The purpose of the Customs-Trade Partnership Against Terrorism (CTPAT) is to assist businesses in securing their supply chains in an increasingly complex global trade environment. The CTPAT, a program organized by the U.S. Customs and Border Protection (CBP), also strengthens international supply chain security in general while reducing potential threats from terrorism.
In this article, we cover:
- What CTPAT is
- What your business needs to do to join the CTPAT partnership program
- How to maintain your membership of CTPAT following acceptance
- How Certa’s functionality smooths the process of joining CTPAT and remaining in compliance with its requirements
What Is CTPAT?
CTPAT is a supply chain security program with the goal of strengthening America’s border security by encouraging partnership and cooperation between businesses and government agencies.
The practical benefits of the program to companies are:
- Better supply chain security profile: CTPAT’s detailed and specific security criteria and validation procedures help you greatly reduce supply chain risks relating to smuggling, forced labor, theft, and other illegal activities.
- Enhanced supplier collaboration: You get help in encouraging and assisting your third-party suppliers to adhere to CTPAT security requirements to create a more secure and compliant supply chain.
- CBP assistance: You have direct access to CTPAT Supply Chain Security Specialists who provide guidance on best practices and help identify vulnerabilities within your current procedures and workflows.
- Front-of-the-line cargo processing: CTPAT members benefit from Free and Secure Trade (FAST) lanes and reduced wait times at CBP's Centers of Excellence and Expertise. That means fewer inspection delays for your goods. In addition, these centers are often staffed by experts in particular sectors, including pharmaceutical and automotive.
CTPAT shares much in common with the Importer Self Assessment (ISA) program. But while CTPAT focuses on security, ISA is a trade compliance program. Companies with both certifications benefit from the highest level of cooperation and assistance from the CBP.
Many overseas governments have their own version of CTPAT, called Authorized Economic Operator (AEO) programs. The U.S. Government and overseas governments have entered into mutual recognition pacts, which means that CTPAT members benefit from reduced inspection, priority treatment, access to FAST lanes, and cost savings when exporting to or importing from those countries.
How Your Business Can Become CTPAT Certified
To obtain CTPAT certification, you first need to be eligible, and you then need to complete the rigorous application and certification process.
CTPAT eligibility criteria are known as the minimum security criteria (MSC). The MSC vary depending on the type of business you operate. For example, to become a CTPAT importing partner, the criteria you need to meet include:
- Being an active U.S. or non-resident Canadian importer
- Possessing a documented history of importing goods
- Having an active U.S. Importer of Record number
- Holding a valid continuous import bond registered with the CBP
- Having an operational office in the U.S. or Canada
- Being able to evidence your commitment to supply chain resilience and security in addition to your future adherence to CTPAT requirements
- Designating a primary cargo security officer within your company who is responsible for overseeing CTPAT compliance
The other industries with their own list of MSC are:
- Air carriers
- Customs brokers
- Foreign manufacturers
- Highway carriers
- Long-haul highway carriers in Mexico
- Marine port authority and terminal operators
- Rail carriers
- Sea carriers
- Third-party logistics providers (3PL)
Getting Your Certification
To secure CTPAT membership, you must first initiate a risk assessment process within your own company. You need to identify and evaluate the risks you face and plan how you will defend your business against those risks.
Key areas include:
- Mapping cargo flow and identifying business partners: Create a supply chain flow chart to identify third-party risks and your company’s exposure to those risks.
- Conducting a threat assessment: Assess every single organized crime, human smuggling, contraband smuggling, and terrorism risk by country and region. You then need to assess the level of threat from each risk as “high,” “medium,” or “low.”
- Conducting a vulnerability assessment: Discover where current supply chain vulnerabilities are and identify where security could be improved in accordance with the CTPAT Minimum Security Criteria.
- Preparing an action plan and documenting: Outline how your company will address the threats and vulnerabilities you uncovered in the previous two steps.
- Recording how risk assessments are conducted: Document every stage of the risk assessment process, noting how you approached each risk and how you arrived at a conclusion on how you would deal with each one.
You then submit your online application through the CTPAT portal. There are two parts to the application process: the company profile and the security profile.
You first need to complete an online form, and this creates an account for you on the portal.
You provide fairly basic information at this stage like your address and primary CTPAT contact.
Second, you complete a detailed questionnaire referencing your risk assessment and how you perform against the following 12 risk areas:
- Security, vision, and responsibility: The CBP wants to see that compliance is a priority at the most senior levels in your business and that you have communicated it to your employees. Provide evidence of staff training as well as any investment you’ve made in resources and procedures to ensure maximum compliance.
- Risk assessment: Inspectors want to see that you have clearly identified existing supply chain vulnerabilities. They want to know how you’ve assessed what the impact of these risks might be and how you’ve prioritized them. You should pay particular attention to OFAC SDN lists and any involvement with politically exposed persons.
- Business partner requirements: You’ll need to ensure that supply chain business partners are aware of the CTPAT requirements you must follow and expect them to commit to the same in their dealings with you to ensure a secure supply chain.
- Cybersecurity: With the rising threat of cybersecurity attacks, CTPAT inspectors require members to protect their systems against unauthorized access. They also expect you to have procedures in place to monitor for breaches and response plans for each potential type of breach.
- Conveyance and Instruments of International Traffic Security: This refers to safeguards you put in place to guard against unauthorized access to means of transport (like trucks and ships) and means of storage (like containers). Areas to address here include inspecting for integrity at the point of origin, the point of arrival in the U.S., and all other points in transit with respect to seals and locks.
- Seal security: This is closely related to container security but specifically references continuous seal integrity during transit. Areas to address here include applying the correct number of seals, the proper placement of those seals on International Intermodal Transport Units (IITs), and ways to verify that seals have been affixed properly.
- Procedural security: CTPAT members must have written procedures in place for all aspects of their supply chain management. You’ll need to train employees and contractors on the procedures and ensure that they follow them. You need to pay special attention to employees and contractors with access to sensitive areas and information systems.
- Agricultural security: You must put in place measures to stop unauthorized chemical or biological agents from getting into the supply chain across your own business and your wider supply chain.
- Physical security: CTPAT requires you to control access to sensitive areas like cargo, equipment, and facilities. Inspectors will want to see physical barriers like fences or gates and electronic access controls like key cards or biometric scanners. They need assurance that visitors are properly identified and authorized before being granted access.
- Physical access controls: Related to the previous point, this requirement relates to the actual use of physical barriers and electronic access controls.
- Personnel security: As a CTPAT member, you must perform background checks on employees and contractors who have access to information systems and sensitive areas. Background checks include employment history, criminal records, and references. You must have a system in place by which staff can report security issues or suspicious coworker behavior.
- Education, awareness, and training: You need to train staff to recognize security vulnerabilities at each part of the supply chain, providing extra training to those in sensitive positions.
During this process, you’ll have access to a Supply Chain Security Specialist (SCSS) who will review your application to determine whether you meet the minimum standards. They are international trade experts working directly with the Department of Homeland Security (DHS).
When You’re Approved
After passing the tests and inspections required in your application, you’ll be accepted into the CTPAT program.
Your SCSS will contact you to set up site visits to observe your security measures in practice. If they find that your internal operations meet program requirements, you’ll be certified as a Tier II member and have access to the full benefits of the program.
Maintaining CTPAT Trade Compliance as a Member
The CTPAT trade compliance program requires ongoing adherence to the rules, something your SCSS will regularly check.
To stay in the program, your primary cargo security officer (PCSO) should:
- Monitor for changes in minimum security criteria: CTPAT’s MSC regularly change to reflect emerging global supply chain threats. This requires continual risk monitoring internally. When changes do occur, your PCSO should ensure that your company is compliant with these new and additional requirements.
- Conduct regular risk assessments: Your company’s individual risk profile will change as you add and remove suppliers and vendors. Your PCSO will need to monitor individual risks regularly, taking into account information provided by other stakeholders like employees and investors.
- Develop and implement security profiles: Security profiles are the measures your company has put in place to defend against specific risks and vulnerabilities. The security profiles developed by your PCSO should reflect your business’s specific operations and the 12 risk management areas from the initial approval procedure.
- Work closely with your SCSS: Your SCSS is a valuable source of information and insight. Your PCSO should bring them into decision-making as much as possible, especially in areas of concern regarding compliance.
- Train staff regularly: A significant factor in continued compliance is ongoing training and awareness programs for coworkers on their roles. You’ll need to demonstrate a commitment to this and investment in the tools that allow them to execute their responsibilities correctly.