Final Draft of CBP's New C-TPAT Security Standards for Importers Available

Below is a transcription of this final draft version of these new standards. (Changes from the third draft are underlined and explained at the end of this transcription, by numbered notes.)

(See ITT's Online Archives or 01/13/05 news, 05011305 for BP summary of third draft.)

C-TPAT Security Criteria - Importers

Importers must conduct a comprehensiveassessment of their international supply chains based upon the following C-TPAT security criteria.

Where an importer outsources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners toensure that pertinent security measures are in place and adhered to throughout their supply chain. ¹

Thesupply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution - and recognizes the diverse business models C-TPAT members employ.²

C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis.

Therefore, the program allows for flexibility and the customization of security plans based on the member's business model.

Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the importer's supply chains - based on risk.³*

(*Importers shall have a documented and verifiable process for determining risk throughout their supply chains based on their business model (i.e. volume, country of origin, routing, potential terrorist threat via open source information, etc.)

Business Partner Requirement

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

security procedures.For those business partners eligible for C-TPAT certification (carriers, ports, terminals, brokers, consolidators, etc.) the importer must have documentation (e.g. C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified.^4A

For those business partners not eligible for C-TPAT certification, importers must require their business partners^4B to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation (e.g., contractual obligations; via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security criteria ⁵ or an equivalent WCO accredited security program administered by a foreign customs authority; or, by providing a completed importer security questionnaire). Base upon a documented risk assessment process, non-C-TPAT eligible⁶ business partners must be subject to verification of compliance with C-TPAT security criteria by the importer. ⁷

point of origin.⁸Importers must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteriato enhance the integrity of the shipment at point of origin.⁸ Periodic reviews of business partners' processes and⁹ facilities should be conducted based on risk, and should maintain the security standards required by the importer.

participation/certification in foreign Customs administrations supply chain security programs. Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs Administration should be required to indicate their status of participation to the importer.

other internal criteria for selection.Internal requirements, such as financial soundness, capability of meeting contractual security requirements, and the ability to identify and correct security deficiencies as needed, should be addressed by the importer. Internal requirements should be accessed against a risk-based process as determined by an internal management team.

Container Security

Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons.^10AAtpoint of stuffing^10B, procedures must be in place to properly¹¹ seal andmaintain the integrity of the shipping containers. A high security seal¹² must be affixed to all loaded containers¹³ bound for the U.S. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals.¹⁴

Container Inspection.Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. A seven-point inspection process is recommended for all containers: Front wall, Left side, Right side, Floor, Ceiling/Roof, Inside/outside doors, and Outside/Undercarriage.

Container Seals.Written procedures must stipulate how seals are to be controlled and affixed to loaded containers¹⁵ - to include procedures for recognizing and reporting compromised seals and/or containers¹⁶ to CBP or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes.

Container Storage.Containers¹⁷ must be stored in a secure area to prevent unauthorized¹⁸ access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas.

Physical Access Controls

Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry.

Employees.An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. ¹⁹

Visitors.Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification.

Deliveries (including mail).Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated.²⁰

Challenging and Removing Unauthorized Persons. Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.

Personnel Security

Processes must be in place to screen prospective employees and to periodically check current employees.

Pre-Employment Verification. Application information, such as employment history and references must be verified prior to employment.

Background Checks/Investigations. Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks andreinvestigations should be performed based on cause, and/or the sensitivity of the employee's position.

Personnel Termination Procedures.Companies must have procedures in place to remove identification,facility, and system access for terminated employees ²¹.

Procedural Security

Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain.

Documentation Processing. Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction or erroneous information. Documentation control must include safeguarding computer access and information.

Manifesting Procedures.To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners²² is reported accurately and timely.

Shipping & Receiving. Arriving cargo should be reconciled against information²³ on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released.

Cargo Discrepancies. All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. Customs and/or other appropriate law enforcement agencies must be notified if illegal activities are detected - as appropriate.²⁴

Security Training and Threat Awareness

A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address the response to a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail.

Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation.

Physical Security

Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. Importers should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable:

Fencing. Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage.

Gates and Gate Houses. Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety.

Parking. Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas.

Building Structure. Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair.

Locking Devices and Key Controls. All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys.

Lighting. Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas.

Alarm Systems & Video Surveillance Cameras. Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas.

Information Technology Security

Password protection.Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures, and standards must be in place and provided to employees in the form of training.

Accountability. A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse.

Numbered Notes

¹ used to be "by their direct/contracted business partners"

² added language

³moved from another paragraph in this introductory section. Also the phrase "as listed throughout this document" is added.

^4Athis sentence used to be the second sentence directly under the title "Business Partner Requirement."

in addition, this sentence now gives examples of documentation.

^4Bthe language in the first sentence before the words "to demonstrate" is modified. In addition, the entire section "security procedures" now discusses those eligible for C-TPAT certification vs. those ineligible for C-TPAT certification. Previously, it stated that it covered those not already C-TPAT certified.

⁵ used to be "participation in C-TPAT "

⁶ added language

⁷ the following sentence used to be at the end of this paragraph and is now deleted: "Through these verifications, importers can more easily identify if outsourcing occurs at any point in their supply chain and if C-TPAT security standards are being met or exceeded by their business partners."

⁸ used to be "point of production" or "point of manufacture"

⁹ added language

^10A used to be "personnel"

^10Bused to be "Importers must require that at point of stuffing"

¹¹ added language

¹² used to be "mechanical seal"

¹³ used to be "sea containers"

¹⁴ used to be "mechanical seals"

¹⁵ used to say "secured, logged and affixed to loaded containers and verified throughout the supply chain"

¹⁶ used to say "or seal discrepancies"

¹⁷ used to say "All containers empty or full"

¹⁸ added word

¹⁹ this sentence has been modified to indicate that procedures must be documented for the issuance, etc. of access devices. Also this sentence used to be the sole sentence under the heading "Securing physical access", which no longer exists as a separate heading.

²⁰ the sentence used to state "procedures to periodically screen arriving packages and mail for potential threats should be implemented"

²¹ used to say "for personnel whose employment has been terminated"

²² used to state "foreign suppliers"

²³ used to be "advance information"

²⁴ added language

CBP's final draft C-TPAT security standards for importers (dated 02/11/05) availablefromBP via email by emailing documents@brokerpower.com.

BP Note

Although press and other reports indicate that this final draft is the 5^th version of this document, BP has only summarized and offered four versions, including this final draft. As a result, one of the versions of this draft document was probably not summarized and offered by BP.