It's putting the responsibility on the party most capable and interested in evaluating the packages for security.