Sharing attestations on software supply chain data that are formed into a policy will give us a framework to interpret risk and develop compliance directives.