GAO Report Says C-TPAT Reduces Scrutiny with Limited Assurance of Improved Security (Part I)

This report examines: (1) what benefits U.S. Customs and Border Protection (CBP) provides to Customs-Trade Partnership Against Terrorism (C-TPAT) members, (2) how CBP determines eligibility for C-TPAT benefits, (3) what process CBP uses to verify that members have implemented security measures, and (4) how well CBP manages C-TPAT. Among other things, the GAO found that CBP's C-TPAT validation process is not rigorous enough to ensure that the security procedures outlined in members' security profiles are reliable, accurate, and effective.

The GAO also makes recommendations to improve the program's ability to meet its goals by providing appropriate guidance to specialists conducting validations, determining the extent to which C-TPAT members should be validated in lieu of the original goal to validate all members within 3 years of certification and implementing performance measures, a human capital plan, and a records management system for the program. According to the GAO, CBP generally agreed with the GAO's recommendations and cited corrective actions they either have taken or plan to take.

This is Part I of a multi-part series of summaries on this GAO report. Part I outlines the steps in CBP's review process for C-TPAT validation and highlights the weaknesses the GAO uncovered in CBP's validation process. See future summaries for GAO analysis of CBP's strategic plan for C-TPAT, CBP's progress in addressing weaknesses, and GAO's recommendations for improving the validation process.

GAO Outlines Steps in CBP's Review Process for C-TPAT Validation

The GAO explains that CBP's review process for C-TPAT membership consists of the following steps, culminating in validation:

Application - the company is to submit information and a signed agreement to voluntarily participate in C-TPAT

Security Profile - the company is to complete the supply chain security profile and send it to CBP electronically within 60 days of submitting the signed agreement and company information.

Certification - CBP reviews the supply chain security profile and asks for clarification, if necessary. Within 60 days of receiving the profile, CBP is to complete its review and, if favorable, send the company a signed copy of the C-TPAT agreement. The member is then considered certified and some benefits begin. However, with respect to importers, benefits are not granted until successful completion of CBP's vetting process.

Vetting - For certified C-TPAT importers, CBP is to conduct a separate vetting process to determine, through a review of the compliance with customs laws and regulations, and violation history of the importer, if there is questionable information that might preclude approval of benefits. CBP is to consult several data sources and, on a case-by-case basis, determine whether the importer should receive benefits. If CBP gives the importer a favorable review, benefits are to begin within a few weeks. If not, benefits are not to be granted until successful completion of the validation process.

Validation - CBP is to conduct a validation of selected certified C-TPAT members to ensure they have implemented the security measures outlined in their supply chain security profiles and any supplemental information provided to CBP. The validation is to be conducted jointly by CBP and a member representative. CBP is to provide the member with 30 days written notice before the validation. Validation findings are to be documented in a final report.

The GAO states that CBP grants benefits to C-TPAT members after it has reviewed and certified applicants' security profiles and completed the above-described vetting process. However, neither the certification nor vetting process provides an actual verification that the supply chain security measures contained in the C-TPAT member's security profile are accurate and are being followed before CBP grants the member benefits. (See ITT's Online Archives or 06/17/05 news, 05061705, for BP summary of CBP's move to a two-tiered C-TPAT benefits system, which reduces benefits for companies that have been certified but not yet validated.)

GAO Uncovers Weaknesses in CBP's Verification of C-TPAT Security Procedures

The GAO explains that it has found certain weaknesses in CBP's process for verifying the security procedures of C-TPAT members; these weaknesses include (partial list):

Validation process lacks rigor to achieve stated purpose. According to the GAO, the validation process is not rigorous enough to achieve its stated purpose, which is to ensure that the security procedures outlined in the members' security profiles are reliable, accurate, and effective.

For example, CBP has no written guidelines for its supply chain specialist to indicate what scope of effort is adequate for the validation to ensure that the member's security measures are reliable, accurate, and effective. Moreover, CBP has no baseline standard for what minimally constitutes a validation. The GAO indicates that the validation reports it reviewed did not consistently document how the elements of members' security profiles were selected for validation

CBP has not determined the extent to which validations are needed. The GAO states that CBP has not determined the extent to which it must conduct validations of members' security profiles to ensure that the operation of C-TPAT is consistent with its overall approach to managing risk. The GAO also found that CBP has not determined the number of supply chain specialists it needs or the extent to which validations are needed to provide reasonable assurance that it is employing a good risk management approach for the program.

(According to a 2004 CBP Trade Symposium document and recent testimony by CBP's Commissioner, in April 2005 C-TPAT specialists began using an Automated Validation Assessment Tool, which is an electronic questionnaire that automatically scores and weighs the findings of the Supply Chain Specialist to produce an overall assessment of the supply chain security measures in place. See ITT's Online Archives or 06/14/05 and 06/17/05 news, 05061410 and 05061705, for BP summaries.)

CBP cannot meet its goal of validating every C-TPAT member within 3 years. CBP officials have stated to the GAO that it is not be possible to meet the goal of validating every C-TPAT member within 3 years of certification.

Instead, CBP is using a risk-based approach, which considers a variety of factors to prioritize which members should be validated as resources allow. The GAO notes that while CBP officials are supposed to prioritize members for validation based on established criteria, they may consider other factors.

(For example, in August 2004, CBP began using a risk assessment tool developed for CBP's regulatory audits to assist in prioritizing importers for validation. This tool ranks importers by risk according to factors such as value of imports, import volume, and method of transportation used by the importer for its goods. CBP tailored the tool to consider only those factors it deemed relevant to C-TPAT. Applying the tool with this revised set of factors, CBP officials told GAO that they produced a list that ranked each certified importer according to its risk. However, these ranked importers are the re-evaluated, along with members from other trade sectors, using CBP's internal selection process criteria.)

GAO Report (GAO-05-404, dated March 2005) available athttp://www.gao.gov/new.items/d05404.pdf