CTPAT Minimum Security Requirements for Importers: Corporate Security

1. Corporate Security
2. People and Physical Security
3. Transportation Security

At Veroot, we are subject matter experts in obtaining and keeping CTPAT certification. And we’re here to help you understand CTPAT requirements for foreign manufacturers in a three-part series. This post focuses on corporate security in general, and parts two and three will dive deeper into two categories of corporate security: risk assessment and business partners, respectively.

To better understand the MSC for foreign manufacturers, we’ll first discuss the CTPAT program before moving into the four criteria categories of corporate security that foreign manufacturers need to meet to earn and keep their certification. In addition, we’ll touch on people and physical security and transportation security as well as how foreign manufacturers can utilize CTPAT management software to seamlessly manage their CTPAT certification and renewals

What Is the CTPAT Program?

The CTPAT program came about after the 9/11 terrorist attacks and is an effort to strengthen border security and facilitate global trade. It is a mutually beneficial, ongoing relationship between CBP and importers that is built on knowledge and trust. Importers that receive CTPAT certification receive numerous benefits, including:

• Reduced number of CBP examinations
• Skipping the line for inspections
• Shorter border wait times
• An assigned supply chain security specialist
• Free and Secure Trade (FAST) access to lanes at the land borders

There are certain eligibility requirements for CTPAT membership, but it is generally open to those in the trade community, including air carriers, foreign manufacturers, importers, rail and sea carriers, and 3PLs, among others, who can demonstrate their experience and commitment to supply chain security excellence. Some of the requirements for foreign manufacturers specifically include:

• Being an active manufacturer incorporated in Mexico or Canada
• Having an active U.S. Customs and Border Protection Manufacturer Identification (MID) Number
• Completing a supply chain security profile in the CTPAT Portal, and uploading required evidence to prove how they meet and maintain the program’s MSC for foreign manufacturers

Each type of business entity has specific minimum criteria that they need to meet. Given that the CTPAT program was founded based on border security, it only makes sense that corporate security is the first focus area in the MSC for importers.

Minimum Security Requirements: Corporate Security

For each focus area in the MSC, CBP provides criteria, implementation guidance, and whether it is a “should” or “must” be completed. Click here for the most recent detailed criteria from CBP.

Security Vision & Responsibility

Senior leaders at a given foreign manufacturing company must be fully committed to its supply chain security. It should be prioritized by leadership and part of the company culture, with an emphasis that it is everyone’s responsibility. In addition, a written review component is required to ensure that employees are indeed following the company’s security policies. A rock-solid security vision permeates everything the company does and is easily identified and followed by each employee. To confirm this engagement, the CBP wants to see a “Statement of Support” that is submitted with the Security Profile (or Annual Review) and is signed by the executive staff pledging to maintain the CTPAT MSC.

Risk Assessment

With the threat of terrorist groups and criminal organizations targeting supply chains around the world, it’s no wonder that one of the annual CTPAT requirements for importers is a risk assessment, used to assess existing and potential exposure to these evolving threats. There are many factors that CTPAT importers need to consider when determining risk within their supply chains, including its business model, geographic location of suppliers, and other aspects that may be unique to its specific supply chain. Importers need to identify threats, assess risks, and incorporate sustainable measures to mitigate these vulnerabilities.

Typically the external risk assessment takes the form of a “Risk Map” which can be a visual map, diagram, or spreadsheet that plots the risk across the various regions served by the manufacturer. Having accurate information on each region is part of the challenge of this effort, and is why many manufacturers leverage outside help in this area. The exercise helps the company identify “hotspots,” and more importantly aligns all stakeholders to potential risks incurred by operating certain locations.

An internal risk assessment is also a requirement. This is usually a document that outlines all the measures a company puts in place to maintain security at the office and warehouse level, and identifies gaps that exist

Business Partners

As is the case with most companies, importers likely have business partners, both domestic and international. Not only does the potential CTPAT member need to ensure they are following secure supply chain practices, but its partners need to as well. Business partners include those involved in the document preparation, facilitation, handling, storage, and/or movement of cargo of a CTPAT importer or exporter member. If a member happens to outsource any part of its supply chain, it must ensure that these partners have stringent security measures in place. Some ways to do this include conducting:

• An onsite audit
• A security questionnaire

The security questionnaire is the most common device used to judge a partner’s adherence to the MSC. Although the format of a security questionnaire varies greatly, it usually contains anywhere from 50 to 100 questions related to overall security encompassing the 12 sections of the CTPAT MSC. After receiving a questionnaire, the goal is to be able to assess a partner’s fitness to perform security functions related to documenting or handling cargo.

Business partners add an extra layer of complexity to the risk analysis equation. As long as they meet or exceed the minimum CBP requirements, there will likely be no issues for the potential CTPAT member. If red flags are raised, some steps can be taken to rectify them.

Cybersecurity

You’re likely no stranger to cybersecurity. It has and can affect businesses of any type and size. Today’s definition of terrorism now includes various types of cybercrime, making cybersecurity requirements no surprise for becoming a CTPAT member. The first step is getting comprehensive cybersecurity policies and procedures in place — and committing to reviewing and updating them regularly (if necessary). This focus area also addresses the proper securing of IT systems — working remotely, cyber policies, cyber inventory, and backing up data. CTPAT requires organizations to take several measures to mitigate the risk of a cybersecurity breach.

Additional Focus Areas

Of equal importance to corporate security are the second and third focus areas of the MSC for foreign manufacturers: people and physical security and transportation security.

People and Physical Security

The need for physical security varies by organization, but when you’re a manufacturer that handles cargo, sensitive equipment, and/or information daily, some basic security measures need to be in place. Physical barriers and deterrents are needed to ensure unauthorized individuals do not gain access to confidential information and equipment. The “people” portion of this criteria refers to the human resource force at a given organization. People who are involved in shipping, receiving, driving, and security must be reliable and trustworthy, making thorough pre-employment verification and employee screenings crucial.

Practical applications of physical security include:

• Making sure people cannot access offices or cargo storage without a key/keycard/keycode, or first checking in with a supervisor.
• Checking visitor IDs and keeping a log of all visitors.
• Verifying that all alarms, cameras, and other security equipment are working properly.
• Training all employees on what to do if an unfamiliar person enters the building and tries to gain access.
• Criminal background checks on all associates.
• Other ways to prohibit access to cargo and shipment information without proper vetting.

Transportation Security

Breaches in supply chains occur most often during the transportation process, which is why these key cargo criteria must be upheld by CTPAT members.

• Instruments of International Traffic (typically containers or trailers)
• Seal Security
• Procedural Security
• Agricultural Security

Making sure your company has policies in place for each one of these areas is critical since employees and business partners must be able to fully understand your Standard Operating Procedures.

Your Guide Through the CTPAT Certification & Renewal Process: CTPAT Management Software

If you’re a bit overwhelmed after reading through the CTPAT requirements for importers, you’re not alone. Even if you’re already doing most of the MSC requirements, documenting them can be complex and time-intensive. The good news is, we’re here to help. Our team of CTPAT consultants and CTPAT management software could be the resources you need to earn that coveted CTPAT certification.

With our CTPAT management software, you can automate the entire compliance process, saving your team precious time and effort. Other benefits you’ll see include:

• Storing all CTPAT-related data in one location
• Sending, tracking, and managing everything from a single dashboard, including security questionnaires and audit documentation
• Real-time data collection allows you to receive partner data as it comes in, making this part of the risk assessment much more seamless
• Vendor portals allow you to easily manage business partners’ CTPAT compliance and action plans if necessary

After you’ve become CTPAT certified, the Veroot software doesn’t stop working for you. Each year, you are required to maintain your CTPAT certification and will likely be audited by CBP. Easily show your proof of compliance anytime, anywhere, with our software. In addition, Veroot customers save an average of 85%-90% of the time they used to spend managing their CTPAT membership the old-fashioned way. Part of this maintenance includes CTPAT training. Some of the reasons your organization would need CTPAT training include meeting the requirements in Section 12 of the MSC, keeping up with evolving regulations, and general ongoing education. Training your employees, business partners, and leadership ensures you’re all well aware of the CTPAT minimum security criteria and that your certification is of utmost importance to the organization. Whether you need video training, instructional video creation, or branded training documents, Veroot’s CTPAT training service can take the load off you.

As a foreign manufacturer, being able to show your current and prospective customers that you’re committed to becoming CTPAT certified builds trust, improves your brand, and strengthens the global supply chain. Don’t let the minimum security requirements overwhelm you. Veroot is here to make CTPAT compliance less complicated and we’d love to help. Get in touch today.