Value Chain Risk Institute · 2026 Roadmap

Master Roadmap

Value Chain Risk Institute — Everything We Have Committed To

Last updated: February 2026
32 open items across 7 tracks

This document outlines VCRI's phased commitments and milestones — from pre-launch foundations through platform scale. It reflects what has been built, what is underway, and what comes next.

Tracks: Legal & Licensing · Platform & Engineering · Research Infrastructure · Client Tooling · Marketing & Comms · Government & Partnerships · Documents & Publications

Phase 0 — Pre-Launch · Now · Before Funding Closes
Foundations that must exist before anything else can move

Legal & Licensing

#73
Complete VCRI 501(c)(3) formation — BIZEE order placed · Legal

BIZEE formation order placed 2026-02-26 for Value Chain Risk Institute Limited. Awaiting: articles of incorporation, EIN, registered agent, bylaws, officer designations. Prerequisite before any government agency can make a formal funding commitment.

#61
SCF licensing resolved — Tom Cornelius authorized use · Legal · ✓ DONE

"As long as the SCF is not being made into a derivative and it credits the SCF as being used, then there is no issue." — Tom Cornelius, 2026-02-23. Condition: credit SCF in all publications that reference it (→ #81).

#81
Add SCF credit line to all VCRI publications · Legal · ✓ DONE

Condition of Tom Cornelius authorization: all VCRI documents that reference SCF must credit "Secure Controls Framework (SCF) — securecompliance.org." Attribution added to TechnicalOverview, ISMAP-Alignment, OnePager, Index, and PitchDeck — 2026-03-01.

#62
Resolve IEEE/UL 2933 TIPPSS licensing with Mitch Parker · Legal · ✓ DONE

IEEE/UL 2933 is a paid standard, not open source. CAM methodology is built on TIPPSS. Mitch Parker confirmed authorization 2026-03-01. Separate from logo clearance (#56).

#63
Resolve CMMI proprietary licensing terms with Ed McCabe · Legal

CMMI is proprietary (ISACA). VCRI uses CMM L1–5 as the core scoring scale. Ed McCabe emailed 2026-02-23. Separate from logo authorization (#57).

#56
Call Florence Hudson — IEEE/UL 2933 TIPPSS logo clearance · Legal · ✓ DONE

Authorized 2026-03-01. TIPPSS logo cleared for use in pitch deck and all publications. "Clearance pending" notes removed from all documents.

#57
Confirm Ed McCabe CMMI logo authorization in writing · Legal

Written confirmation to use the CMMI circular globe badge. Logo is live in deck with "clearance pending" note.

Financial Foundations

#78
Complete use-of-funds dollar specifics in MESSAGING-FOUNDATION · Docs

Section 5 of VCRI-MESSAGING-FOUNDATION.md has placeholders for per-phase budgets, staffing titles/roles/start months, CRIBL cost, platform hosting, legal, research allocation, and breakeven timeline. Must be real numbers before fundraising materials are complete.

Relationships

#64
Confirm CRIBL licensing model for non-profit data volume · Legal

Non-profit pricing, per-vendor data volume, whether CRIBL offers a mission-aligned tier or will partner at reduced cost. Open question in CRIBL-INTEGRATION.md.

#65
Verify CRIBL per-vendor data isolation architecture · Platform

Technical confirmation that CRIBL supports the per-vendor logical separation required for VCRI's escrow promise. Separate encryption keys, logical tenancy, no cross-contamination.

#79
Maintain active government engagement — Japan bridge · Government

Active relationship management with in-country contacts facilitating Japanese government introductions. Regular briefings on deck progress and timing for agency-level meetings.

Phase 1 — Foundation · Months 1–6 · Platform Live · First Agency
Platform operational · 1 government agency formally partnered · CRIBL pipeline live

Platform & Engineering — Core IP

#66
Build CRIBL Tool-to-Schema normalization lookup table · Platform

Maps each supported vendor tool (Qualys, Tenable, ServiceNow, Splunk, CrowdStrike, etc.) to a normalized TIPPSS-aligned output schema. Without this, the pipeline cannot ingest data.

#67
Build CRIBL SCF Control Mapping lookup table (core IP) · Platform

Maps {event_type, field_value} → {SCF_control_id, TIPPSS_dimension, asset_category}. The intellectual core of the pipeline. Converts raw telemetry into SCF control evidence.

#68
Build CRIBL Maturity Classification lookup table (core IP) · Platform

Maps {TIPPSS_dimension, SCF_control, evidence_type} → {CMM_level: 1–5}. Translates normalized events into Bronze/Silver/Gold (CMM L1–5) maturity tags for CAM scoring.

#69
Build CRIBL Sensitivity Redaction Rules lookup table · Platform

Fields to mask/hash/drop per tool type before VCRI storage. CVE IDs, internal IPs, hostnames stripped — only risk signal retained. Technical foundation of the "VCRI never stores specific vulnerabilities" escrow promise.

Research Infrastructure

#70
Build Industry Incident Duration database for VCAR formula · Research

VCAR = Process Value × Industry Incident Duration. The duration factor requires a maintained dataset of impairment times by incident type and industry sector. Feeds every dollar-at-risk calculation on the platform.

Documents — Promised but Not Yet Built

#52
Draft VCRI Data Processing Agreement (DPA) template · Docs

Data categories, legal basis, retention, vendor rights (access/delete/portability), breach notification SLA (72h), sub-processor disclosure, Japan data residency. Listed as available in DataSecurity brief.

#53
Write minimum telemetry specification per CAM dimension · Docs

Exact data VCRI requires per TIPPSS dimension × asset class. Data type, format, acceptable sources, minimum frequency. Listed as available in DataSecurity brief.

#54
Create escrow boundary architecture diagram · Docs

Formal diagram showing 4-layer data flow with encryption points, access controls, and what data exists at each layer. Listed as available in DataSecurity brief.

#55
Produce sample vendor audit log report · Docs

Redacted/sample audit log report VCRI can produce for a vendor on request — proving the audit rights commitment. Listed as available in DataSecurity brief.

#58
Draft preliminary pricing framework for VCRI services · Docs

Agency/client-side pricing, vendor participation pricing, founding partner terms. Non-profit framing: pricing covers operations, not profit.

#59
Draft ROI and business case document for procuring agencies · Docs

Cost of NOT having continuous monitoring vs. VCRI annual cost. ISMAP compliance cost reduction. Staff hour savings from eliminating questionnaire programs. Anchored in VCAR methodology.

Government & Partnerships

#49
VCRI × NISC working group — SCF-to-ISMAP control mapping · Government

Briefing with NISC to map SCF control identifiers to specific ISMAP assessment criteria. Produces the authoritative crosswalk for VCRI evidence packages. Tom Cornelius leads.

#80
Execute direct government outreach — primary funding path · Government

Japan ministries/agencies for Asia-Pacific anchor. US: DoD/DHS/CISA. EU: DORA-adjacent. GCC: SAMA/NESA. Schedule briefings, deploy ISMAP brief and pitch deck. Runs in parallel throughout all phases.

Marketing — Highest-ROI Items

#74
Decide on Security Weekly path — sponsored vs organic · Marketing

Security Weekly is now owned by CyberRiskAlliance. A dedicated episode requires a paid sponsorship. Options: (1) Sponsored episode — cost TBD, 160K audience; (2) Organic mentions by Paul in vendor risk mgmt segments (no cost); (3) Use Paul's board role for LinkedIn amplification and direct introductions. Decision: worth sponsoring at this stage?

#75
Upgrade website beyond landing page with full content · Marketing

Deploy OnePager + TechnicalOverview content, resource library (ISMAP brief, DataSecurity brief, pricing), blog section, contact/intake form. Index.html exists; needs hosting at valuechainrisk.org.

#76
Set up LinkedIn — Joshua personal + VCRI org page · Marketing

Joshua personal: thought leadership content strategy. VCRI org page: created and branded. Regular posts on supply chain risk, ISMAP, Kojima/Toyota, milestones.

#77
Outline and draft five foundational blog articles · Marketing

(1) Decay of Truth; (2) Inside-Out vs. Outside-In; (3) Kojima Toyota — supply chain risk made real; (4) What continuous monitoring actually means; (5) Portable Trust — why vendors benefit from transparency.

Phase 2 — Expansion · Months 7–12 · 10 Vendors · First Dashboards
10 vendors from agency ecosystem active · First VCRI dashboards live

Government — Japan Pilot

#50
Pilot one Japanese government agency with 5–10 ICT vendors · Government

Onboard agency + 5–10 of their ICT vendors. Generate first ISMAP-formatted evidence package. This is the anchor deployment promised in the Japan pitch deck.

#51
Engage ISMAP registered assessment orgs to validate evidence package · Government

Formal confirmation from registered ISMAP assessment organizations that VCRI evidence output is accepted as supporting documentation for ISMAP A.15 controls.

Client Tooling

#71
Build BIA templates for client functional system valuation · Client

Structured templates for clients to price their business processes (the "Process Value" input to VCAR). Four types: commercial revenue-generating, commercial revenue-protecting, government direct mission, government indirect mission.

#72
Design Jira and ServiceNow closed-loop remediation integration · Client

VCRI remediation lists sync with vendor ticketing systems for real-time resolution tracking. Integration spec: data fields, direction, access model.

Phase 3 — Scale · Year 2+ · Self-Sustaining · Regional Expansion
Fee revenue covers operations · Research output published · Additional government agencies
#60
Plan SBOM ingestion roadmap for ISMAP A.14 coverage · Platform

Allan Friedman (father of SBOM, VCRI board) leads. Converts ISMAP A.14 System Acquisition from "Roadmap" to "Direct" status. SBOM/HBOM/FBOM ingest feeds CAM software supply chain dimension.

#72·b
Annual refresh of CMM-CAM-MATRIX technology names · Research

Technology names in the 150-cell matrix evolve; CMM levels stay stable. Annual refresh cadence intended per CAM-METHODOLOGY.md. Lee Neely (LLNL) and Mitch Parker are appropriate reviewers.

Ongoing · All Phases · Running in Parallel
Continuous activities that run through all phases
Maintain Industry Incident Duration database · Research

Incident duration norms update continuously from published incident data. VCRI research arm owns this. Feeds every VCAR dollar-at-risk calculation automatically.

Government outreach — Japan, US, additional markets · Government

Primary funding path. Japan: Asia-Pacific anchor. US: DoD/DHS/CISA. EU: DORA-adjacent. GCC: SAMA/NESA. Briefings scheduled on rolling basis using ISMAP brief, pitch deck, ROI doc.

10 Legal & licensing items to resolve
11 Platform, research & tooling builds
11 Documents, marketing & outreach items

Already Completed — Document Package

Executive One-Pager (OnePager.html + PDF)
Technical Overview (TechnicalOverview.html + PDF)
Japan 2026 Pitch Deck (HTML + PPTX + PDF, 11 slides)
Speaker Notes — Japan deck (8 min script, embedded)
ISMAP Alignment Brief (HTML + PDF)
Data Security & Escrow Trust Brief (HTML + PDF)
CAM Methodology Reference (internal)
CRIBL Integration Spec (internal)
Greeks Scoring Rubric (internal)
CMM-CAM Matrix (150-cell reference)
Board & Leadership Roster (all 8 named)
Messaging Foundation (identity locked)
SCF licensing cleared — Tom Cornelius authorized (2026-02-23)
TIPPSS/IEEE/UL 2933 licensing cleared — Mitch Parker authorized (2026-03-01)
SCF attribution added to all publications (2026-03-01)

Secure the Value, Not Just the Network. · ValueChainRisk.org

Contact: info@valuechainrisk.org