CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM

Transcription

1 CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM 1. What is C-TPAT? (a) The C-TPAT (Customs -Trade Partnership Against Terrorism) is a voluntary United States Customs and Border Protection (CBP) business initiative designed to build cooperative relationships that strengthen overall supply chain and border security. (b) The C-TPAT initiative recognizes that CBP can provide the highest level of security to the public and to other stakeholders only through close cooperation with the ultimate owners of the supply chain: importers, carriers, brokers, warehouse operators and manufacturers. (c) Through this initiative, Customs is asking businesses to ensure the integrity of their security practices and communicate their security guidelines to their business partners within the supply chain. 2. C-TPAT Objectives (a) CBP recognizes that a safe and secure supply chain is the most critical part of its work in keeping the U.S. safe. For this reason, CBP is seeking a strong anti-terrorism partnership with the trade community through C-TPAT. Trade partners will have a commitment to both trade security and trade compliance, which are rooted in the same business practices. CBP wants to work closely with companies whose good business practices ensure supply chain security and compliance with trade laws. 3. Who is Eligible for C-TPAT? (a) Currently, open enrollment for C-TPAT is available for the following business types related to the U.S. import supply chain cargo handling and movement: (i) (ii) (iii) (iv) (v) (vi) (vii) U.S. Importers of record U.S./Canada Highway Carriers U.S./Mexico Highway Carriers Rail Carriers Sea Carriers Air Carriers U.S. Marine Port Authority/Terminal Operators (viii) U.S. Air Freight Consolidators, Ocean Transportation Intermediaries and Non-Vessel Operating Common Carriers (NVOCC) (ix) Mexican manufacturers

2 (x) Certain Invited Foreign Manufacturers 4. Licensed U.S. Customs Brokers (a) Utilizing risk management principles, C-TPAT seeks to enroll compliant low-risk companies who are directly responsible for importing, transporting, and coordinating commercial import cargo into the United States. The goal is to identify compliant trusted import traders who have good supply chain security procedures and controls to reduce screening of their imported cargo. In turn, this enables CBP to focus screening efforts on import cargo transactions involving unknown or high-risk import traders. CBP will be consulting with the trade community to develop the most effective approach for each sector to participate in C-TPAT. 5. The Application Process (a) Businesses must apply to participate in C-TPAT. Participants complete an online electronic application on that includes submission of corporate information, a supply chain security profile, and an acknowledgement of an agreement to voluntarily participate. (b) In completing the supply chain security profile, companies must conduct a comprehensive self-assessment of their supply chain security procedures using the C-TPAT security criteria or guidelines jointly developed by CBP and the trade community for their specific enrollment category. The criteria or guidelines, available for review in this section and on the CBP website, encompass the following areas: follow. (i) (ii) (iii) (iv) (v) (vi) (vii) (viii) (ix) (x) Business Partner Requirements, Procedural Security, Physical Security, Personnel Security, Education and Training, Access Controls, Manifest Procedures, Information Security, and Conveyance Security. See C-TPAT Online Application Instructions on the pages that (c) Upon satisfactory completion of the C-TPAT Online application and supply chain security profile, participants will be assigned a CBP C-TPAT Supply Chain

3 Security Specialist (SCSS). A SCSS will contact the participant to begin the C-TPAT validation process. 6. The Benefits of Participation in C-TPAT (a) C-TPAT offers trade-related businesses an opportunity to play an active role in the war against terrorism. By participating in this first worldwide supply chain security initiative, companies will ensure a more secure and expeditious supply chain for their employees, suppliers and customers. Beyond these essential security benefits, CBP will offer benefits to certain certified C-TPAT member categories, including: (b) A reduced number of CBP inspections (reduced border delay times). (c) Priority processing for CBP inspections. (Front of the Line processing for inspections when possible.) (d) Assignment of a C-TPAT Supply Chain Security Specialist (SCSS) who will work with the company to validate and enhance security throughout the company s international supply chain. (e) Potential eligibility for CBP Importer Self-Assessment program (ISA) with an emphasis on self-policing, not CBP audits. (f) Eligibility to attend C-TPAT supply chain security training seminars. (g) It is clear that security issues will play an ever more important role in international trade logistics. Today s voluntary programs may become mandatory programs in the future. Many companies recognize that participation in C-TPAT is part of a best practices approach to achieving leadership in their industry. 7. How the Partnership Works (a) CBP C-TPAT account managers will contact participants to begin joint work on establishing or updating account action plans to reflect C-TPAT commitments. (b) Action plans will track participants progress in making security improvements, communicating C-TPAT criteria or guidelines to business partners, and establishing improved security relationships with other companies. Failure to meet C-TPAT commitments will result in suspension of C-TPAT benefits. Benefits will be reinstated upon correcting deficiencies in compliance and/or security. 8. Confidentiality of Data (a) CBP has stated that all information on supply chain security submitted by companies applying for the C-TPAT program will be confidential. CBP will not disclose a company s participation in C-TPAT. 9. C-TPAT Costs of Participation

4 (a) Firstly, C-TPAT participation is voluntary. Secondly, CBP recognizes that not all companies are in a position to meet C-TPAT minimum security criteria or guidelines. All eligible companies that import into the U.S. or provide import cargo movement or handling services should assess their supply chain security procedures to determine if they can qualify. CBP intent is to not impose security requirements that will be cost prohibitive. For this reason, CBP has worked in concert with the trade community in developing security criteria and guidelines that reflect a realistic business perspective. Potential C-TPAT participants may find that they already have many of these guidelines in place. (b) That said, enhanced security and C-TPAT participation will cost money. Also, those firms that have historically had few or no security guidelines in place will find that there will be added costs of getting up to speed organizationally. C-TPAT is also not intended to create any new liabilities for companies beyond existing trade laws and regulations. However, joining C-TPAT will commit companies to follow through on actions specified in the signed agreement. These actions include self-assessing security systems, submitting security questionnaires, developing security enhancement plans, and communicating C-TPAT guidelines to companies in the supply chain. If a company fails to uphold its C-TPAT commitments, CBP would take action to suspend benefits or cancel participation. 10. Viability for Small- and Medium-Sized Companies (a) Initially, it was mostly large companies that rely heavily on international supply chains that applied and became active participants in the program. (b) CBP, however, encourages all companies to take an active role in promoting supply chain and border security. In that regard, C-TPAT is not just a big-company program. Medium and small companies should evaluate the requirements and benefits of C- TPAT carefully in deciding whether to apply for the program. Moreover, even without official participation in C-TPAT, companies should still consider employing C-TPAT guidelines in their security practices. 11. Must vs. Should (a) Note that C-TPAT Security Criteria and Security Guidelines use the words must and should a great deal. These words have specific, yet logical and intuitive meanings. Must means that it is a requirement. A business will not achieve program participation status unless the requirement is met. Should means that while the procedure is likely considered to be an industry best practice it is not necessarily a requirement for program participation. (b) Businesses can anticipate, however, that over time, more shoulds will become musts. many Web sites use the protocol to obtain confidential user information, such as credit card numbers. To access the C-TPAT Security Link Portal: 12. Recommendations vs. Guidelines vs. Criteria (a) The C-TPAT program has continued to evolve. When the program was first established, CBP issued what were called Security Recommendations. These Recommendations evolved into Security Guidelines.

5 (b) In late October 2004, CBP, in discussion with the trade community, began drafting more clearly-defined, minimum-security criteria for businesses wishing to participate in the C-TPAT program. After months of dialogue, CBP developed minimum-security criteria designed to accomplish two important goals: first, to offer flexibility for accommodating the diverse business models represented within the international supply chain; and second, to achieve CBP s twin goals of security and facilitation. (c) Security Criteria are now the established minimum security requirements for participation in the C-TPAT program. Security Criteria have been established for: Importers, Rail Carriers, Foreign Manufacturers, Highway Carriers and Sea Carriers. For other groups, the Security Guidelines remain in effect. 13. Supply Chain Security Best Practices Catalog (a) On March 9, 2006, the U.S. Customs and Border Protection issued its long-awaited Supply Chain Security Best Practices Catalog. This is a 56-page booklet that is organized based on C-TPAT Security Criteria. The best practices included in the catalog are those that have been identified through more than 1,400 validations and site visits by CBP C- TPAT Supply Chain Security Specialists (SCSS). Best Practices are defined as: (i) (ii) (iii) (iv) (v) Security measures that exceed the C-TPAT Security Cri-teria, Incorporate management support, Have written policies and practices that govern their use, Employ a system of checks and balances, and Have measures in place to ensure continuity. (b) I he catalog is essentially a statement of what CBP considers to be practices that will meet or exceed its Security Criteria, and has therefore become very popular in the industry. Available online at: commercial_enforcement/ctpat/ctpat_best_practices.ctt/ctpat_best_practices.pdf. 14. C-TPAT Security Link Portal (a) The C-TPAT Security Link Portal is a secure, full-service, Internet web portal that will allow qualifying C-TPAT participants to: 15. Enter new applications. (a) Instantly submit information updates and add new information. (b) Maintain a living Supply Chain Security Profile that can be updated as needed and must be updated and recertified on a yearly basis.

6 (c) Communicate directly with CBP C-TPAT and/or their designated C-TPAT Supply Chain Security Specialists using a secure system. (d) Receive information directly from CBP to include cargo security alerts and sanitized intelligence information. 16. Maintain a list of authorized users. (a) All C-TPAT participants will be required to use the C-TPAT Security Link Portal to ensure that all company information and Supply Security Profile information is accurate and complete. C-TPAT participants and certified members will be required to enter, update, and maintain several key fields of information to assist in the verification of program eligibility. This includes the posting of current C-TPAT Supply Chain Security Profile and business profile information. CBP is using 128 bit Secure Sockets Layer (SSL) encryption. SSL uses a system that uses two keys to encrypt data. Both Netscape Navigator and Internet Explorer support SSL, and partners. Each party must have consented to the release of their company name among the C-TPAT membership. The SVI is the point of electronic access to verify the C-TPAT status of another Status Verification Interface Participant (SVIP). (b) Go to: For information on the C-TPAT Security Link Portal, visit the C- TPAT web page at: enforcement/ctpat/ (c) Go to the Status Verification section to Generate an SVI. (d) Read and accept the Consent to Use Company Name terms and conditions that appear on the introductory screen for the SVI. Active acceptance of the Agreement (i.e., selecting the I Accept box) will be required to access the SVI. (e) For more information on the C-TPAT Security Link Portal, go to: commercial_enforcement/ctpat/implement_portal. 17. C-TPAT Status Verification Interface (SVI) (a) As stated in the C-TPAT Security Criteria, Certified C-TPAT partners need to verify the participation status of other eligible C-TPAT business partners. To address this need, CBP has created the Status Verification Interface (SVI). The SVI allows consenting certified C-TPAT partners to verify the participation status of other consenting certified C-TPAT Access to the C-TPAT SVI is now found in the C-TPAT Security Link Portal. SVI Access is granted to certified C-TPAT partners who meet the specific SVIP criteria. To quality as a SVIP, participants must have: (b) (c) Access to the Internet C-TPAT Security Link Portal; Achieved certification status as a C-TPAT participant; (d) Generated an SVI alpha-numeric status identification number (ID) in the C-TPAT Security Link Portal;

7 (e) Accepted the terms of the electronic C-TPAT CONSENT TO USE COMPANY NAME form found in the C-TPAT Security Link Portal. (f) For SVI instructions, frequently asked questions, SVI fact sheet and/or access to the SVI interface go to: xp/cgov/import/commercial enforcementyctpat/svi. (g) For More Information on C-TPAT (h) For ongoing information and updates on the C-TPAT program, go to the U.S. Customs and Border Protection Web site at C-TPAT Online Application Instructions (a) For important instructions for submitting an online C-TPAT application go to: enforcement/ctpat/online app/ and select Instructions for Completing the C-TPAT Online Application. The Online Application itself can be found at: Part 1 Summary 1. Complete the Company Profile information 2. Read and Agree to the terms of the C-TPAT Agreement to Voluntarily Participate. 3. Save your submission. 4. Wait for an confirming your submission and granting C-TPAT Security Link Portal access using a temporary password. 5. Note: Companies will have 60 days to complete their Online C-TPAT Application using the C-TPAT Security Link Portal. Part 2 Summary 1. Login to the C-TPAT Security Link Portal using your address and temporary password. 2. Change your Temporary Password. 3. Complete the structured Online Supply Chain Security Profile 4. Save your Security Profile submission. 5. Note: Companies will have 60 days to complete their Online Application using the C-TPAT Security Link Portal. Part 1

8 1. Select/verify your C-TPAT Business Type and click Next. The Application Exception Token field is reserved for future use and does not apply to most applicants. 2. Enter/verify your C-TPAT Business Code and click Next. You may select Cancel Profile at any point in the process to stop your application submission. 3. Enter/verify your Company Name, and click Next. 4. Enter/verify your complete Company Physical Address and Mailing Address if applicable, and click Next. 5. Select the term that best describes Company s Owner- ship Type, Years in Business range, and Number of Employees range, and click Next. 6. Select Add Contact to enter Company Points of Contact (POC). 7. Enter Company Points of Contact (POC). You must enter at least one (1) company officer as a contact. They do not have to be the primary POC. Consultants/Contractors may be entered as an alternate POC with additional information required. The Primary POC must be a Company Employee and is designated by checking the POC field. Select the contact type. 8. Use Add Contact to enter additional company Points of Contact (POC). 9. You may add an unlimited number of POC. Select the contact type. 10. Warning: Each POC you add will have access to your C-TPAT Security Link web portal information and can change information. 11. Be sure to limit your C-TPAT Security Link Portal POC access to those personnel that are part of your company s C-TPAT program management team. 12. Enter Company Identification (ID) numbers. 13. The ID fields vary according to your Business Type. 14. Review/verify the summary of company information. 15. Read/review the Online C-TPAT Agreement for your Business Type. 16. If you accept the Online C-TPAT Agreement and wish to continue with your application, Click I Agree. 17. You will receive an with instructions on how to Login and continue with your application. Part 2 1. Initial Portal Login, Change Password

9 2. The User Name is the user s address that was provided to the C-TPAT program. 3. The Password will be the Temporary Password that is sent to you via after successful completion of Part 1 of the C-TPAT Online Application. 4. First time Users will be required to Change their Tempo- rary password. 5. Users with Expired Passwords will be required to Change their old password. Passwords will expire every 90 days. 6. If the User is designated as a Company Contact for more than one company, a list of companies will appear. The User must select the company name and click continue to proceed. 7. Review Home Screen Fields. 8. Security Profile Completion 9. Place the Cursor on the Partner Menu and Select Security Profile. 10. The C-TPAT Supply Chain Security Profile is now re- quired to be maintained in the structured template found in their C-TPAT Security Link Web Portal Security Pro-file section. 11. Participants must provide a narrative description of the procedures they use to ensure adherence to C-TPAT Security Criteria or Guidelines as applicable for their C-TPAT enrollment category. 12. For information on C-TPAT Security Criteria or Guidelines, refer to the C-TPAT web page located at enforcement/ ctpat/. 13. In the Text Box for each section, C-TPAT participants must provide a narrative description of the security pro-cedures in place. Give examples. 14. Any back-up documentation may be uploaded in the Documents section via the C-TPAT Partner Document Exchange function. Answers such as Non-Applicable or Does Not Apply are NOT acceptable. If you feel that a section does not apply to your situation, give a succinct explanation of why you feel this does not apply to your company. 15. Participants navigate through the Supply Chain Security Profile Sections selecting the Next button or by clicking on the blue hyperlink for the section. 16. Clicking Save will ensure all work is updated. 17. After all Security Profile Sections have been completed, you will be able to Submit your Security Pro- file for review.

10 18. If any of the Supply Chain Security Profile sections are BLANK, an error message will be generated. 19. Your completed Security Profile will be assigned to and re- viewed by a C-TPAT Supply Chain Security Specialist. For each section of the Security Profile, any comments made by the C-TPAT Supply Chain Security Specialist reviewer will appear in the Comment section. 20. The block also indicates whether the section is Critical and whether the section is Approved or Rejected. Section Approval/Rejection is also designated by a Green Check (Approval) or a Red X (Rejected). 21. Rejected sections must be corrected and sufficient information provided. (a) (b) (c) C-TPAT Validation Process Validation Basics C-TPAT Validation 22. C-TPAT validation is a process through which U.S. Customs and Border Protection (CBP) meets with program participant representatives, and visits selected domestic and foreign sites, to verify that the supply chain security measures contained in the C-TPAT participant s security profile are accurate and being followed. Goals of C-TPAT Validation 23. Since the decision to provide expedited release of cargo, and/ or a reduced number of examinations, may be directly linked to a company s C-TPAT documentation, the principal goal of a validation is to ensure that the company s C-TPAT security profile is reliable, accurate and effective. CBP expects, however, that validations will also provide a forum through which CBP and a C-TPAT participant can build a stronger partnership by discussing supply chain security issues, sharing best practices, and cooperatively developing solutions to address potential vulnerabilities. The face-to-face nature of a validation encourages both CBP and the C- TPAT participant to better understand the role each plays in securing U.S. borders against international terrorism. Validation vs. Audit 24. A C-TPAT validation is not a CBP audit. Whereas CBP routinely performs audits in a variety of operational areas (e.g. trade compliance, NAFTA), C -TPAT validations do not measure a company s adherence to existing government rules and regulations. Instead, the validation is focused on the verification of supply chain security processes and procedures that a company voluntarily agrees to verify or perform under the auspices of the C-TPAT program. 25. Validations are meant to be focused and concise. Although they may extend beyond two weeks on some occasions due to CBP planning and travel, CBP maintains that they will not involve more than ten working days of a company s time. Which Participants Will Get a Validation? CBP plans on validating the security profiles of all C-TPAT participants. Normally a company s initial validation will occur within three years of becoming a certified member of C- TPAT. Validation Scheduling

11 1. The order in which a C-TPAT participant s profile will be selected for validation will be based on risk management principles. Validations may be initiated based on import volume, security related anomalies, strategic threat posed by geographic regions, or other risk related information. Alternatively, a validation may be performed as a matter of routine program oversight. CBP Headquarters will provide C-TPAT participants with approximately (30) thirty days advance notice prior to the beginning of any validation. The C-TPAT SCSS will work with the company s C-TPAT point of contact to schedule all validation visits. Reporting of Validation Findings At the conclusion of a validation, company management will be briefed on the findings of the validation. Additionally, a written Validation Report will be prepared and presented to the company shortly thereafter. Impact of Validation Findings 2. If the validation findings are satisfactory, the results will increase the level of benefits provided to importer participants. If the validation findings reveal significant weaknesses in the company s application of C-TPAT guidelines or criteria, some or all of the participant s C-TPAT benefits may be suspended or removed until corrective action is implemented and verified. Role of Security Criteria or Guidelines C-TPAT security criteria or guidelines were developed jointly by CBP and the trade community. Participating companies must use these criteria or guidelines to assess their own supply chain security programs. The criteria or guidelines are used to measure the company s overall commitment to C-TPAT and viability in the program. The validation process ensures the company s C-TPAT commitment includes physical and procedural security requirements that enhance and verify supply chain security. Process Guidelines Introduction 1. The Customs-Trade Partnership Against Terrorism (C -TPAT) program is U.S. Customs and Border Protection s (CBP) premier trade security program. The purpose of C - TPAT is to partner with the trade community for the purpose of securing the U.S. and intemational supply chains from possible intrusion by terrorist organizations. C-TPAT requires the trade company participant to document and validate their supply chain security procedures in relation to existing CBP C-TPAT criteria or guidelines as applicable. CBP requires that C-TPAT company participants develop an internal validation process to ensure the existence of security measures documented in their Supply Chain Security Profile and in any supplemental information provided to CBP. As a part of the C-TPAT process, CBP C-TPAT Supply Chain Security Specialists (SCSS) and the C-TPAT participant will jointly conduct a validation of the company s supply chain security procedures. The validation process is essential to verifying the company s commitment to C-TPAT. Objective 1. The purpose of the validation is to ensure that the C-TPAT participant s international supply chain security measures contained in the C-TPAT participant s security profile have been implemented and are being followed in accordance with established C-TPAT criteria or guidelines. The validation team evaluates the status and effectiveness of key security

12 measures in the participant s profile to make recommendations and recognize best practices where appropriate. Validation Principles 1. The guiding principle of the C-TPAT program is enhancing and ensuring supply chain security though a government-industry partnership. The C-TPAT program is voluntary and designed to share information that will protect the supply chain from being compromised by terrorists and terrorist organizations. The validation process will enable CBP and the C-TPAT participant to jointly review the participant s C-TPAT security profile to ensure that security actions in the profile are being effectively executed. Throughout the process there will also be the opportunity to discuss security issues and to share best practices with the ultimate goal of securing the international supply chain. C-TPAT validations are not audits. In addition, they will be focused, concise, and will last not longer than ten working days. 2. Based on the participant s C-TPAT security profile and the recommendations of the validation team, CBP Headquarters will also oversee the specific security elements to be validated. Conducting a Validation Validation Selection Process 1. To ensure accuracy, the security profiles of C-TPAT participants will be validated. The C-TPAT participant s security profile will be selected for validation based on the company s import supply chain risk. Validations may be initiated based on many factors including: security related anomalies, strategic threat posed by geographic regions, other risk related information, or strategic import volume. Unannounced validations will not be conducted. C-TPAT participants will be given approximately thirty days advance written notice along with a request for any supporting documentation that is needed. Validation Teams 1. A validation team consisting of C-TPAT SCSS and a representative^) of the C- TPAT participant will conduct C-TPAT validation visits. 2. SCSS on a validation team are composed of trained CBP specialists knowledgeable in international supply chain security matters. SCSS receive supply chain security training to assist them in working with industry representatives to promote effective supply chain security programs. Generally, the lead SCSS performing the validation will be the company s assigned C-TPAT representative responsible for reviewing and assessing the company s security profile and other accessible information to determine the scope of the validation. This will help ensure that the validation is effective, focused, and limited in duration. Validation Procedures 1. The SCSS validation team leader will provide the company with a written notification of the scheduled validation. The notice will be issued at least thirty days prior to the

13 start of the validation and will include a request for supporting documentation or materials, if any. The validation team leader will also contact the C-TPAT participant to establish a single point of contact at the corporate level. Prior to the commencement of the validation, the C-TPAT SCSS team will review the participant s C-TPAT security profile, any supplemental information received from the company, and any CBP headquarters instructions, to determine the intended scope of the validation. In preparation for the validation, the validation team may also consider specific C-TPAT security criteria and guidelines. The security criteria and guidelines are used to determine the sufficiency of specific aspects of a participant s C-TPAT security profile. It is understood that the criteria and guidelines are not inclusive with respect to effective security practices. C-TPAT Security Criteria and Guidelines are available for each C-TPAT enrollment category at Validation Venue 1. Under normal circumstances, the validation will begin with a briefing of C-TPAT participant company officials via phone or at the company s primary U.S. office location. The validation team will discuss the participant s role in the C-TPAT program. The validation team will also focus on the scope of the validation including validation visit locations throughout the company s international supply chain. If additional information is required to validate a portion of a C-TPAT participant s supply chain, the validation team will coordinate the required request with the company officials. Validation Visit 1. A validation visit is a detailed review of the participant s import supply chain security procedures to determine if sufficient security procedures are in place to meet current C- TPAT guidelines or criteria. The specific sites of the validation visits will be determined based on the C-TPAT SCSS validation risk analysis and coordinated with the C-TPAT participant representative. A validation may require multiple visits at foreign locations. Individual validation visits are usually performed in no more than one day. Validation Report 1. Validation visit findings are documented in a Validation Report and forwarded to the C-TPAT participant. The report findings will identify supply chain security recommendations or best practices. If significant supply chain security weaknesses or recommendations are found, a participant s C-TPAT benefits may be suspended or removed depending on the circumstances. If a company has their C-TPAT benefits suspended, C-TPAT will recommend that the company implement an action plan containing corrective actions to address specific supply chain security weaknesses. C-TPAT Security Criteria and Guidelines 1. The following sections include CBP C-TPAT Security Criteria and Security Guidelines that may be used by the C-TPAT Validation Team in the planning phase of an on-site validation. These Criteria and Guidelines, therefore, will be helpful in the revalidation review of key aspects of a participant s C-TPAT security profile. Therefore, prior to conducting an on-site validation, the validation team may review and discuss appropriate security recommendations

14 contained in these criteria and guidelines in the context of the participant s C-TPAT security profile. This will assist the team in limiting the scope of the validation and in customizing the validation to the C-TPAT participant involved. (a) (b) (c) C-TPAT for Importers C-TPAT Security Criteria for Importers C-TPAT Security Criteria Importers 2. Importers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria. Where an importer outsources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/sup plier/vendor) through to point of distribution - and recognizes the diverse business models C-TPAT members employ. C- TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis. Therefore, the program allows for flexibility and the customization of security plans based on the member s business model. Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the importer s supply chains - based on risk. Business Partner Requirement 1. Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors. Security procedures 1. For those business partners eligible for C-TPAT certification (carriers, ports, terminals, brokers, consolidators, etc.) the importer must have documentation (e.g., C -TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. 2. For those business partners not eligible for C-TPAT certification, importers must require their business partners to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation (e.g., contractual obligations; via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security criteria or an equivalent WCO accredited security program administered by a foreign customs authority; or, by providing a completed importer security questionnaire).based upon a documented risk assessment process, non-c- TPAT eligible business partners must be subject to verification of compliance with C-TPAT security criteria by the importer. Point of Origin

15 1. Importers must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin. Periodic reviews of business partners processes and facilities should be conducted based on risk, and should maintain the security standards required by the importer. 2. Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs 3. Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs Administration should be required to indicate their status of participation to the importer. Other Internal criteria for selection 1. Internal requirements, such as financial soundness, capability of meeting contractual security requirements, and the ability to identify and correct security deficiencies as needed, should be addressed by the importer. Internal requirements should be assessed against a risk-based process as determined by an internal management team. Container Security 1. Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At point of stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers. A high security seal must be affixed to all loaded containers bound for the U.S. All seals must meet or exceed the current PAS ISO standards for high security seals. Container Inspection 1. Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. A seven-point inspection process is recommended for all containers: (a) (b) (c) (d) (e) (f) (g) (h) Front wall Left side Right side Floor Ceiling/Roof Inside/outside doors Outside/Undercarriage Container Seals

16 2. Written procedures must stipulate how seals are to be controlled and affixed to loaded containers - to include procedures for recognizing and reporting compromised seals and/ or containers to US Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes. Container Storage 1. Containers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas. Physical Access Controls 1. Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry. Employees 1. An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g., keys, key cards, etc.) must be documented. Visitors 2. Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification. Deliveries (including mail) 1. Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated. Challenging and Removing Unauthorized Persons 1. Procedures must be in place to identify, challenge and address unauthorized/ unidentified persons. Personnel Security 1. Processes must be in place to screen prospective employees and to periodically check current employees. Pre-Employment Verification

17 1. Application information, such as employment history and references must be verified prior to employment. Background checks 1 investigations 1. Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employee s position. Personnel Termination Procedures 1. Companies must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security 1. Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain. Documentation Processing 1. Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information. Manifesting Procedures 1. To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners is reported accurately and timely. Shipping & Receiving 1. Arriving cargo should be reconciled against information on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Cargo Discrepancies 1. All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. Customs and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected - as appropriate. Security Training and Threat Awareness

18 1. A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail. 2. Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation. Physical Security 1. Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. Importers should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable. Fencing 1. Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage. Gates and Gate Houses 1. Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. Parking 1. Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. Building Structure 1. Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. Locking Devices and Key Controls 1. All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting

19 1. Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas. Alarms Systems & Video Surveillance Cameras 1. Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas. Information Technology Security Password Protection 1. Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training. Accountability 1. A system must be in place to identity the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. Importer - C-TPAT Agreement to Voluntarily Participate 1. This Agreement is made between (hereinafter referred to as the Importer ) and U.S. Customs and Border Protection (hereinafter referred to as CBP ) to participate in the Customs-Trade Partnership Against Terrorism (C -TPAT), a voluntary and cooperative partnership established to achieve the goals of building more secure and more efficient borders. 2. This Agreement between the Importer and CBP is intended to enhance the joint efforts of the Importer and CBP to protect the supply chain, identify security gaps, and implement specific security measures and best practices. Specifically, the Importer agrees to: 1. Conduct a comprehensive assessment of the Importer s global supply chain(s) based upon established C-TPAT security criteria to include: Business Partner Requirements, Cargo Security, Container Security, Physical Access Controls, Personnel Security, Procedural Security, Security Training/ Threat Awareness, Physical Security, and Information Technology Security. The supply chain is defined from point of origin (manufacturer/supplier/ vendor) to point of distribution. 2. Develop a written and verifiable process for determining risk throughout the Importer s global supply chain(s) based upon the Importer s business model (e.g., volume, country of origin, routing, potential terrorist threat, etc.)

20 3. Implement and maintain appropriate security measures throughout the Importer s global supply chain(s) in a written and verifiable format that is consistent with C-TPAT security criteria and based upon risk analysis as determined by the Importer s business model. 4. Complete and upload the Importer s Supply Chain Security Profile document. Develop and implement a written and verifiable process for the selection of all business partners in the Importer s global supply chain(s) including manufacturers, product suppliers, and vendors based upon C-TPAT security criteria regarding Business Partner Requirements. Where the Importer outsources or contracts elements of their supply chain(s), the Importer must ensure that appropriate security measures are in place, effective, and com-plied with. 6. Develop and implement a periodic Self-Assessment Pro- gram in a written and verifiable format to ensure that appropriate security measures consistent with C-TPAT security criteria are maintained and are sufficient throughout the Importer s global supply chain(s), and implement changes as necessary or needs arise. 5. Notify CBP at industry. partnership@dhs.gov of all changes and/or modifications to the Importer s information on file including Official Company Name, Street Address, Company Point of Contact, Telephone Number, Fax Number, and Upon acceptance, review, and/or certification in the C-TPAT, CBP will:- (a) Provide feedback and guidance to the Importer on the in- formation provided in the Supply Chain Security Profile within 60 days of receipt. (b) Provide technical assistance and recommendations to the Importer to improve the Importer s supply chain(s) pursuant to C-TPAT security criteria. (c) Provide incentives and benefits to include expedited processing of C- TPAT shipments. 7. Assign a C-TPAT supply chain specialist to serve as the CBP liaison for validations, security issues, procedural updates, communication, and training. 8. Ensure all information provided by the Importer to CBP will remain confidential. CBP will not disclose the Importer s identity as a C-TPAT partner without the Importer s consent. 9. This Agreement will be administered pursuant to a plan jointly developed by CBP and the Importer. This Agreement is subject to review and acceptance by CBP and the Importer and may be terminated upon written notice by either party. 10. This Agreement cannot, by law, exempt the Importer from any statutory or regulatory sanctions in the event that discrepancies are discovered during a physical examination of cargo or the review of documents associated with the Importer s transactions with CBP. 11. This Agreement does not relieve the Importer of any responsibilities with respect to United States law, including CBP regulations.

21 General Items FAQs 1. For a list of 43 Frequently Asked Questions and Answers Regarding Minimum Security Criteria for Importers refer to: import/ commercial_enforcement/ctpat/ security_criteria/criteria_importers/questions.xml. C-TPAT Application 1. Instructions for submitting an online C-TPAT application are at: onlineapp. Select Instructions for Completing the C-TPAT Online Application. 2. The C-TPAT Online Application itself can be found at: 3. For More Information 4. For more information about C-TPAT for importers go to: Search for C-TPAT for Importers.