Details of CBP's C-TPAT Security Guidelines for Licensed U.S. Customs Brokers

(See ITT's Online Archives or 04/26/06 news, 06042605, for BP summary announcing CBP's issuance of C-TPAT security guidelines for brokers, NVOCCs, OTIs, foreign manufacturers, air carriers, rail carriers, etc.)

C-TPAT Application Qualifications for Brokers

1. Be an active U.S. Licensed Customs Broker.
2. Have a business office staffed in the US.
3. Have an active U.S. Customs Broker's License and Filer Code of record ID(s) in either of the following formats:

a. Customs Broker's License Serial Number

b. Filer Code

1. Have a designated company officer that will be the primary cargo security officer responsible for C-TPAT.
2. Commit to maintaining CBP's C-TPAT Security Guidelines for Brokers.
3. Create and provide CBP with a C-TPAT supply chain security profile, which identifies how the broker will meet, maintain and enhance internal policy to meet the C-TPAT Security Guidelines for Brokers.

Penalties for Providing False Information

CBP states that the failure to provide true, accurate and complete information in an application may result in denial of this application. Severe penalties are provided by law for knowingly and willfully falsifying or concealing a material fact or using any false document in submitting this application. If a broker is found in violation of the terms and conditions of this program, CBP may cancel the broker's privileges and it may be subject to fines, penalties and criminal charges.

C-TPAT Security Guidelines for Brokers

CBP states that brokers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security guidelines.

Where a broker out sources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the broker must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. (The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution and recognizes the diverse business models C-TPAT members employ.)

CBP states that C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis. Therefore, the program allows for flexibility and the customization of security plans based on the member's business model.

CBP states that as listed in its security guidelines document appropriate security measures, based on risk, must be implemented and maintained throughout the broker's supply chains.

Business Partner Requirements

CBP states that brokers must have written and verifiable processes for the screening selection of business partners including customers, contractors, carriers, and vendors. Ensure that contract companies who provide transportation, security, and cargo handling related services commit to C-TPAT Security Guidelines. Periodically review the performance of the service providers to detect weakness or potential weaknesses in security.

Security Procedures

Service Provider Screening and Selection Procedures. The C-TPAT Broker should have documented service provider screening and selection procedures to screen the contracted service provider for validity, financial soundness, ability to meet contractual security requirements, and the ability to identify and correct security deficiencies as needed. Service Provider procedures should utilize a risk-based process as determined by an internal management team.

Customer Screening Procedures. The C-TPAT Broker should have documented procedures to screen prospective customers for validity, financial soundness, the ability of meeting contractual security requirements, and the ability to identify and correct security deficiencies as needed. Customer screening procedures should utilize a risk-based process as determined by an internal management team.

Physical Access Controls

Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors and protect company assets. CBP states that access controls must include the positive identification of all employees, visitors and vendors at all points of entry.

Employees. An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented.

Visitors Controls. Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification.

Deliveries (including mail). Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated.

Challenging and Removing Unauthorized Persons.Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.

Personnel Security

CBP states that processes must be in place to screen prospective employees and to periodically check current employees. Maintain a current permanent employee list (foreign and domestic), which includes the name, date of birth, national identification number or social security number, position held and submit such information to CBP upon written request, to the extent permitted by law.

Pre-Employment Verification. Application information, such as employment history and references must be verified prior to employment.

Background checks/investigations. Consistent with foreign, federal, state and local regulations, background checks and investigations should be conducted for prospective employees. Periodic checks and reinvestigations should be performed based on cause and/or the sensitivity of the employee's position.

Personnel Termination Procedures. Companies must have procedures in place to remove identification; facility and system access for terminated employees.

Procedural Security

CBP states that security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling and storage of cargo in the supply chain.

Documentation Processing. Procedures must be in place to ensure that all documentation used in the clearing of merchandise/cargo is legible, complete, accurate and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information.

Manifesting Procedures. To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners is reported accurately and timely.

Cargo Discrepancies. All shortages, overages and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. CBP and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected.

Security Training and Threat Awareness

CBP states that a threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in sensitive areas.

Additionally, specific training should be offered to assist employees in recognizing internal conspiracies and protecting access controls. These programs should offer incentives for active employee participation.

Physical Security

Brokers should incorporate the following C-TPAT physical security guidelines throughout their facilities as applicable.

Building Structure. Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair.

Locking Devices and Key Controls. All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys.

Lighting. Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, fence lines and parking areas.

Alarms Systems & Video Surveillance Cameras. Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas.

Information Technology Security

Information Technology (IT) integrity must be maintained to protect data from unauthorized access or manipulation.

Password Protection. Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training.

Accountability. A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse.

(See ITT's Online Archives or 02/27/02 news 02022705, for BP summary of CBP's issuance of C-TPAT security recommendations for brokers.)

Broker C-TPAT Security Guidelines (dated 04/24/06) available at http://www.cbp.gov/xp/cgov/import/commercial_enforcement/ctpat/security_guideline/guideline_broker.xml.

BP Note

According to CBP sources, these C-TPAT guidelines are precursors to C-TPAT criteria (that are expected to have effective dates, etc.), which are expected to be developed.