this level, at this level?

E: Think a little bit of the minutia around, you know, like as much as I, I like, in fact, I kind of don't want, as much as is possible, SLSA to become something like a, something like NIST that gets debated and all that good stuff, because then it becomes this thing of, like, you know, like right now, I think SLSA's, the majority of folks who have given good feedback on SLSA are mostly folks from, who are engineers, who were just like:

E: Oh yeah, I get it, I totally get it. But most of the folks have given me bad feedback, or we're not bad people, but have said they're confused, are more folks at that management level, at that engineer, like at that engineering management level, or at that executive level, who are like, hey, I'm looking at this thing and I don't understand how it fits into this big picture, and so I think there's some stuff there, right, where the, you know, I would say.

E: There's certain folks, like if the Google folks, who obviously, they're coming at us, are mostly an engineering perspective. We have, and a lot of the other folks, right, you know, who have been working on this have been working on it purely thinking about it hands-on keyboard, and I think this is where stuff like, I think, you know, folks like yourself, folks like Melba and so on, could do a better, you know, can really help push that, like hey, but we still need to make sure that it's, we separate out.

A: So, so one of the things that, the reason why I said what I said, and then I'll take a step back and then I'll say this part, for the CISO in an organization, right.

A: The CISO, one of the CISO's roles in any enterprise, period, is to establish a risk-based culture, right, and that involves creating a culture where you're adopting true security awareness and, of course, that's establishing that risk-based culture. You're taking whatever cultural value set that's there, you're changing behaviors to elicit habits around security, and, and that thought process of what security means, perspective of the, of the, the business unit.

A: Every business unit has a different nuances around what different security controls, what those controls are and then how you exhibit those to create that security or that risk-based culture across the enterprise. Now engineering is no different, right. So when you, so when you create something like this that's very engineering-centric, true, you still have to create it in mind, especially when there is a cost in adopting. That cost center is very business-driven. A business owner owns that cost center, not an engineer.

A: So, so, when you, so when you're, so when we're positioning SLSA, when we're positioning this across the ecosystem and in the industry, we have to make sure that we do that, speaking not just to the engineer. The engineer is going to get it. We need to speak to that business person, speak to that CISO, to say, hey, this is why it's important to be done, and I think.

A: This is why, when we were working on that blog post way back in September, October, when we were trying to understand from a consumer standpoint, we were trying to write that down. We've had issues. Why do we have issues? Because it's not properly articulated how we talk to a CISO. How do we talk to a privacy person? How do we talk to a compliance person at the business level?

A: This is an, and to that, especially when you're developing applications and, and services within those respective industries, organizations, industries, enterprise organizations and business units. So we need to be able to properly articulate that. When we have the questions that we had, then you're absolutely right, they're engineers creating specifications, but see, that's the problem.

A: True security, true compliance, true privacy practitioners in the room to navigate and, and to, and to provide an end, like one of the things that I like to say is I like to, to make security and, and provide true security of business transactions, so that it's a yes and not, and always no. So how do we provide the yes? We need to be in the room to give that.

A: Yes, otherwise it's not going to be properly articulated and we're going to get the questions that we got, which, which is troubling to me, because there's not enough in the room to provide the right articulation that needs to be provided so it gets adopted by the people who are going to spend the money to put the tools in place to properly adopt.

E: Maybe one of those folks to, like, come in, attend a meeting, provide some feedback or convey that feedback through one of us or, you know, a group like this to sort of highlight the problem, and then second, you know, yeah, getting a few more folks to kind of come in and maybe come in and say, hey, what you've written here reads more like the implementation, not the rules, or, you know, not like the spec, right.

E: This is more of the implementation, so this would fall more into, like, an example or whatever. I think that's where stuff would be, you know, very valuable to kind of, kind of talk through there, because I know for a lot of those folks, right, you know, a lot of the folks I know who I've spoken to on the SLSA side are like, this is our first foray into open source. So this is our first foray into writing a spec, and it's like, great.

A: To help drive it. So here goes my general issue, though. My general issue is not even in, because I think, I think that what we could release 1.0, I think we did a lot of great work there and I think we whittled it down and we parsed things out and we got something that's absolutely usable, fantastic. My problem is this: we did not call it the SLSA build one track engineering. We had one called SLSA engineering guide for builds, version one.

E: Sure, the thing about the conformance side, I would say, is we're talking that when people talk about conformance they're talking about conformance from the, are you conforming to SLSA, they're talking about, are you, is an organization who's, who's providing a service conforming to SLSA, which is, which is kind of, I think, different, but I think there's still a lot of confusion around that because, like, you can apply the SLSA framework without going through the SLSA conformance program, which is diff, yeah, it's like more of, like, are you building a system that.

A: Could, yeah, we understand that. That's not! That's! That's not! That's! That's totally transparent to the, to the practitioner or the person consuming it. They don't know what we know, right. We know that because, because we're close to it. What I'm saying is, when we have publicly used these terms, especially when we have publicly said security framework, and then you go into the meeting and you get asked the question, well, I don't understand, especially from those that have, are interested, that are, that are intricate, that are hands-on keyboard writing the specification.

A: The question gets, gets asked: well, what's the difference between a security framework and compliance requirements, flat out? That was, that was one of the questions, that was one of the questions, straight up. That's a problem when you publicly say it's a security framework. I mean, I, look, I, I'll, I'll pose this question now to the, to what, Mike was there, but Bruno and Arno, I think Arnold, you were there too, but I'll pose the question.

E: You know, that discussion a little bit so that folks kind of get that, like, even though colloquially, right, somebody might say, what's the difference between a framework and a compliance requirement, it's like no, no, compliance is, you know, and I know I use that, the, the analogy yesterday, like, you know, compliance keeps you out of jail, you know, the security keeps you, you know, keeps you from being compromised, and, and, and I, you know, it's, it's joking, but it's like, you know.

E: Compliance is significantly more sort of, like, evidence-based and all that sort of stuff, whereas a SLSA, you know, a security framework is more like the rules by which you're, you know, and, and there's a lot of, you know, there's some intricacy there and whatever, but I think we, we need to make sure that, you know, I, I get it because, because at the same time, right, like it's, you know, I think that the thing is a lot of the folks.

E: You know, what are they looking to adopt, and then that could help us steer it a bit more, right, because, like, if you were to ask me I would say SLSA comes to, is more like a standard. Then again, by standard I don't mean the, like.

E: An ISO standard, I mean more like a set of practices by which, you know, you say, hey, I've hit all these things, I'm applying good security practices, right, and then you would have a set of controls that could validate that, and, and you have a set of compliance requirements to say, hey, am I actually complying with this standard or whatever, and it all sort of depends because there's some minutia around standards versus procedures and that sort of thing, right.

A: See what I'm saying, that's not how it's written and that's what needs to happen so that we, on, on, in this positioning meeting, could do, effectively do our job and position it within the industry correctly, because now guys like me, guys like you, Bruno and Arno, right, keep in mind, the four of us, right, Arnold is, is a standards guy, I'm a security guy and a compliance guy.

D: So Mike is right that, you know, they, typically the, the people who've been leading the spec development there don't have that background, and, and basically, you know, my experience on the standards front, as using this said, you know, I understand this guy and, you know, I've been trying to help them get better at, from a process.

D: Point of view, spec development type of thing, you know, I think they equally, and, and the good news is, you know, they're very welcoming of, of input from people who are more knowledgeable in some areas than they are, and so I think it'll be the same here, but they can't, you know, they cannot invent what they don't know, and so it's up to people like you to come up and, and join and try to guide them to get this, you know, sorted out. I, the question for me is: do you think?

D: Do you think this is something that can be addressed by kind of having some kind of, like, foreword to the spec, to SLSA, explaining how, you know, how things are to be read? So, for instance, you know, well, you could say what we mean when we talk about security framework in the case of SLSA means blah blah blah, no, or does that require deeper, you know, editorial changes throughout the spec to, to reshape it? That's.

A: Man, I, I want to say you can get away with maybe a foreword, but then you'd have to provide an example in each use case, right. So when it's a security framework, do this; when it's a compliance requirement, do this, right, like it, like that. I think you'd have to, I think you'd have to, have to provide some, some kind of, some kind of use case. One thing I do want to say is I agree with Mike. There should be some end users in the room there and then end users over.

A: Here too, there should be like a cross, like a crosstalk. That way the ideas get over on that side, and then they come back and then we can formulate those thoughts and put out to the masses. I want to say that before I said the next thing, but, but you're saying, I know, I'm, I, I want to say, I want to say maybe a foreword, but then I also want to say that you got to have use cases.

A: This, do this; when it is that, do that, you know, and then how you tie it all together with the, with the respective maturity levels, because, you know, and as I sit there in that meeting, because you're, because you're a level two or three on the security part doesn't necessarily mean you're a level two or three on the compliance part, and vice versa.

E: Yeah, and, and like I think also, as we kind of steer this, I do think that, you know, I would push away from this necessarily being a compliance set of requirements or, or, or whatever, because I do think that there is a lot of stuff already in compliance that could refer to SLSA as, hey, I do SLSA, and because I can prove to you with this evidence that I'm doing SLSA, that hits this compliance requirement.

A: And so, yeah, but what will work, but when that work, we're not splitting hairs, we're seeing attestation, we're not splitting hairs. We're not describing what we mean by attestation in this or that context, we're saying attestation, use the attestation, either self-attestation or otherwise. You mean violence.

E: I get that, and I think we can maybe be like, you know, and this is where we, we have to clear up some of it, right, because, because, at the end of the day, right, like, we're never going to, you know, I think, like especially with the word attestation here, there's enough folks who are using attestation for, for years as well, out, completely outside of the compliance context, that I think we just need to make sure that folks understand when we say attestation we're using it in the sort of NIST.

B: Yeah, I came from financial sector, I think with Mike as well. When they say compliance, it's much stronger word. It means you must prove evidence or have a third party that can attest as well. So it's not only attestation by yourself, but we need a third party. But Jay, what, one question, I, I agree with you when you mention about, for example, security framework, you may not have the description that I have with financial institutions. They are the same, like, for them, security framework.

B: They remind me, like, FedRAMP, they remind CSAs, and of course, when they're talking about SLSA, wow, we are competing this space, of course not, I agree, but I do not know if you have an idea how to position SLSA in this, in this spectrum.

A: That's what I'm saying, like I, I don't, so to position SLSA in the spectrum, we need to get the spec down to the point where we can properly articulate what it is, and then not, a drive how we position.

A: What I think FedRAMP has 400, was it 100 and some, 400 different, yeah, I can't remember what it is, FedRAMP, I mean, well, there's like a hundred and something controls from FedRAMP Ready, but then, but to reach ATP you got to meet like another 200 or something anyway, to get, FedRAMP could point to SLSA as a means of getting there, right. It could point to it. So I don't think it's also beyond that level, but, but you would still need to properly articulate it to position it in that kind of way.

A: So what does level one mean? What does level two mean? What does level three mean in terms of what controls you've applied where, and we have that? What I'm saying is, say what it is, why it is and how it is, and then we could properly, properly, and then say what it is not, and then we can properly position.

A: We have to be very, let's say, narrow, but we, we have to scope this a certain way where there's not much scope, right, I, I, you know, you know, like, like the scope creep can get, can get real, real quick, but that's how these questions end up coming up, because we're not, you know, concise in the scoping of SLSA to begin with, but say, to begin with, we changed and we budge, but the scope needs to be, you know, very specific or concise, and then you build up, build up from there.

B: No, no, I, I totally agree. Compliance always saw those levels like a maturity levels, because when you talk with developers, they know from the past CM and CMM that you have levels of maturity. I see, wow, level one, two, three, you! You cannot get three if you don't have the level two already, I mean.

A: Exactly, you, you see them saying and where, and, and we're going, help, we go from level one to level three, yeah, you know, and if you go by the Capability Maturity Model, you, you start with, you know, there's, there's, I can't remember what the first one is: the managed, defined, optimal. You know, you know, right, so, so, so you, we're not even saying that, we're just saying level one, level two, level three, aspirational is level four.

A: We haven't even defined the levels, which is perfectly okay, but we're going from level one to level three. You still have a maturity model in place, but what does that actually mean if we're saying this is not a? You can have a maturity model around, around compliance and attest to a specific level. Right.

D: But you see, I, I, you know, Devon really talked about compliance, right, and when they talk about conformance, it's a different type of conformance we're talking about, right, yeah, it's kind of like saying: well, you know, we want builder, you know, build system implementers are going to be adding, you know, SLSA provenance features to their builder and they are going to claim, well, now I'm like SLSA 3, and well, how do you trust that?

D: And so the conformance program they're talking about is really focusing on trying to make sure that people can just make claims that are, you know, in the wild, because at the end of the day, it all depends on the user trusting these attestations made by the builder, and so, well, it's always the same way.

D: It's like, how do you trust that, and so the conformance program that is being discussed at the SLSA level is merely about, you know, having a mechanism to register either self-claims or claims by some third party that, yes, that builder, you can trust it. It does produce, you know, attestation, and it's also a provenance at a level three, which is very different from what you're talking about, the kind of compliance which is, like, you know, security policy compliance, right, it's like, yeah.

D: So, but, interestingly enough, I think, you know, I, I'm always wondering a little bit with the charter of the group we're meeting now, you know, this SCI positioning. I always thought, well, initially it was called SLSA positioning. Then we kind of say, well, let's take a broader scope, but I thought that would be part of this, is, you know, how do we position SLSA and other pieces against, you know, in the grand scheme of things.

A: Well, I volunteered to help write, to help write this piece that goes into the spec, but, but to your point, yes, that is our point here. It gets hard when we say what we're saying, which is, which is all the right things, but then that person takes the doc, listens to what we say, picks the spec up, and then we go to presentations and we get asked the questions that were asked.

A: That's what all of this stems from, the nature of the questions that are being asked. It's like, well, man, that's a, that's an odd question. It would sound, it sounds odd if you're not saying, well, no wonder they're asking that, because we're not clear in what this is and what this isn't, right. What.

A: Yeah, also, that will help us, help us, you know, position it better. When I think about positioning and I think about what our role is here, that's the only reason why I said, because when we go out and do these talks, like I, I, I really want us to focus more on the meat, because the meat's so important. Well, you can't even get there.

F: Hey, how's it going? I was super late and I was, so I was like, I'll just, I'll be a fly against the wall over here.

F: Yeah, I, I agree that where, when we're looking at from a positioning standpoint, like the end-to-end supply chain security, I don't know, maturity model or framework, however you want to call it, like it's, having just SLSA without really an explanation of, of what it's trying to achieve, or maybe a unified explanation of, of, of what it is, made, made it difficult to answer questions, so I would agree there, so having it well-defined.

F: And, and the terminology being very specific to what we're trying to say versus what, like, the universal word for attestation means, is definitely something that we just haven't had time to, to do, but it requires, you know, that general consensus from everyone so that, you know, they, we all can move forward under the same understanding. So.

D: You just said security framework, which is what triggered, I think, at least partially, Jay, which is like, well, you know, it doesn't seem right to actually, you know, position SLSA, or present SLSA, as a security framework, yeah.

F: Right, no, and I would agree with that. I think that we brought, I was, I, wasn't in the specifications meeting, but I wasn't in our chat last week, where I got, I, I was really confused of, like, how, how we're calling things, not we, but within SLSA page you can find it referenced as a model or a framework or a requirement or a guideline, and it.

F: I think it's a, it's a way to help with complete, like, help you get to compliance, whatever that compliance means for you, but that was the question that came up, that, a couple of times during, during the panel and throughout the week is, like, oh, so, SLSA compliant. What does SLSA compliance mean? And, and I don't think that's the right question: it's not what SLSA compliance means.

F: It's what SLSA means to achieve compliance for whatever it is you're trying to comply with, right, not to make it like this gray area, but it's not SLSA that you're trying to be compliant with, it's whatever it is that your organization needs to be compliant with. You can use SLSA as a playbook to implement specific standards or, I don't know how, I mean, that's the, trying to figure out what word to use without.

A: Let's see, Laura, that, so, that's, so you're hitting, you're hitting to the point, the, the point is, is to, for us to properly articulate that SLSA is an and, right. It's not an or, and we're saying that, right, because if we say things like, you know, you, you don't properly articulate what, and then we don't say that, you know, we don't say that it's an and, it complements through doing these things, right, and then what, then we're not even able to clearly articulate and provide that kind of one-liner, the elevator pitch.

A: When we're talking to people with the, the persons with the pocketbooks, that elevator pitch, they only got, they only got 30 seconds for you to say this is what this is and why you need to have it. 30 seconds is what you got, yeah, three bullet comics.

A: You know, we have to be able to do that and provide that kind of high-level C-suite understanding so that it can become practice.

A: In organizations, otherwise, if you implement it from the bottom up but not from the top down, you're impacting SLOs and you're, and then you're just adding something on that creates a headache. You're, not even, it's not even something that, that, that's usable.

D: I don't think so, but, but I do think it is very bottom-up, you know, oriented, and I, I mean, for that matter, it doesn't, you know, it doesn't, I mean, it barely talks about policies, right, which is, you know, so it's not like, you know, it starts with the policy point of view and then goes into detailing how you, how you comply with those policies. It's the opposite. It just collects information.

D: You know, defines what the build system must do to provide the right information, which can then be used in a policy that you would then comply to as the, the, you know, at a system level, so it, you know, again, I think it's really interesting, because it's, I agree, it comes down to what Mike was saying earlier, that it's, it's a very, it's very engineer-oriented from that point of view.

A: So I, I mean, gone down that basis alone, I mean it's all in the playbook. If they ever did want to do that, that solves a lot of this by using the term playbook, especially with the bottom-up approach. When you use the term framework, you use it instead of saying playbook. If you use the term framework, that's, now you're getting towards the middle, middle to the top, because the decision holders on what frameworks to use, that comes, that comes from the, that comes from the middle, top layer, that doesn't come from the bottom there.

A: If the playbook ties, is technically coupled with the framework used, that, you can say, this adds to but doesn't take away from our framework, our policy, our policy, our procedures, our framework, whatever. It doesn't take away from that, that's true. You gotta now make a decision at the top. Do we use this framework against what we're already doing? How does this differ from what we're already doing?

A: Is there more money that needs to be spent to follow this framework against what we're already doing, rather than just being a playbook, where there's, labeled, should have little to no spend at all, just be a set of practices now that you follow that are in concert with your framework, your policy, your procedures, your policy, etc.

F: Yeah, and that's kind of the, well, not kind of, that is the basis for that, aligning it to the frameworks that we, or standards, rather, that we were already looking at, at, for Red Hat, to figure out how does this new thing called SLSA, this new framework, align to what we, we already are, already doing as an organization, and does this add value, or does it just, is it just one more column for us to check the box, and we don't want it to be?

D: You know, general introduction to how, you know, and I say you, because you guys are security people and, like me, you know, could, could give this kind of, like, high-level view on how you see things, what it means for you.

A: Go a long way, so that's what I'll do. I'll put some words together and then, then, you know what, I don't know, I'll hand it off to you, so you can take a look at it from a standards perspective. Is it articulating something that a person picking up a standard who knows what to read, and I mean, I, I mean, you know, yeah, I'll look at it with my eyes, but your, your eyes are a bit more seasoned than mine.

A: You know, look, pick it up and say, yeah, this is articulated correctly for standard, and then we'll bring it back before the, before the spec, spec people and see if we can't put a PR on, a PR in to get it properly. First, over.

D: Yeah, I mean, for now, you know, I'm not too worried about the PR. I think we really need to gain some common, you know, understanding and, and, you know, agreement on the, what needs to be done. Then we can focus on the actual PR, because right now it could be a text anywhere. It doesn't really matter, right. There's foreign, but I mean we can, we can work around a BL for sure.

F: I have to get better at not just looking for Google Doc updates, but also, like, and I don't always know, like, where it's posted, because it goes different, under different specifications, and we're not specifications but SIGs. So if you guys are, you gonna use Google Docs or GitHub?

D: All right, and again, I think this falls, you know, really squarely into the charter of this group, of this group, so I think we should share it with everybody else in the group and make sure that the other people, like Melba, can chime in, right, absolutely.

A: Absolutely. By the way, do we have, I think we have a, we have a Google Drive for this thing, don't we? Or no, I think we open one up. Didn't we, an actual Google Drive? For this sake, I.