Importers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria.

            Where an importer outsources or contracts elements of its supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution – and recognizes the diverse business models C-TPAT members employ.

Business partner requirement

            Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

            For those business partners eligible for C-TPAT certification (carriers, ports, terminals, brokers, consolidators, etc.) the importer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified.

            For those business partners not eligible for C-TPAT certification, importers must require their business partners to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation. Based upon a documented risk assessment process, non-C-TPAT eligible business partners must be subject to verification of compliance with C-TPAT security criteria by the importer.

Point of Origin

            Importers must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin. Periodic reviews of business partners’ processes and facilities should be conducted based on risk, and should maintain the security standards required by the importer.

            Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign customs administration should be required to indicate their status of participation to the importer.

            Internal requirements, such as financial soundness, capability of meeting contractual security requirements, and the ability to identify and correct security deficiencies as needed, should be addressed by the importer. Internal requirements should be assessed against a risk-based process as determined by an internal management team.

            Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At point of stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers. A high security seal must be affixed to all loaded containers bound for the U.S. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals.

            Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors.

            Written procedures must stipulate how seals are to be controlled and affixed to loaded containers – to include procedures for recognizing and reporting compromised seals and/or containers to U.S. Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes.

            Containers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas.

            Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry.

            An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented.

            Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.

            Processes must be in place to screen prospective employees and to periodically check current employees.

            Application information, such as employment history, must be verified prior to employment.

            Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employee’s position.

            Companies must have procedures in place to remove identification, facility, and system access for terminated employees.

  Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain.

  Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information.

Shipping and receiving

            The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released.

            All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately.

            Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. Importers should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable.

            Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair.

            Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training.

            A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse.