New CTPAT Minimum Security Criteria Increases Resilience, Minimizes Compliance Burdens

Editor’s Note: Anthony Pelli, Senior Supply Chain Risk Consultant, BSI

It's been 18 years since the Customs Trade Partnership Against Terrorism (CTPAT) was started, just weeks after the September 11 terrorist attacks, to help secure the nation's borders and impose greater control over the goods coming into the country.

The U.S. Customs and Border Protection (CBP) agency initiated this voluntary joint government-business program with the intent of protecting the United States from acts of terrorism by building cooperative relationships that strengthen overall supply chain and border security.

Judging by sheer numbers of participants, the program has been a success, with more than 11,000 certified partners “spanning the gamut of the trade community,” according to CBP. But it's begun to show its age nearly two decades after inception.

Since CTPAT's launch, the volume and complexity of trade into the United States have increased exponentially, and the role of technology has had an indelible impact on the supply chain. Operational risks unheard of at the start of the century also have emerged.

Now, after two years of work that included incorporating the input of supply chain professionals, the Minimum Security Criteria (MSC) for the CTPAT program has been updated to include added requirements and recommendations related to supply chain security management, cybersecurity, protection against agricultural contaminants, prevention of money laundering and terrorism financing, and advancements in security technology.

All CTPAT members are expected to comply with the updated MSC by 2020, regardless of whether they are scheduled for a validation that year. CBP notes that while validations under the updated MSC will commence in early 2020, most members will not undergo a validation that year because they are on a four-year validation cycle.

By implementing CTPAT's MSC, released in May, companies can maximize their resilience by instilling a culture of collaboration that aligns their own standards with common business best practices.

Here are a few ways that implementing new CTPAT MSC elements will increase your supply chain resiliency:

Security Vision and Responsibility

The Security Vision and Responsibility category creates buy-in from all levels of a company, to increase awareness and support for supply-chain security efforts. Many companies already have the required policies and procedures in place, they just need to structure them more effectively. The Security Vision and Responsibility category now requires that a cross-functional team, including representatives of all relevant departments, help prepare the organization in the event of personnel turnover.

By implementing more structure to make your supply-chain security program a year-round, 24-7 endeavor, the new MSC can help ensure protocols in place are the best fit for your organization. Before the revision, companies were used to gearing up every four years for CTPAT certification or revalidation and didn't necessarily have ongoing management of supply chain security in the years between validations.

Due to the fragmented nature of supply chain security, it's usually rare for one individual or department to be able to maintain the certification. Security Vision and Responsibility asks for one entity to consolidate the elements of the CTPAT certification effort and develop internal policies and procedures for addressing CTPAT criteria.

For example, IT policies at the corporate level could be different from the IT policies at a facility level. Under the new criteria, someone will need to identify those policies, examine what standards those policies are based upon, and isolate which elements of each policy correspond to the new cybersecurity criteria.

Information Sharing

The new MSC creates a more thorough information-sharing program, both with CTPAT and within a company's own supply chain, should a violation or incident occur. The additional information and reporting required throughout the supply chain ensures that all business units throughout it are adhering to the same standards.

Again, many companies have general security policies but these new criteria require that a company unify the policies across the company.

To ensure all business units within a supply chain are adhering to the same set of standards, you need to implement an overarching verification mechanism to ensure that your suppliers are securing their own supply chains. The MSC will help make certain this happens.

Getting Started

All CTPAT members who will need to comply with the updated MSC by 2020 can get started by using internationally recognized standards to help facilitate this process. For example, ISO 28000, designed to standardize security management for supply chains, can act as a handrail for this form of security and will support the other aspects of compliance. ISO 27001, for information security management, will help with the cybersecurity portion of a company's compliance with CTPAT.

These standards are critical tools for providing evidence of implementation and increasing supply-chain resiliency, while minimizing the overall burden of compliance with the new MSC.

With only 3 months left until the 2020 deadline, many companies will be caught scrambling trying to meet the new requirements; however, with a proper plan in place, organizations can meet these requirements while still enjoying the benefits of CTPAT and minimize overall compliance burdens.

The clock is ticking…what is your company doing to prepare for the changes?

SC
MR