Updated C-TPAT requirements for 2020

Minimum Security Criteria – Foreign Manufacturers

(updated to the latest version - May 7, 2020)

First focus area: Enterprise security

1. Security vision and responsibility

To promote a culture of security, CTPAT Members should demonstrate their commitment to supply chain security and the CTPAT Program through a statement of support. The statement must be signed by a senior company official and displayed in appropriate locations at the company.

To build a strong Supply Chain Security Program, a company must bring together representatives from all relevant departments into a cross-functional team.

These new security measures need to be incorporated into the company's existing processes, creating a more sustainable structure and emphasizing that supply chain security is everyone's responsibility.

The supply chain security program must be designed, supported and implemented by an appropriately documented and reviewed component. The purpose of this assessment component is to document that a system is in place and personnel will carry out their responsibilities and that all security processes outlined by the security program are being implemented as necessary. next. The audit plan should be updated as needed based on appropriate changes in the organization's operations and level of risk.

Company contacts (POCs) with CTPAT must be knowledgeable about CTPAT program requirements. These individuals should provide regular updates to upper management on program-related matters, including the progress or results of any security-related audits, drills, and certifications. CTPAT.

2. Risk assessment

CTPAT members must conduct and document the number of risks in their supply chain. CTPAT members must conduct an overall risk assessment (RA) to determine where security vulnerabilities may exist.

The RA must identify threats, assess risks, and incorporate sustainable measures to mitigate vulnerabilities.

The member must apply the CTPAT requirements to the member's specific role in the supply chain.

The international risk assessment shall document or map the movement of a Member's goods across the entire supply chain from the point of origin to the importer's distribution centre. The mapping must include all business partners directly and indirectly involved in the export/transportation of goods.

Where applicable, mapping should include recording how cargo moves in and out of shipping facilities/cargo hubs and noting if cargo must be stored at one of the locations. this point for a long time no. Cargo will have more security holes in storage, waiting to move on to the next leg of the journey.

The risk assessment must be reviewed annually, or more often according to the risk factors

CTPAT members must have written procedures to address crisis management, business continuity, security recovery plans, and business resumption.

3. Business partners

CTPAT members are required to have a written risk-based process for screening new business partners and monitoring existing partners. One element that Members must include in this process is examining activity related to money laundering and terrorist financing. To assist with this process, please refer to the CTPAT Alert Indicators for Transaction-Based Anti-Money Laundering and Counter-Terrorism.

The business partner screening process must take into account whether the partner is a CTPAT Member or a member of an approved Authorized Economic Operator (AEO) program with a Mutual Recognition Agreement. (MRA) with the United States (or an approved MRA). Certification in an approved CTPAT or AEO is acceptable evidence for meeting program requirements for business partners and Members must obtain proof of certification and continue to follow these business partners to ensure they maintain certification.

When a CTPAT Member outsources or contracts elements of its supply chain, the Member must undertake due diligence (through visits, questionnaires, etc.) to secure these business partners have security measures that meet or exceed the CTPAT (Minimum Security Criteria - MSC) Minimum Security Criteria.

If weaknesses are identified during a business partner's security assessment, they should be addressed as soon as possible and remedial action should be taken in a timely manner. The member must confirm that the deficiencies have been mitigated through documented evidence.

To ensure their business partners continue to comply with CTPAT's security criteria, Members are required to update their security assessments of their business partners on a regular basis or on a regular basis. circumstances/risks.

For shipments to the United States, if a Member contracts for transportation services with another highway carrier, the Member must use a CTPAT certified highway carrier or a highways work directly for Members as outlined in a written contract. The contract must provide for compliance with all minimum security requirements (MSCs).

CTPAT members are required to adopt a social compliance program that is documented, at a minimum, addressing how the company ensures goods imported into the United States are not exploited, manufactured, or manufactured. , in whole or in part, with prohibited forms of labor, i.e. forced, imprisoned, bonded, or forced child labor.

4. Cybersecurity

CTPAT members must have written comprehensive cybersecurity policies and/or procedures to protect information technology (IT) systems. The written IT policy should, at a minimum, cover all individual Cybersecurity criteria.

To protect Information Technology (IT) systems against common cybersecurity threats, a company must install sufficient software/hardware to protect against malicious software (viruses, spyware, sabotage, Trojans, etc.) and internal/external intrusion (firewall) in the Member's computer system. Members must ensure that their security software is current and receives regular security updates. Members must have policies and procedures in place to prevent attacks through social engineering. If a data vulnerability occurs or other unseen event results in data and/or device loss, procedures must include restoring (or replacing) IT systems and/or data.

CTPAT members using the network must regularly check the security of their IT infrastructure. If vulnerabilities are found, corrective actions must be taken as soon as possible.

Cybersecurity policies should address how a Member shares information about cybersecurity threats with governments and other business partners.

A system must be in place to identify unauthorized access to IT systems/data or abuse of policies and procedures including unauthorized access to internal systems or external websites and counterfeiting. tampering with or altering business data by employees or contractors.

All violators are subject to appropriate disciplinary action.

Cybersecurity policies and procedures should be reviewed annually, or more frequently, based on risk or context. After review, policies and procedures should be updated as necessary.

User access must be restricted based on the job description or the assigned task. Authorized access must be reviewed regularly to ensure access to sensitive systems based on business requirements.

Computer and network access must be removed when transferring employees.

Individuals with access to Information Technology (IT) systems must use separately designated accounts.

Access to IT systems must be protected from intrusion through the use of strong passwords, passphrases or other forms of authentication, and user access to IT systems must be protected.

Passwords and/or passphrases must be changed as soon as possible if evidence of compromise or reasonable suspicion of compromise exists.

Members who allow their users to connect remotely to the network must use security technologies, such as virtual private networks (VPNs), to allow employees to securely access the company's intranet only when they are outside the office. Members must also have procedures in place to prevent remote access from unauthorized users.

If a Member allows employees to use personal devices to perform company work, all such devices must comply with the company's cybersecurity policies and procedures to include updates. Routine security and secure methods of accessing the corporate network.

Cybersecurity policies and procedures should include measures to prevent the use of counterfeit or improperly licensed technology products.

Data must be backed up once a week or as appropriate. All sensitive and confidential data must be stored in an encrypted format.

All other IT media, hardware or equipment containing sensitive information related to the export/import process must be authorized for access by the user. When disposed of, they must be properly sanitized and/or disposed of in accordance with the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitation or other appropriate industry guidelines.

Second focus area: Transport security

5. Transport security and international traffic security tools

International Transport Instruments and Instruments (IITs) must be stored in a secure area to prevent unauthorized access, which may result in structural changes to the International Instrument of Transport or (if possible) allow seals/doors to be compromised.

Inspections under the CTPAT should include written procedures for both security and agricultural inspections.

CTPAT members are to ensure that the following systematic agricultural and security inspections under CTPAT are conducted. The requirements for these inspections will vary depending on whether the supply chain originates on land (Canada or Mexico) or if the supply chain originates overseas (by sea or by air). . Prior to loading/packing, all empty Instruments of International Traffic (IITs) must be inspected and vehicles must also be inspected as they cross the land border into the United States.

Inspection requirements for CTPAT shipments via sea, air and land border (if applicable) by rail or intermodal freight: 7-point inspection is required on all containers empty and bill of lading equipment (ULD); and 8-point checks must be conducted on all refrigerated containers and ULDs:

1. Front bulkhead; 2. Left side; 3. Right side; 4. Flooring; 5. Ceiling / Roof; 6. Internal / external doors, including the reliability of the locking mechanisms of the door; 7. Outside/undercarriage; and 8. Fan covers in refrigerated containers.

Additional inspection requirements for the passage of land border crossings through expressway carriers: Transport and IIT checks must be conducted at vehicle storage yards / IITs.

If practicable, checks should be carried out upon entering and exiting the yard and at the loading point.

These systematic checks should include 17 point checks:

Tractor head: 1. Bumper / tire / rim; 2. Door, tool compartment and locking mechanism; 3. Battery box; 4. Ventilators; 5. Fuel tank; 6. Interior compartment / bedroom; and 7. Faring/roof.

Trailers: 1. Fifth wheel area - check the natural skids / compartments; 2. Outside - front/side view; 3. Front - bumper / door; 4. Front side; 5. Left flank; 6. Right flank; 7. Floors; 8. Ceiling/roof; 9. Inner/external door and locking mechanism; and 10.Outside / undercarriage

Vehicles and instruments of international traffic (where appropriate) should be equipped with external hardware that can reasonably withstand attempts to remove it. Doors, handles, bars, bolts, studs, brackets and all other parts of the container locking mechanism must be fully inspected for tampering and any hardware inconsistencies prior to mounting the device. sealed.

The check of all empty international transport and instruments should be documented in the checklist. The following elements must be recorded in the checklist:

• Container Number / Trailer / International Traffic Number Tool;

• Test day;

• Testing time;

• The name of the employee conducting the inspection; and

• Specific areas of the International Traffic Instrument were examined.

If the inspection is supervised, the supervisor should also sign the checklist.

The International Container/Transport Inspection Record should be part of the shipping documentation. The consignee must receive a complete set of shipping documents prior to receiving the goods.

All security checks should be performed in a controlled access area and, where applicable, monitored through a CCTV system.

If pest contamination is visible during international vehicle/engineering inspection, rinsing/aspiration must be carried out to remove the contamination. Documentation must be retained for one year to demonstrate compliance with these testing requirements.

Based on the risk, management should conduct random checks of the means of transport after the transporter has carried out using the means of transport / International Traffic Check Tool.

Transport checks should be performed periodically, with a higher frequency based on risk. Tests should be conducted randomly without warning, so they won't be predictable. Inspections should be conducted at various locations where shipping is vulnerable: the shipping yard, after the truck has been loaded, and en route to the US border.

CTPAT members should work with their transportation providers to track shipments from origin to final destination. Specific requirements for tracking, reporting and sharing data should be included in the terms of service agreements with service providers.

Shippers should have access to their carrier's GPS fleet monitoring system, so that they can monitor the status of their shipment.

For shipments that cross land borders that are near the US border, a “no stop” policy should be in place.

6. Security Seal

CTPAT members are to have detailed and documented procedures for high security sealing that describe how seals are released and controlled at the facility and during transit. Procedures should provide steps to take if a seal is changed, tampered with, or has an incorrect seal number, including documentation of the event, communication protocols for partners, and investigation of the case. job. Findings from the investigation should be recorded and any corrective action taken as quickly as possible.

These written procedures must be maintained at the operational level at the facility so that they are easily accessible. Procedures must be reviewed at least once a year and updated as needed.

Written seal control must include the following elements:

Control access to seals:

• Seal management is restricted to authorized personnel.

• Safe storage.

Storage, distribution and tracking (Sealed Logs):

• Record receipt of new seals.

• Release the seal recorded in the diary.

• Track seals through logs.

• Only authorized, trained personnel can seal the International Instrument of Transport (IIT).

Seal control in transit:

• When removing IIT's seals (or after stopping), verify that the seals are intact and there must be no signs of tampering.

• Confirm the seal number matches what is noted on the shipping document.

Seals broken in transit:

• If the cargo (load) is inspected, record the replacement seal number.

• Drivers must send notice as soon as the seal is broken, showing who broke the seal and providing a new seal number.

• The carrier must immediately notify the shipper, broker and importer of the change of the seal and the number of replacement seals.

• Shipper must note the replacement seal number in the seal log.

Wrong lead seal:

• Retain altered or tampered seals to aid in the investigation.

• Investigate discrepancies; Follow up with remedies (if warranted).

• When applicable, report compromised seals to CBP and the appropriate foreign government to assist in the investigation.

All CTPAT shipments that can be sealed must be sealed immediately after loading / containerization / packing by the responsible party (i.e. the shipper or the packer acting on the shipper's behalf). ) has a high-security seal that meets or exceeds the requirements of the ISO 17712 standard for high-security seals. Qualified cable seals and bolt seals are both acceptable. All seals used must be securely and properly attached to the Instrument of International Traffic transporting CTPAT Member cargo to/from the United States.

CTPAT (stock seal maintenance) members must be able to demonstrate that the high security seals they use meet or exceed the most current (new) ISO 17712 standard.

If a Member maintains an inventory of seals, the company manager or security supervisor is to conduct a seal assessment which includes periodic inventory of stored seals and reconciliation with a sealed inventory log. lead and shipping documents. All audits must be recorded.

As part of the overall seal assessment process, the shipping supervisor and/or warehouse manager must periodically verify the quantity of seal used on shipping and International Transport Instruments.

The CTPAT seal verification process must be followed to ensure all high security seals (bolts/cables) are properly attached to the International Shipping Tool and that they are working as designed. This process is called VVTT process: V (View) - See the mechanism of sealing and locking the container; make sure they are ok; V (Verify) - Verify seal numbers against shipping documents for accuracy; T (Tug) - Pull on the lead seal to make sure it is glued properly; T (Twist) - Twist and rotate the bolt of the seal to ensure that parts of it do not come apart, come apart, or any part of the seal comes loose.

7. Security procedures

When goods are stored overnight, or for an extended period, measures must be taken to secure the goods from unauthorized access.

Cargo handling areas, and immediately surrounding areas, should be inspected regularly to ensure they remain free of visible pest contamination.

Loading of goods into containers/IITs should be supervised by security staff/managers or other designated personnel.

As documented proof of correct sealing, digital images should be taken at the loading point. To the extent practicable, these images should be electronically forwarded to the destination for verification purposes.

Procedures must be in place to ensure that all information used in clearing goods is legible; complete; exactly; protection against exchange, loss or introduction of false information; and reported on time

If paper documents are used, forms and other import/export related documents must be secured to prevent unauthorized use.

The shipper or his agent must ensure that bills of lading (BOLs) and/or Manifests accurately reflect the information provided to the carrier and the carrier must perform due diligence to ensure the documents This is correct. BOLs and declarations must be filed with U.S. Customs and Border Protection (CBP) in a timely manner.

BOL information filed with CBP must show the first foreign location/facility where the carrier owns the goods for shipment to the United States. Weight and quantity must be correct.

CTPAT members are to have written procedures for reporting incidents, including a description of the establishment's internal hierarchical process.

A notification protocol must be in place to report any suspicious activity or security incidents (such as drug arrests, theft detection, etc.) affect the security of the member's supply chain. Where possible, a Member shall report any global incidents to its Supply Chain Security Specialist, the nearest port of entry, any appropriate law enforcement authorities, and business partners. may be part of the supply chain affected. Notice to CBP must be made as soon as possible and before any vehicle or IIT crosses the border.

Notification procedures must include accurate contact information listing the name and phone number of the employee to be notified, as well as to law enforcement agencies. Procedures must be reviewed periodically to ensure that communication is correct.

Procedures must be in place to identify, address challenges and unauthorized/unknown persons. Staff should know the procedure for handling an unknown/unauthorized person challenge, how to respond to the situation, and be familiar with the process of removing an unauthorized individual from the premises.

CTPAT members should establish a mechanism to report security-related issues anonymously. Once an allegation is received, it should be investigated and, if possible, taken corrective action.

All shortages, overloads, and other significant discrepancies or anomalies should be investigated and resolved, as appropriate.

Incoming goods should be reconciled with the information on the cargo manifest. Departures should be verified against orders or deliveries.

Seal numbers assigned to specific shipments should be communicated to the consignee prior to departure.

The seal number must be printed electronically on the bill of lading or other shipping document.

Members must initiate their own internal investigation of any security-related incidents (terrorism, drugs, theft, fugitives, etc.) The company's investigation must not obstruct/interfere with any investigation conducted by a government law enforcement agency. The internal company investigation should be documented, completed as soon as possible, and made available to CBP/CTPAT and any other law enforcement agencies, as appropriate, upon request.

8. Agricultural security

CTPAT Members must, according to their business model, have written procedures in place designed to prevent visible pest contamination to include compliance with Wood Packing Materials regulations (WPM). Visible pest control measures must be followed throughout the supply chain. Measures related to WPM must meet the International Standard (IPPC) of the International Plant Protection Convention for Phytosanitary Measures No. 15 (ISPM 15).

9. Physical security

All cargo handling and storage facilities, including trailer yards and offices, must have physical fencing and/or containment measures that prevent unauthorized access.

Perimeter fencing should enclose areas around cargo handling and storage facilities. If a cargo handling facility, internal fencing should be used to secure the cargo and cargo handling area.

Based on risk, additional internal fencing should separate different types of goods such as domestic, international, high value and/or hazardous materials. Fences should be regularly inspected for integrity and damage by designated personnel. If damage is found in the fence, repairs should be done as soon as possible.

The gate where vehicles and/or personnel enter or exit (as well as other exit points) must be managed or monitored. Individuals and vehicles may be subject to local and employment law checks.

Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage, and transportation areas.

Adequate lighting should be provided inside and outside the facility including, as appropriate, the following areas: entrances and exits, cargo storage and handling areas, fencing and parking areas .

Automatic timers or light sensors that automatically turn on appropriate security lights are useful additions to lighting fixtures.

Security technology should be used to monitor facilities and prevent unauthorized access to sensitive areas.

Members who rely on security technology to perform physical security must have written policies and procedures governing the use, maintenance, and protection of this technology.

At a minimum, these policies and procedures should provide:

• Access to locations where technology is controlled or managed is limited to authorized personnel;

• Procedures must be in place to test/check the technology on a regular basis;

• Testing includes verifying that all equipment is in good working order and, where applicable, is in place;

• Operational test and inspection results are recorded;

• If corrective actions are needed, they should be taken as soon as possible and the corrective action documented;

• The recorded results of these tests must be maintained for a period sufficient for evaluation purposes.

If a third-party (off-site) central monitoring station is used, the CTPAT Member must have written procedures specifying critical system functionality and authentication protocols such as (but not limited to) ) change security codes, add or remove authorized staff, modify passwords, and system access or deny.

$( ".custom_form .btn_submit" ).click(function() { var name=$("#CustomForm_name").val(); var mail=$("#CustomForm_email").val(); var phone=$("#CustomForm_mobile").val(); var code=$("#CustomForm_code").val(); var re = /[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{2,4}/igm; var re_phone = /^[\+]?[(]?[0-9]{3}[)]?[-\s\.]?[0-9]{3}[-\s\.]?[0-9]{4,6}$/im; if(name == ''){ alert('Vui lòng điền đầy đủ thông tin, chúng tôi sẽ gửi tài liệu qua email của bạn!'); $("#CustomForm_name").focus(); } else { if(phone == ''){ alert('Vui lòng điền đầy đủ thông tin, chúng tôi sẽ gửi tài liệu qua email của bạn!'); $("#CustomForm_mobile").focus(); } else { if ( !re_phone.test(phone)){ $("#CustomForm_mobile").val(''); $("#CustomForm_mobile").focus(); alert('Định dạng số điện thoại không đúng! Vui lòng nhập lại số điện thoại!'); } else { if(mail == ''){ alert('Vui lòng điền đầy đủ thông tin, chúng tôi sẽ gửi tài liệu qua email của bạn!'); $("#CustomForm_email").focus(); } else { if ( !re.test(mail)) { $("#CustomForm_email").val(''); $("#CustomForm_email").focus(); alert('Định dạng email không đúng! Đề nghị nhập lại email!'); } else { $.ajax({ type: "POST", url: "/site/savemail", dataType: 'json', data:{name:name, phone:phone, mail:mail, code:code}, cache: false, success: function(data) { alert('Bạn đã đăng ký thành công - Xin hãy kiểm tra Email - Chúng tôi đã gửi tài liệu qua Email của bạn.'); $("#CustomForm_name").val(''); $("#CustomForm_mobile").val(''); $("#CustomForm_email").val(''); } }); } } } } } });