U.S. Customs and Border Protection currently released proposed modifications to the Minimum Security Criteria (MSC) for the Customs Trade Partnership Against Terrorism (CTPAT). The updated MSC is the result of a working group which was formed in 2016 under the Customs Commercial Operations Advisory Committee (COAC). CBP is gathering input on the proposed changes through the end of October and plans to implement the changes under a phased approach throughout fiscal year 2019.
CBP states that this is the first major revision of the MSC and its objective is “to ensure that [CTPAT] is reflective of CBP’s overall mission, the current supply chain environment and the threats that the global supply chain faces today”, such as the heightened risk of data breaches and cyber-attacks, the increase in volume and complexity of trade, and the targeting of global supply chains by terrorists and criminal organizations.
An overview of the updated MSC is provided in the following chart.
|Business partner requirements
|Select, screen, and monitor business partner compliance with MSC, including trade-based money laundering
|Written cyber security policies and procedures, protection of IT systems
|A comprehensive risk assessment based on a recognized methodology
|Security vision and responsibility (new)
|Corporate security vision, integration of security awareness throughout the organization, and audit processes
|Agricultural security (new)
|Requirements that protect the supply chain from contaminants and pests
|Conveyance and IT security
|Inspections for both security and visible agricultural contamination, driver verification, and tracking of conveyances
|Processes relevant to transportation, handling and storage of cargo
|High security seal policy, VVTT seal verification process, seal audits
|People and Physical Security
|Screening, pre-employment verification, and background checks
|Physical access controls
|Requirements to prevent, detect, or deter unauthorized personnel from gaining access to facilities; expands on the use of security technology
|Positive identification of all employees, visitors, and vendors at all points of entry
|Security training, threat, and awareness
|Training for all employees as well as specialized training for employees in sensitive positions
The CBP has begun informing all affected organizations of the proposed changes through webinars and workbooks that outline the updates that each type of organization will need to implement. CBP will finalize the MSC based on guidance from CTPAT members and COAC, and then post the new criteria to the CTPAT Minimum Security Criteria and Guidelines webpage.
Changes to the MSC will be implemented in the following four phases.
|Cybersecurity, conveyance and IT security, seal security
|Security training, threat, and awareness; business partner requirements; risk assessment
|Security vision and responsibility, physical security, physical access controls
|Agricultural security, personnel security, procedural security
CBP indicated that CTPAT members will not be expected to adhere to the new standards until early 2020.