21 Sept 2018
Updated Security Criteria for CTPAT to be Phased in Starting in 2019
U.S. Customs and Border Protection is currently circulating within the trade community draft modifications to the minimum security criteria associated with the Customs Trade Partnership Against Terrorism. CBP is gathering input on the proposed changes through the end of October and plans to implement the final updated MSC under a phased approach throughout fiscal year 2019.
CBP states that this is the first major revision of the MSC since the inception of CTPAT and is designed to modernise and strengthen requirements to more effectively combat evolving supply chain security threats such as the exponential increase in the volume and complexity of trade, the heightened risk of data breaches and cyberattacks, and the continued targeting of global supply chains by terrorists and criminal organisations. Generally, the changes include establishing three focus areas and three new criteria categories, explicitly delineating requirements as “must” or “should” based on risk, and providing guidance on how to combat terrorism financing and money laundering.
An overview of the updated MSC is provided in the following chart.
|Focus Area||MSC Categories||Description|
|Corporate security||Security vision and responsibility (new)||Promote a security vision, integrate security throughout the organisation, establish an audit process, importance and role of the CTPAT point of contact|
|Risk assessment||Complete a comprehensive risk assessment based on a recognised methodology and in line with the MSC|
|Business partner requirements||Select, screen and monitor business partner compliance with MSC, including trade-based money laundering|
|Cybersecurity (new)||Written cybersecurity policies and procedures, protection of IT systems with software and hardware, remote access, personal devices|
|Transportation security||Conveyance and IIT security||Conduct thorough inspections for both security and visible agricultural contamination, driver verification, tracking of conveyances, random searches|
|Seal security||High security seal policy, containers not suitable for sealing, mandated use of the VVTT seal verification process, management audit of seals|
|Procedural security||Document processes relevant to transportation, handling and storage of cargo|
|Agricultural security (new)||Requirements that protect the supply chain from contaminants and pests and the proper use of wood packaging materials|
|People and physical security||Physical access controls||Requirements to prevent, detect or deter unauthorised personnel from gaining access to facilities; expands on the use of security technology|
|Physical security||Positive identification of all employees, visitors and vendors at all points of entry|
|Personnel security||Complete screening, pre-employment verification, background checks, and comply with U.S. immigration laws|
|Security training, threat and awareness||Training on security for all employees, specialised training for employees in sensitive positions, determine if training was effective|
CBP has begun informing affected entities of the proposed changes through webinars, weekly workshops at its field offices and workbooks that outline the updates each type of entity will need to implement. CBP will evaluate feedback received and make any necessary changes to the proposed MSC, which will then be finalised and implemented in the following four phases. In a document submitted to its Commercial Customs Operations Advisory Committee CBP indicated that CTPAT members will not be expected to adhere to the new standards until early 2020.
- Phase 1: cybersecurity, conveyance and IIT security, seal security
- Phase 2: security training, threat and awareness; business partner requirements; risk assessment
- Phase 3: security vision and responsibility, physical security, physical access controls
- Phase 4: agricultural security, personnel security, procedural security