How to Build a Rock-Solid CTPAT Maintenance Strategy

So…you have decided you want to be a member of the CTPAT program. Perhaps a client is requesting it – or maybe you just want to prevent shipping delays, limit inspections, and take advantage of the many other valuable reasons first-timers seek certification. You’ve wrapped your head around all the criteria you need to meet to be approved. Sure, it’s an undertaking, but you know it will be worth it in the end.

*But* at this point in the process, it’s important to stop and ask yourself just one more question: “Once I’m a validated member of the program…what’s the plan to maintain it?”

One of the biggest hurdles companies face when it comes to CTPAT is underestimating the planning, time, and resources it will take to maintain their membership in good standing once their Security Profile has been approved. In this article, Veroot walks you through how to build a rock-solid maintenance strategy that meets (and exceeds!) CTPAT requirements.

PLAY THE COMPLIANCE LONG GAME

To participate in the CTPAT program, there is a defined set of requirements that CBP expects members to complete regularly. Companies are held accountable by their assigned Supply Chain Security Specialist (SCSS) who does a compliance review on an annual basis, but a much more in-depth audit every 2-4 years called a CTPAT Validation. At the time of the validation, your SCSS will expect to see detailed records of consistent compliance with CTPAT requirements extending back to your last validation (or acceptance into the program).

When you’re considering what it will take for your organization to manage CTPAT internally, the first rule of thumb should be to always think long-term and develop a system. Getting in a compliance rhythm from the very beginning and establishing a cadence for follow-up on all components that will eventually be reviewed by your SCSS is critical. This is the main reason that Veroot clients asked us to develop an automated software system to help track all these milestones as well as provide reminders when tasks are due so that members aren’t stressed out the next time re-validation comes around. 

LET THE MINIMUM SECURITY CRITERIA BE YOUR GUIDE

As a rule, your program maintenance strategy should be centered around the items included in the 2020 Minimum Security Criteria (MSC). These regulations will be used by your SCSS as the benchmarks for compliance during your evaluations moving forward.

If you are new to CTPAT MSC (or simply need a refresher on the latest updates), we put together a nice overview of the components here: Making Sense of the New MSC

However, for today’s purpose of creating a CTPAT management strategy, we’ve included a high-level list of the major MSC topics and each of their unique components below, along with links to articles across our site that cover many of the subjects in greater detail.

Ultimately, making sure you have a maintenance process to address each aspect of the MSC will save a lot of headaches when audit time rolls around.

1. RISK ASSESSMENT

• Components:
  • Security Risk Assessment of International Supply Chain(s)
  • Conduct Internal and /or External Audits to evaluate CTPAT compliance 
  • Evaluate results of Risk Assessment and Audits (Including identified security weaknesses)
  • Implement a Corrective Action Plan Process to eliminate any identified security weaknesses in the supply chain(s)
• Helpful Veroot Links:
  • CTPAT Virtual Validation: What to Expect & How to Prep
  • How to Conduct a 5-Step Risk Assessment
  • The Ultimate Guide to Building a CTPAT Cargo Map

2. BUSINESS PARTNER REQUIREMENTS

• Components:
  • Implement procedures for the Selection and Screening of Business Partners
  • Verify Business Partners’ Security Protocols and compliance with CTPAT (Use a Security Questionnaire)
  • Log Status of Business Partners (CTPAT Certified or AEO Certified)
  • Outline SOPs for business partners who are not currently CTPAT or AEO-certified
  • Conduct periodic outreach, audits, and annual questionnaires
• Helpful Veroot Links:
  • Answered: Your Top 5 FAQs About CTPAT Security Questionnaires
  • How AEO, MRA & CTPAT Fit Together for Global Supply Chain Security
  • Customs Broker Q&A: How to Meet CTPAT Client Outreach Requirements

3. CONTAINER/TRAILER SECURITY

• Components:
  • Make sure Pre-Load Security Inspections are taking place
  • Educate your team and business partners on Agricultural Compliance
  • Container Loading & Seals (Security Protocols & Compliance) 
  • Container / Shipment Tracking & Monitoring
  • Log Container / Cargo / Seal Discrepancies (Including Security Breaches)
  • Update Law Enforcement Notification Protocols & Policy
• Helpful Veroot Links:
  • CTPAT Agricultural Security Requirements: Top 8 FAQ
  • CTPAT Container Inspection Form (Download)

4. PROCEDURAL SECURITY

• Components:
  • Document Shipment Methods
  • Document Manifesting Procedures
  • Cargo Verification & Discrepancy Protocols
  • Law Enforcement Notification Protocols & Policy
• Helpful Veroot Links:
  • The Ultimate Guide to Building a CTPAT Cargo Map

5. PHYSICAL SECURITY

• Components:
  • Checklists to ensure the security of the fencing/perimeter, gates, and gatehouses, building structure, locking devices / key controls, as well as confirm all lighting is functional and working
  • Alarms Systems and Video Surveillance Cameras / Monitoring
  • If you have distributed locations, you will want to conduct Facility Inspections, either by on-site visit or with a questionnaire designed to confirm the facility is secure
• Helpful Veroot Links:
  • Cameras for CTPAT Physical Security

6. PHYSICAL ACCESS CONTROLS

• Components:
  • Ensure the Employee Identification System is updated and effective
  • Implement Visitor Controls
  • Train on the proper intake of Shipping and deliveries (Including mail)
  • Build and enforce a policy for changing/removing unidentified or unauthorized persons from the premises
• Helpful Veroot Links:
  • The Total Guide to CTPAT Visitor Management Protocol

7. PERSONNEL SECURITY

• Components:
  • Conduct pre-employment screening and verification
  • Decide if background checks/ periodic investigations are required (and for whom)
  • Update Personnel Termination Procedures

8. SECURITY TRAINING/THREAT AWARENESS

• Components:
  • Develop a Threat Awareness Program
  • Conduct Security Training (CTPAT Employee Training on Security Breach Reporting Protocols and policies)
• Helpful Veroot Links:
  • CTPAT Training & Security Awareness 101
  • Understanding CTPAT Social Compliance Policies

9. INFORMATION TECHNOLOGY SECURITY

• Components:
  • Update Company IT Policy
  • Implement IT Training
  • Ensure password protection protocols are in place
  • Establish an accountability system to monitor IT for breaches and/or identify employee misuse

CONSIDER THE X-FACTORS

In many cases, having proper building security, visitor management, and well-defined personnel security is standard practice for the average business. But at the other end of the CTPAT management spectrum, you have your “X-Factor” criteria. Those include items like Risk Assessment, Business Partner Requirements, Container/Trailer Inspection, and Security Training/Threat Awareness. These may vary widely from company to company based on your role. You are responsible for creating documented processes for each of these areas and providing your SCSS with proof that you are following the procedures you’ve outlined. The difference with this category is that they involve taking responsibility for variables involved in your supply chain through things like education, monitoring, evaluation, and sometimes correction of compliance procedures.

Below are some of the key items to consider when evaluating the impact each component will have on your CTPAT management plan:

RISK ASSESSMENT

• Number of countries/regions from which you import goods
• Perceived threat level and special considerations from CBP for each country/region
• Make sure to classify their risk on a threat map

BUSINESS PARTNER REQUIREMENTS

• Number of business partners – suppliers/manufacturers, brokers, carriers, etc.
• Number of additional third parties involved in your supply chain

CONTAINER/TRAILER SECURITY

• Number of containers you are responsible for inspecting
• Sites where inspections take place
• Parties involved in the inspection process
• Logistics of training and education for all personnel involved in the inspection process

SECURITY TRAINING/THREAT AWARENESS

• Security Training/Threat Awareness curriculum
• Number of business partners to train
• Number of employees to train
• Distribution to business partners and employees along with their confirmed acceptance of implementing the training.

Once you map out the basics for each section, step back and evaluate the complexity of executing them internally. How many points of contact will you be dealing with? How will you stay on top of communication? Who will be responsible? What info sources/external resources will you need?

CREATE A GAME PLAN

Now it’s time to execute. Choosing a methodology for managing CTPAT the right way comes down to two things: internal capacity and workload. Make sure that the method you choose leverages your time reuses your efforts, and makes CTPAT maintenance a breeze. A good workflow program or electronic database is extraordinarily helpful in keeping this all organized and easy to demonstrate your work from previous years. 

SUMMARY

We hope this information helps you build a strategy for managing your CTPAT program in a way that is both sustainable and compliant with MSC requirements – but if any part of the plan feels unclear, Veroot is here to help. Our CTPAT Software helps hundreds of companies automate all the components of CTPAT maintenance we detailed above, and our team of highly experienced consultants is available to help develop a customized program management game plan that makes the most sense for your organization. Get started today!