CBP Releases Proposed Updates to Minimum Security Criteria for CTPAT

U.S. Customs and Border Protection (CBP) has released proposed modifications to the Minimum Security Criteria (MSC) for the Customs Trade Partnership Against Terrorism (CTPAT). The updated MSC is the result of a working group that was formed in 2016 under the Customs Commercial Operations Advisory Committee (COAC). CBP is gathering input on the proposed changes through the end of October and plans to implement the changes under a phased approach throughout fiscal year 2019.

CBP states that this is the first major revision of the MSC and its objective is “to ensure that [CTPAT] is reflective of CBP’s overall mission, the current supply chain environment and the threats that the global supply chain faces today”, such as the heightened risk of data breaches and cyber-attacks, the increase in volume and complexity of trade, and the targeting of global supply chains by terrorists and criminal organizations.

An overview of the updated MSC is provided in the following chart.

| Focus Area | MSC Category | Description |
| --- | --- | --- |
| Corporate Security | Business partner requirements | Select, screen, and monitor business partner compliance with MSC, including trade-based money laundering |
| Corporate Security | Cybersecurity (new) | Written cyber security policies and procedures, protection of IT systems |
| Corporate Security | Risk assessment | A comprehensive risk assessment based on a recognized methodology |
| Corporate Security | Security vision and responsibility (new) | Corporate security vision, integration of security awareness throughout the organization, and audit processes |
| Transportation Security | Agricultural security (new) | Requirements that protect the supply chain from contaminants and pests |
| Transportation Security | Conveyance and IT security | Inspections for both security and visible agricultural contamination, driver verification, and tracking of conveyances |
| Transportation Security | Procedural security | Processes relevant to transportation, handling and storage of cargo |
| Transportation Security | Seal security | High security seal policy, VVTT seal verification process, seal audits |
| People and Physical Security | Personnel security | Screening, pre-employment verification, and background checks |
| People and Physical Security | Physical access controls | Requirements to prevent, detect, or deter unauthorized personnel from gaining access to facilities; expands on the use of security technology |
| People and Physical Security | Physical security | Positive identification of all employees, visitors, and vendors at all points of entry |
| People and Physical Security | Security training, threat, and awareness | Training for all employees as well as specialized training for employees in sensitive positions |

CBP has begun informing all affected organizations of the proposed changes through webinars and workbooks that outline the updates each type of organization will need to implement. CBP will finalize the MSC based on guidance from CTPAT members and COAC, and then post the new criteria to the CTPAT Minimum Security Criteria and Guidelines webpage.

Changes to the MSC will be implemented in the following four phases.

| Phase | Focus Area |
| --- | --- |
| Phase 1 | Cybersecurity, conveyance and IT security, seal security |
| Phase 2 | Security training, threat, and awareness; business partner requirements; risk assessment |
| Phase 3 | Security vision and responsibility, physical security, physical access controls |
| Phase 4 | Agricultural security, personnel security, procedural security |

CBP indicated that CTPAT members will not be expected to adhere to the new standards until early 2020.