GAO Finds CBP Has Enhanced C-TPAT, But Challenges Remain in Verifying Security Practices

In its report, the GAO was asked to assess the progress that CBP has made in (1) strengthening its policies for granting Customs-Trade Partnership Against Terrorism (C-TPAT) benefits, (2) addressing challenges in validating members' security practices, and (3) addressing management and staffing challenges, since the GAO issued its first report in 2005.

(See ITT's Online Archives or 06/21/05 and 06/22/05 news, 05062110 and 05062215, for BP summaries of the GAO's 2005 report on C-TPAT.)

Highlights of the GAO's findings and recommendations (as well as CBP's responses to the GAO's recommendations) are as follows:

CBP Has Strengthened its Policies for Granting C-TPAT Benefits

GAO found that CBP has strengthened its policies for granting benefits to C-TPAT importers (C-TPAT's largest member sector) and has efforts underway to strengthen its policies for granting benefits to C-TPAT members in other sectors.

NVOCC/OTI minimum security criteria. CBP is finalizing minimum security criteria for C-TPAT members in the non-vessel operating common carrier and freight consolidators/ocean transportation intermediary trade sector, the last trade sector awaiting such criteria. CBP plans to issue the final criteria for this last sector in mid-2008.

(CBP has already established minimum security criteria for C-TPAT members in the other nine C-TPAT trade sectors (importers, brokers, sea carriers, highway carriers, rail carriers, air carriers, foreign manufacturers, U.S. and foreign maritime port authorities and terminal operators, and Mexican long haul highway carriers).)

"Tiered" benefits currently for importers only. CBP has introduced "tiered" benefits for C-TPAT importers. Although CBP has considered implementing "tiered" benefits for other C-TPAT trade sectors, it has not been able to identify additional benefits to offer nonimporters in a "tiered" structure.

(CBP officials note that because nonimporter C-TPAT participants generally derive their benefits from the business world in the form of increased marketability once they are designated a C-TPAT member, CBP would have no additional benefits to offer these participants.)

CBP's Validation Process Has Certain Limitations

According to the GAO, CBP has taken steps to improve the C-TPAT validation process, but faces challenges verifying that C-TPAT members have security practices consistent with the minimum security criteria established for their particular trade sector.

Problems with VSAT. Problems were found with the portable, personal computer-based data-gathering instrument (called the Validation Security Assessment Tool - VSAT) that CBP provides to its security specialists to help ensure that validation information is consistently collected, documented, and uniformly applied to decisions regarding the awarding of benefits to C-TPAT members.

CBP's design of VSAT does not provide for reliable analysis of data regarding verification of C-TPAT members' security practices. For example, GAO notes that VSAT uses a binary format that requires security specialists to answer questions using a "yes/no" format with "no" being the default response. With this format, one cannot determine whether a "no" response denotes an intentional "no," "not applicable," or that the security specialist simply skipped or failed to complete the item. As a result, the accuracy and reliability of the data associated with CBP's validation of C-TPAT members' security practices are unknown.

Validations are based on information other than testing results. While VSAT allows specialists an opportunity to collect data on the results of members' internal or third-party audits and inspections of their supply chain security practices, CBP does not require security specialists to use these data in validating members' security practices as an alternative to direct testing, even though CBP views direct testing as impractical.

CBP does not ensure implementation of recommendations before granting benefits. CBP lacks a systematic process to ensure appropriate actions are taken in response to security specialists' recommendations in validation reports. Without such key internal control, CBP does not have reasonable assurance that companies implement its recommendations to enhance supply chain security practices in accordance with CBP criteria.

Certain C-TPAT Management and Performance Measures Remain Problematic

GAO found that although CBP has taken a number of actions to address C-TPAT management and staffing challenges, it continues to confront issues in effectively managing the program, including:

(a) Certain data are missing from the C-TPAT Portal, including interim processing dates (e.g., the date the security specialist sends members the 30-day validation letter), and this inhibits management's ability to determine compliance with its requirements for managing and operating the C-TPAT program; and

(b) CBP has developed performance measures for C-TPAT's facilitating the flow of commerce, but has not developed performance measures to assess the effectiveness of C-TPAT's efforts to improve supply chain security.

GAO Recommendations and CBP's Responses

In its report, GAO made five recommendations, and CBP responded as follows:

1. CBP should continue to improve the consistency with which validations are conducted and documented by revising the VSAT electronic instrument used in validations to include appropriate response options and eliminate the use of default "no" responses.

CBP response - CBP concurred with this recommendation and is developing a second generation automated tool which will eliminate the use of default "no" response and will address all security criteria. Phase I will be completed by June 30, 2008; additional sectors will be identified and rolled-out by August 30, 2008; and additional automated reports are to be operational by December 31, 2008.

1. CBP should strengthen the evaluation of security during validations by requiring validations to include the review and assessment of any available results from audits, inspections, or other reviews of a member's supply chain security.

CBP response - CBP agreed and will issue a policy memo by June 30, 2008 to the C-TPAT security specialists instructing them to request from the partner company any available internal audits, inspections or reviews which will serve as additional information to consider during the validation process. CBP will also include this topic at its fall 2008 internal training session.

1. CBP should ensure that C-TPAT validation report recommendations are implemented by establishing a policy for security specialists to follow-up with member companies when CBP requires them to make security enhancements to ensure that the necessary steps are taken.

CBP response - CBP agreed with this recommendation and will issue a policy memorandum and revise Standard Operating Procedures to the extent necessary to ensure that all actions required/recommendations are implemented and will explore ways to capture and quantify this information either in the C-TPAT Portal records management system or via other means.

1. CBP should ensure that the C-TPAT Portal records management system completely documents key data elements needed to track compliance with Security and Accountability for Every (SAFE) Port Act and other CBP internal requirements.

CBP response - CBP agreed and stated that by June 30, 2008, it will ensure that data elements needed to ensure compliance with previously stated performance indicators and as identified by CBP are available for the Portal records system.

1. CBP should identify and pursue opportunities in information collected during C-TPAT member processing activities that may provide direction for developing performance measures of enhanced supply chain security.

CBP response - CBP agrees that the C-TPAT program must continue to strive to develop outcome based measures and will conduct an analysis, which is due by December 31, 2008.

GAO Report (GAO-08-240, dated April 2008) available at http://www.gao.gov/new.items/d08240.pdf.