Overview

The updated MSC has been rewritten. All sections have been updated and 3 new categories added reflecting how supply chain security has evolved since the CTPAT initiative began.  While the program began to simply counter the threat of terrorism, CTPAT’s objectives have broadened to include human trafficking, counterfeiting and contraband.

CTPAT members are expected to implement the updated criteria across their organization during the remainder of 2019 with them being in effect across their operations by 2020.

Omega recommends that CTPAT members review the updated MSC in its entirety, available from members CTPAT portal, and familiarize themselves with the requirements.

We have though described the key requirements, in our judgement, and recommendations on how they should be integrated into your supply chain security program.  We hope you find this information helpful.

Must v Should

Each of the MSC are designated with either ‘must’ or ‘should’. Criteria assigned with a ‘must’ should by no means be considered best practices, but rather objectives, certainly for those companies with Tier III aspirations.

Corporate Security

• The CTPAT point of contact must be knowledgeable about CTPAT and update upper management regularly on the program including audits and validations.
• CTPAT members should demonstrate their commitment to supply chain security through a statement of support signed by a senior company official. In CBP’s experience, CTPAT is rarely included in succession plans when the point of contact moves to a different organization. This requirement attempts to make the program more durable within member organizations.
• CTPAT members should establish a CTPAT taskforce with representation from various departments including human resources. This taskforce should meet once a year, 60 to 90 days from the date of its CTPAT portal update, unless a security breach has occurred in which case it should meet sooner. In this meeting the taskforce should review the organization’s supply chain security program and update it on an ongoing basis.

Risk Assessment

• CTPAT members must be perform a risk assessment annually, at minimum, or more frequently as risk dictates.

• The risk assessment should describe how all cargo moves through the supply chain from point of origin to distribution centers covering all direct and indirect suppliers. It should describe whether any cargo is at rest at any location.

• CTPAT members should assign a risk weighting to each country. CBP prefers numerical weightings, such as high risk = 3, medium risk = 2 and low risk = 1. Since terrorism is no longer the primary consideration, risk of contraband, counterfeiting and human trafficking should be included in the assessment. China, for example, may be considered ‘high risk’ due to illegal fentanyl imports.  CBP does not require members to contract third party specialists to analyze risk since there is an abundance of public information available.  Cargo type should also be considered in this risk assessment also: FCL or LCL.

• CTPAT members should work with business partners such as their freight forwarders and language in contracts should cover CTPAT compliance. Audits at freight forwarder sites are also recommended as a means of verifying supply chain security.

Business Partners

• Business partners refers to all companies the CTPAT member partners with, including but not limited to, foreign suppliers, US domestic carriers, carriers in countries of origin, customs brokers and freight forwarders.

• CTPAT members should verify that partners are either:

1. CTPAT members
2. Certified members of a supply chain security program that has an Mutual Recognition Agreement (MRA) with the United States Customs and Border Protection or complies with the CTPAT MSC
3. Compliant with the MSC. Compliance should not be measured by questionnaires alone, but more effective onsite supply chain security audits also as determined by risk.

Regardless of whether a questionnaire or an onsite audit was utilized to verify compliance with the MSC, the business partner is required to remedy all issues via the completion of a corrective action plan.

• Business partners are expected to comply with both cybersecurity and anti-terrorism financing requirements. When establishing relationships with new business partners, CTPAT members should be aware of these potential red flags: high employee turnover, short time in business, irregular hours of operation, business location and anonymous or unknown ownership.

• CTPAT members should have a documented social compliance program addressing how it prevents the importation of goods to the United States produced, mined or manufactured with the various forms of forced labor.

Cybersecurity

• CTPAT members must have comprehensive, written cybersecurity polices protecting their IT system covering anti-virus, frequent security software updates and policies and procedures against ‘social engineering’; when an outside party builds a relationship with a member of the organization with the objective of them divulging confidential information.

• When applying cybersecurity requirements to overseas manufacturers CTPAT members should consider whether they have a network. If not, then cybersecurity is not applicable.

• If CTPAT member employees access company intranet from remote locations, a secure VPN needs to be used.

Container Security

• CTPAT members should require that container inspections now include the new requirements for agricultural security. Containers should be free from pests and spilled seeds via either a vacuum, sweep or a blow out of the container prior to loading.

CTPAT Audits

• CTPAT audits on overseas manufacturers should be updated to cover the requirements of the new MSC. Omega is in the process of reviewing its supply chain security audit protocols and all changes shall be in effect before the end of 2019 so that clients remain compliant with CBPs new requirements from 2020 onwards.

For more information on Omega’s CTPAT services, please contact us.