Customs is increasing the requirements for C-TPAT participation. C-TPAT participants must now conduct a "comprehensive assessment" of their international supply chains and must "ensure that pertinent security measures are in place and adhered to throughout their supply chain." Customs now expects C-TPAT participants to do a risk assessment of their business partners, and periodically review the processes and facilities based on that risk assessment.
The new requirements are effective immediately for new importer applications. Customs has announced that the new requirements will be phased in for current members of the C-TPAT Program.
Phase 1 must be completed within 60 days of March 25, 2005 and includes:
Procedures must be in place to verify the physical integrity of the container prior to stuffing. A high security seal must be affixed to all loaded containers. The seal must meet or exceed PAS ISO 17712 standards.
Written procedures must stipulate how seals are to be controlled.
Containers must be stored in a secured area.
Foreign and domestic facilities must have physical barriers including fencing, guard houses, and adequate lighting.
Private passenger vehicles should be prohibited from cargo handling and storage areas.
Buildings must be secured with adequate locking devices and controls on the issuance of keys
Alarm systems and video surveillance should be used.
Physical Access Controls
Positive identification of employees, visitors and vendors.
Challenging and removing unauthorized persons).
Phase 2 of the implementation of the new requirements for current C-TPAT members must be implemented by 120 days from March 25th. This phase includes:
Documented Pre-employment verification
Pre-employment background checks and periodic reinvestigations.
Personnel Termination Procedures.
Documentation controls to assure that information is legible, complete and accurate.
Manifest Controls to assure that the information provided to business partners is reported accurately and timely.
Shipping and receiving controls to assure that the cargo is reconciled against the manifest.
Cargo discrepancies must be investigated and resolved. Law enforcement must be notified if appropriate.
Information Technology Security
A periodic change of passwords and written IT security policies, procedures and standards.
A system must also be in place to identify improper access, tampering or the altering of business data, with appropriate disciplinary actions for violators.
Training and Threat Awareness
The third phase must be completed within 180 days of March 25th. This phase focuses on the implementation of business partner requirements, including:
Written and verifiable procedures for the selection of business partners. These must include verification of C-TPAT certification or proof that the business meets C-TPAT security criteria. Non-C-TPAT business partners must be subject to verification of compliance, and these qualifications must be periodically reviewed.