Making Sense of the New MSC

One of the biggest obstacles facing both current and prospective members of the CTPAT program is new MSC compliance. Across the supply chain industry, there is a lot of confusion about what the term means as well as how to go about fulfilling the requirements, but Veroot is here to help you make sense of CTPAT MSC.

What does MSC Mean?

In 2020, the U.S. Customs and Border Protection (CBP) released a new set of regulations dramatically changing the landscape of the Customs Trade Partnership Against Terrorism (CTPAT) program.

The set of rules that outlines what is required to be a member of the CTPAT program is called the Minimum Security Criteria, or “MSC,” as it is commonly known.  The MSC has always governed the way U.S. companies apply for and maintain CTPAT membership, but the 2020 revision to minimum security guidelines brought with it a significant expansion to program requirements.

The new MSC released in 2020 was a pretty drastic change to the overall program first developed in 2003, but the U.S. needed to stay relevant in the global supply chain landscape. From the introduction of CTPAT in 2003 to the recent overhaul, the world saw massive changes in information technology, a more than 88% increase in overall U.S. imports, and issues with money laundering and human trafficking. So it stands to reason that the rules would need to be rewritten for CTPAT membership to remain meaningful and valuable.

What Changed in 2020?  

Under new guidelines, existing and prospective members must complete a new CTPAT Security Profile to attain membership. Changes to the profile include the addition of 40+ new questions (about 160 total), approximately 20+ supplementary documents, 4 new categories (Upper Management Responsibility, Agricultural Processes, Education/Training & Cybersecurity), and a much stricter Security Profile evaluation and CTPAT acceptance process.

A particular example of the enhanced MSC would be the need to document how your company prevents money laundering across your supply chain.  Under new CBP CTPAT standards, U.S. Customs wants to know what guardrails, trainings, and sign-offs have been put in place to prevent criminal activity as well as how your company disseminates and tracks these notifications.  Another example would be to document the IT policies within your company – and have each employee agree to abide by cybersecurity requirements.

The 2020 Minimum Security Criteria Specifics:

In total, 12 areas of the new MSC need to be addressed to maintain CBP CTPAT compliance:

1. Corporate Security – Security Vision, Upper Management Support & Responsibility
2. Corporate Security – Risk Assessment
3. Corporate Security – Business Partners. 
4. Corporate Security – IT and Cybersecurity
5. Transportation Security – Conveyance and Instruments of International Traffic Security 
6. Transportation Security – Seal Security
7. Transportation Security – Procedural Security
8. Transportation Security – Agricultural Security
9. People and Physical Security– Physical Security
10. People and Physical Security– Physical Access Controls
11. People and Physical Security– Personnel Security
12. People and Physical Security– Education, Training and Awareness

Another huge benefit of the MSC update is that other countries now see the U.S. CBP’s CTPAT program as much more robust.  This means that other countries that use the equivalents to CTPAT called Authorized Economic Operator (“AEO”) or Partners in Protection (“PIP”) programs view the new CTPAT MSC as even more legitimate than previous versions.  In other words, they see the U.S. program as complementary to their AEO/PIP programs and extend latitude and benefits to companies with CTPAT.  This is further promoted with a program called Mutually Recognized Arrangements or MRA – where countries share data and offer reciprocity across border protection programs. 

One of the most significant changes we have seen in the CTPAT program is the CBP’s mandate to do a thorough validation inspection of every participating company to make sure the MSC is truly being followed.  In the early days of CTPAT, companies could just skate along and do the bare minimum and hope for the best.  Now as CTPAT is being taken more seriously from a global perspective, it has become critical to implement and document all required processes and make sure all functionality is in place.

How do I Comply with New MSC Requirements?

• Focus on documentation of CTPAT compliance.
• Keep your eye on renewal dates and ensure your records are up-to-date and ready for SCSS inspection.
• Maintain open lines of communication with vendors and be sure Security Questionnaires are all completed and scored.
• Ensure internal compliance processes are well-established and adhere to the SOPs outlined in your Security Profile.
• Reference the CBP CTPAT website for MSC specifics. Find the official statement on how to complete your new Security Profile here

If you need additional guidance, don’t be afraid to ask! Companies like Veroot exist to make CTPAT compliance less complicated. Whether you are a current member preparing for an annual renewal/revalidation or a prospective CTPAT member preparing your first-ever Security Profile, Veroot has the right solution to help you meet MSC requirements. Check out our CTPAT solutions for more information on how our team can help you achieve your CTPAT goals.