UPDATED/NEW 2020 CTPAT SECURITY PROFILE IS UP AND RUNNING

  1. You have to respond to a new security profile and provide up-to-date documentation to support the answers. CBP removed the present security profile questionnaire from the CTPAT’s member’s portal and saved it under the section called Trade Account Information /Documents.
  2. Of the 12 sections, many of which have been updated, four (4) new ones have been added: Upper Management Responsibility, Agricultural Processes, Education/Training and Cybersecurity. These sections include more than 44 questions, with new requirements. The balance is an enhanced version of all of the other sections.
  3. The most challenging section is the updated Cybersecurity IT section which has 21 questions.

CYBERSECURITY/IT

WHAT IS CYBERSECURITY?

Cybersecurity refers to the body of technologies, processes and practices designed to protect networks, devices, programs and data from attack, damage or unauthorized access.

For Cybersecurity, the size of your company is not defined by the amount of hardware and software that your company has but by the RISK exposure that you have. For example, a company that has ten (10) computers dedicated to use in the office, with no remote access has much less risk than a company with five (5) computers with remote access and accepts credit card payments.

HOW CAN NORMAN JASPAN ASSOCIATES, INC. (NJA) HELP YOU COMPLY WITH CYBERSECURITY?

NJA is able to synthesize the Cybersecurity stringent criteria, regardless of the size of your company. NJA has created an audit checklist, which also contains examples of different types of software and hardware along with a glossary of cybersecurity terms, that will enable you do the following:

  • Determine your Risk Exposure and what action is required to meet the MSC (Minimum Security Criteria).
  • Create or verify that your IT Policy is reflective of what your company is doing to meet the CTPAT MSC.
  • Respond to the Cybersecurity section questions in the new MSC 2020.

In addition, we will work with your company to establish a cybersecurity training program, with phishing exercises, if applicable, that can be administered by your own company.

WHAT DOES THE CTPAT MEMBER REALLY KNOW ABOUT CYBERSECURITY?

Most small to medium size companies do not have extensive knowledge about cybersecurity and probably rely on an Internal IT department or external IT consultant to address computer issues. Depending on the size and depth of the internal IT department and the services of the external IT consultant, most of them only focus on repairing hardware problems, installing software and hardware and addressing email issues.

HOW DOES CYBERSECURITY AFFECT MY SUPPLY CHAIN?

Cybersecurity is found in its entirety in all twelve (12) different CTPAT eligibility categories. In order to pass a validation, you must physically demonstrate (on the computer and in written documentation) that you have the MSC or have your security profile approved. CTPAT members as well as their business partners must meet the requirements. These partners include anyone with access to their information such as the Customs Broker, Freight Forwarder, Third Party Warehouse and Foreign Supplier.

Since Cybersecurity is a never-ending battle to prevent attacks, damage or unauthorized access, the IT user must constantly learn and reevaluate. A Cybersecurity attack is NOT a question of IF but WHEN.

HISTORY AND BACKGROUND OF UPDATED/NEW 2020 CTPAT SECURITY PROFILE

Effective January 1, 2020, U.S. Customs and Border Protection (CBP) implemented an updated version of the CTPAT Minimum Security Criteria (MSC) for CTPAT members and their supply chain business partners. The new MSC applies to all 12 Industry categories. It is the first major revision since 2003. In addition; they added one additional Eligibility Requirement which is as follows:

NEW ELIGIBILTY REQUIREMENT

A CTPAT member or applicant must maintain no evidence of financial debt to CBP for which the responsible party has exhausted all administrative and judicial remedies for relief, a final judgment or administrative disposition has been rendered, and the final bill or debt remains unpaid at the time of the initial application or annual renewal. Evidence of financial debt can result in membership application being declined, or if you are already a member, being suspended from the CTPAT program.

All Industries will be expected to upgrade their security to meet the new requirements. Please see dates of implementation.

The changes include three new criteria categories (Security Vision and Responsibility, Cybersecurity and Agricultural Security) plus an enhanced version of all of the other sections. Below is an overview of the three sections:

1) Corporate Security-A) Security vision and responsibility (NEW) B) Risk Assessment, C) Business partner requirements D) Cybersecurity (NEW)

2) Transportation Security-A) Conveyance and IIT security B) Seal Security C) Procedural Security E) Agricultural Security (NEW)

3) People and physical security—A) Physical access B) Physical Security C) Personnel security D) Security training, threat awareness (NEW).

The new MSC is not only going to hold the CTPAT member accountable but now the spotlight is going to focus on the first and second tier business partners.

For many CTPAT members and their service providers, this is a lot to digest all at once. For some, this is going to represent a major change in the way they are doing business. For those CTPAT members who are only a member because it is required by their customer, the new MSC will be overwhelming. In addition, there is no discretion in latitude that CBP previously provided the CTPAT member in their ability to demonstrate their adherence to MSC, (both domestic and especially foreign.

We will develop the proper procedures, questionnaires, and checklists as well as security training in order to bridge the gap between what you physically have in place and what is required. For over 19 years, we have successfully assisted applicants to join the CTPAT program and have traveled around the world to prepare and be present for foreign validations. The latter is of significant importance during a revalidation when there is no domestic validation and your ability to maintain your CTPAT status rests solely with your foreign supplier and their business partners being able to demonstrate that they are meeting the MSC.

CTPAT Resources (all items are "clickable" to download):

  1. Dates of Implementation CTPAT: https://www.normanjaspanassociates.com/wp-content/uploads/2020/06/The-updated-CTPAT-Security-Profile-is-now-available.docx
  2. CTPAT minimum criteria by category: https://www.cbp.gov/border-security/ports-entry/cargo-security/c-tpat-customs-trade-partnership-against-terrorism/apply/security-criteria 
  3. ISO Seals: http://www.cbp.gov/sites/default/files/documents/Bulletin%20-%20April%202014%20-%20ISO%2017712%20High%20Security%20Seals.pdf 
  4. Report Suspicious Activity: https://www.cbp.gov/sites/default/files/assets/documents/2016-Mar/ctpat-report-suspicious-activity.pdf
  5. Container Seal Inspection-https://www.normanjaspanassociates.com/wp-content/uploads/2019/07/ContainerTrailerandSealInspectionProcedures.pdf
  6. CTPATs-TBML-(Trade Based Money Laundering)-Warning Indicators
  7. HSI TBML -(Trade Based Money Laundering) CTPAT 2019 Conference
  8. HSI PGA Forced Labor CTPAT
  9. PEST CONTAMINATION SOUTHERN BORDER
  10. Internal Conspiracy -ENG and Internal Conspiracy
  11. 2018 CTPAT Internal Conspiracy
  12. Non-Compliance Wood Packing Material
  13. Different types of Acceptable WPM Markings
  14. PEST CONTAMINATION NORTHERN BORDER
  15. PEST CONTAMINATION RAIL
  16. How to Protect your Network from Ransomware
  17. Seal Procedures for CTPAT member and their Supply Chain Partners
  18. CTPAT's Glossary of Terms

ContainerTrailerandSealInspectionProcedures