CTPAT 3PLs MSC March 2020

Minimum Security Criteria – Third Party Logistics Providers (3PLs)
March 2020
Note: Criteria ID numbers may not be sequential. ID numbers not listed are not applicable to 3PLs.
First Focus Area: Corporate Security

July 2019
1. Security Vision & Responsibility – For a CTPAT Member’s supply chain security program to become and remain
effective, it must have the support of a company’s upper management. Instilling security as an integral part of a
company’s culture and ensuring that it is a companywide priority is in large part the responsibility of the company’s leadership.
Must /
ID Criteria Implementation Guidance
Should
1.1 In promoting a culture of security, CTPAT Members should Statement of support should highlight the importance of protecting the Should
demonstrate their commitment to supply chain security and supply chain from criminal activities such as drug trafficking, terrorism,
the CTPAT Program through a statement of support. The human smuggling, and illegal contraband. Senior company officials who
statement should be signed by a senior company official and should support and sign the statement may include the president, CEO,
displayed in appropriate company locations. general manager, or security director. Areas to display the statement of
support include the company's website, on posters in key areas of the
company (reception; packaging; warehouse; etc.), and/or be part of
company security seminars, etc.
1.2 To build a robust Supply Chain Security Program, a company Supply Chain Security has a much broader scope than traditional security Should
should incorporate representatives from all of the relevant programs. It is intertwined with Security, in many departments such as
departments into a cross-functional team. Human Resources, Information Technology, and Import/Export offices.
Supply Chain Security programs built on a more traditional, security
These new security measures should be included in existing department-based model may be less viable over the long run because
company procedures, which creates a more sustainable the responsibility to carry out the security measures are concentrated
structure and emphasizes that supply chain security is among fewer employees, and, as a result, may be susceptible to the loss
everyone's responsibility. of key personnel.
CTPAT Minimum Security Criteria – 3PLs| March 2020
Page 1
Must /
Should
1.3 The supply chain security program must be designed with, The goal of a review for CTPAT purposes is to ensure that its employees Must
supported by, and implemented by an appropriate written are following the company’s security procedures. The review process
review component. The purpose of this review component is does not have to be complex. The Member decides the scope of reviews
to document that a system is in place whereby personnel are and how in-depth they will be - based on its role in the supply chain,
held accountable for their responsibilities and all security business model, level of risk, and variations between specific
procedures outlined by the security program are being locations/sites.
carried out as designed. The review plan must be updated as
needed based on pertinent changes in an organization’s Smaller companies may create a very simple review methodology;
operations and level of risk. whereas, a large multi-national conglomerate may need a more extensive
process, and may need to consider various factors such as local legal
requirements, etc. Some large companies may already have a staff of
auditors that could be leveraged to help with security reviews.
A Member may choose to use smaller targeted reviews directed at

specific procedures. Specialized areas that are key to supply chain
security such as inspections and seal controls may undergo reviews
specific to those areas. However, it is useful to conduct an overall
general review periodically to ensure that all areas of the security
program are working as designed. If a member is already conducting
reviews as part of its annual review, that process could suffice to meet
this criterion.
For members with high-risk supply chains (determined by their risk

assessment), simulation or tabletop exercises may be included in the
review program to ensure personnel will know how to react in the event
of a real security incident.
1.4 The Company’s Point(s) of Contact (POC) to CTPAT must be CTPAT expects the designated POC to be a proactive individual who Must
knowledgeable about CTPAT program requirements. These engages and is responsive to his or her Supply Chain Security Specialist.
individuals need to provide regular updates to upper Members may identify additional individuals who may help support this
management on issues related to the program, including the function by listing them as contacts in the CTPAT Portal.
progress or outcomes of any audits, security related
exercises, and CTPAT validations.
Page 2
2. Risk Assessment – The continuing threat of terrorist groups and criminal organizations targeting supply chains underscores the need
for Members to assess existing and potential exposure to these evolving threats. CTPAT recognizes that when a company has multiple
supply chains with numerous business partners, it faces greater complexity in securing those supply chains. When a company has
numerous supply chains, it should focus on geographical areas/supply chains that have higher risk.
When determining risk within their supply chains, Members must consider various factors such as the business model, geographic
location of suppliers, and other aspects that may be unique to a specific supply chain.
Key Definition: Risk – A measure of potential harm from an undesirable event that encompasses threat, vulnerability, and
consequence. What determines the level of risk is how likely it is that a threat will happen. A high probability of an occurrence will
usually equate to a high level of risk. Risk may not be eliminated, but it can be mitigated by managing it – lowering the vulnerability or
the overall impact on the business.
Must /
Should
2.1 CTPAT Members must conduct The overall risk assessment (RA) is made up of two key parts. The first part is a self-assessment of Must
and document the amount of the Member’s supply chain security practices, procedures, and policies within the facilities that it
risk in their supply chains. controls to verify its adherence to CTPAT’s minimum-security criteria, and an overall management
CTPAT Members must conduct review of how it is managing risk.
an overall risk assessment (RA)
to identify where security The second part of the RA is the international risk assessment. This portion of the RA includes the
vulnerabilities may exist. The identification of geographical threat(s) based on the Member's business model and role in the supply
RA must identify threats, chain. When looking at the possible impact of each threat on the security of the member’s supply
assess risks, and incorporate chain, the member needs a method to assess or differentiate between levels of risk. A simple
sustainable measures to method is assigning the level of risk between low, medium, and high.
mitigate vulnerabilities. The
member must take into CTPAT developed the Five Step Risk Assessment guide as an aid to conducting the international risk
account CTPAT requirements assessment portion of a member’s overall risk assessment, and it can be found on U.S. Customs and
specific to the member’s role in Border Protection’s website at https://www.cbp.gov/sites/default/files/documents/C-
the supply chain. TPAT%27s%20Five%20Step%20Risk%20Assessment%20Process.pdf.
For Members with extensive supply chains, the primary focus is expected to be on areas of higher
risk.

Page 3
Must /
Should
2.3 Risk assessments must be Circumstances that may require a risk assessment to be reviewed more frequently than once a year Must
reviewed annually, or more include an increased threat level from a specific country, periods of heightened alert, following a
frequently as risk factors security breach or incident, changes in business partners, and/or changes in corporate
dictate. structure/ownership such as mergers and acquisitions etc.
2.4 CTPAT Members should have A crisis may include the disruption of the movement of trade data due to a cyberattack, a fire, or a Should
written procedures in place carrier driver being hijacked by armed individuals. Based on risk and where the Member operates or
that address crisis sources from, contingency plans may include additional security notifications or support; and how to
management, business recover what was destroyed or stolen to return to normal operating conditions.
continuity, security recovery
plans, and business
resumption.
3. Business Partners – CTPAT Members engage with a variety of business partners, both domestically and internationally. For those
business partners who directly handle cargo and/or import/export documentation, it is crucial for the Member to ensure that these
business partners have appropriate security measures in place to secure the goods throughout the international supply chain. When
business partners subcontract certain functions, an additional layer of complexity is added to the equation, which must be
considered when conducting a risk analysis of a supply chain.
Key Definition: Business Partner – A business partner is any individual or company whose actions may affect the chain of custody
security of goods being imported to or exported from the United States via a CTPAT Member’s supply chain. A business partner may
be any party that provides a service to fulfill a need within a company’s international supply chain. These roles include all parties
(both directly and indirectly) involved in the purchase, document preparation, facilitation, handling, storage, and/or movement of
cargo for, or on behalf, of a CTPAT Importer or Exporter Member. Two examples of indirect partners are subcontracted carriers and
overseas consolidation warehouses – arranged for by an agent/logistics provider.

Page 4
Must /
Should
3.1 CTPAT Members must have a written, risk The following are examples of some of the vetting elements that can help determine if a Must
based process for screening new business company is legitimate:
partners and for monitoring current
partners. A factor that Members should • Verifying the company’s business address and how long they have been at that
include in this process is checks on activity address;
related to money laundering and terrorist • Conducting research on the internet on both the company and its principals;
funding. To assist with this process, please • Checking business references; and
consult CTPAT’s Warning Indicators for • Requesting a credit report.
Trade-Based Money Laundering and
Terrorism Financing Activities. Examples of business partners that need to be screened are direct business partners
such as manufacturers, product suppliers, pertinent vendors/service providers, and
transportation/logistics providers. Any vendors/service providers that are directly
related to the company’s supply chain and/or handle sensitive information/equipment
are also included on the list to be screened; this includes brokers or contracted IT
providers. How in-depth to make the screening depends on the level of risk in the
supply chain.
3.3 Written screening processes must include Some of the warning signs could be willing to pay above the standard rate, in cash; Must
indicators to identify shipments or having little knowledge of the commodity to be shipped; being evasive; minimal contact
customers that might not be legitimate. If information (cell phone, P.O. box); new business/no business history, etc.
a higher risk factor is flagged when
screening a shipment/customer, the carrier
must complete a more in depth review. If
the vetting leads to substantial doubt to
the veracity of the shipment/customer, the
carrier must notify U.S. Customs and
Border Protection of its suspicions.

Page 5
Must /
Should
3.4 The business partner screening process Business partners’ CTPAT certification may be ascertained via the CTPAT Portal’s Status Must
must take into account whether a partner Verification Interface system.
is a CTPAT Member or a member in an
approved Authorized Economic Operator If the business partner certification is from a foreign AEO program under an MRA with
(AEO) program with a Mutual Recognition the United States, the foreign AEO certification will include the security component.
Arrangement (MRA) with the United States Members may visit the foreign Customs administration’s website where the names of
(or an approved MRA). Certification in the AEOs of that Customs administration are listed, or request the certification directly
either CTPAT or an approved AEO is from their business partners.
acceptable proof for meeting program
requirements for business partners, and Current United States MRAs include: New Zealand, Canada, Jordan, Japan, South Korea,
Members must obtain evidence of the the European Union (28 member states), Taiwan, Israel, Mexico, Singapore, the
certification and continue to monitor these Dominican Republic, and Peru.
business partners to ensure they maintain
their certification.
3.5 When a CTPAT Member outsources or Importers and exporters tend to outsource a large portion of their supply chain Must
contracts elements of its supply chain, the activities. Importers (and some exporters) are the parties in these transactions that
Member must exercise due diligence (via usually have leverage over their business partners and can require that security
visits, questionnaires, etc.) to ensure these measures are implemented throughout their supply chains, as warranted. For those
business partners have security measures business partners that are not CTPAT or accepted MRA members, the CTPAT Member
in place that meet or exceed CTPAT’s will exercise due diligence to ensure (when it has the leverage to do so) that these
Minimum Security Criteria (MSC). business partners meet the program’s applicable security criteria.
To verify adherence to security requirements, importers conduct security assessments of

their business partners. The process to determine how much information is to be
gathered regarding a business partner’s security program is based on the member’s risk
assessment, and if there are numerous supply chains, high-risk areas are the priority.
Determining if a business partner is compliant with the MSC can be accomplished in

several ways. Based on risk, the company may conduct an onsite audit at the facility,
hire a contractor/service provider to conduct an onsite audit, or use a security
questionnaire. If security questionnaires are used, the level of risk will determine the
amount of detail or evidence required to be collected. More details may be required
from companies located in high-risk areas. If a Member is sending a security
questionnaire to its business partners, consider requiring the following items:

Page 6
Must /
Should
•Name and title of the person(s) completing it;

•Date completed;
•Signature of the individual(s) who completed the document;
•*Signature of a senior company official, security supervisor, or authorized company
representative to attest to the accuracy of the questionnaire;
•Provide enough detail in responses to determine compliance; and
•Based on risk, and if allowed by local security protocols, include photographic evidence,
copies of policies/procedures, and copies of completed forms like Instruments of
international traffic inspection checklists and/or guard logs.
*Signatures may be electronic. If a signature is difficult to obtain/verify, the respondent

may attest to the questionnaire’s validity via email, and that the responses and any
supporting evidence was approved by a supervisor/manager (name and title are
required).
3.7 To ensure their business partners continue Periodically reviewing business partners’ security assessments is important to ensure Should
to comply with CTPAT’s security criteria, that a strong security program is still in place and operating properly. If a member never
Members should update their security required updates to its assessment of a business partner’s security program, the
assessments of their business partners on a Member would not know that a once viable program was no longer effective, thus
regular basis, or as circumstances/risks putting the member’s supply chain at risk.
dictate.
Deciding on how often to review a partner’s security assessment is based on the
Member’s risk assessment process. Higher risk supply chains would be expected to have
more frequent reviews than low risk ones. If a Member is evaluating its business
partner’s security by in person visits, it may want to consider leveraging other types of
required visits. For example, cross-train personnel that test for quality control to also
conduct security verifications.
Circumstances that may require the self-assessment to be updated more frequently

include an increased threat level from a source country, changes in source location, new
critical business partners (those that actually handle the cargo, provide security to a
facility, etc.).

Page 7
Must /
Should
3.8 For inbound shipments to the United The carrier should provide a list of subcontracted carriers and drivers to the facilities Must
States, if a Member subcontracts where it picks up and delivers cargo. Any changes to the subcontractor list should be
transportation services to another highway immediately conveyed to relevant partners.
carrier, the Member must use a CTPAT
certified highway carrier or a highway When reviewing service providers for compliance, the Member should verify that the
carrier that works directly for the Member company subcontracted is actually the company transporting the loads—and has not
as delineated through a written contract. further subcontracted loads without approval.
The contract must stipulate adherence to
all minimum security criteria (MSC) Members should limit subcontracting transportation services to one level only. If
requirements. exceptions are allowed for further subcontracting, the CTPAT Member and the shipper
should be notified that the load was further subcontracted.
4. Cybersecurity – In today’s digital world, cybersecurity is the key to safeguarding a company’s most precious assets – intellectual
property, customer information, financial and trade data, and employee records, among others. With increased connectivity to the
internet comes the risk of a breach of a company’s information systems. This threat pertains to businesses of all types and sizes.
Measures to secure a company’s information technology (IT) and data are of paramount importance, and the listed criteria provide a
foundation for an overall cybersecurity program for Members.
Key Definitions: Cybersecurity – Cybersecurity is the activity or process that focuses on protecting computers, networks, programs,
and data from unintended or unauthorized access, change or destruction. It is the process of identifying, analyzing, assessing, and
communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costs
and benefits taken.
Information Technology (IT) – IT includes computers, storage, networking and other physical devices, infrastructure and processes
to create, process, store, secure, and exchange all forms of electronic data.

Page 8
Must /
Should
4.1 CTPAT Members must have comprehensive Members are encouraged to follow cybersecurity protocols that are based on Must
written cybersecurity policies and/or procedures recognized industry frameworks/standards. The *National Institute of Standards
to protect information technology (IT) systems. and Technology (NIST) is one such organization that provides a Cybersecurity
The written IT policy, at a minimum, must cover Framework (https://www.nist.gov/cyberframework) that offers voluntary guidance
all of the individual Cybersecurity criteria. based upon existing standards, guidelines, and practices to help manage and
reduce cybersecurity risks both internally and externally. It can be used to help
identify and prioritize actions for reducing cybersecurity risk, and it is a tool for
aligning policy, business, and technological approaches to managing that risk. The
Framework complements an organization’s risk management process and
cybersecurity program. Alternatively, an organization without an existing
cybersecurity program can use the Framework as a reference to establish one.
*NIST is a non-regulatory federal agency under the Department of Commerce that

promotes and maintains measurement standards, and it is the technology
standards developer for the federal government.
4.2 To defend Information Technology (IT) systems Must
against common cybersecurity threats, a
company must install sufficient
software/hardware protection from malware
(viruses, spyware, worms, Trojans, etc.) and
internal/external intrusion (firewalls) in
Members' computer systems. Members must
ensure that their security software is current and
receives regular security updates. Members must
have policies and procedures to prevent attacks
via social engineering. If a data breach occurs or
another unseen event results in the loss of data
and/or equipment, procedures must include the
recovery (or replacement) of IT systems and/or
data.

Page 9
Must /
Should
4.3 CTPAT Members using network systems must A secure computer network is of paramount importance to a business, and Must
regularly test the security of their IT ensuring that it is protected requires testing on a regular basis. This can be done
infrastructure. If vulnerabilities are found, by scheduling vulnerability scans. Just like a security guard checks for open doors
corrective actions must be implemented as soon and windows at a business, a vulnerability scan (VS) identifies openings on your
as feasible. computers (open ports and IP addresses), their operating systems, and software
through which a hacker could gain access to the company’s IT system. The VS does
this by comparing the results of its scan against a database of known vulnerabilities
and produces a correction report for the business to act upon. There are many
free and commercial versions of vulnerability scanners available.
The frequency of the testing will depend on various factors including the
company’s business model and level of risk. For example, companies should run
these tests whenever there are changes to a business’s network infrastructure.
However, cyber-attacks are increasing among all sizes of businesses, and this needs
to be considered when designing a testing plan.
4.4 Cybersecurity policies should address how a Members are encouraged to share information on cybersecurity threats with the Should
Member shares information on cybersecurity Government and business partners within their supply chain. Information sharing
threats with the government and other business is a key part of the Department of Homeland Security's mission to create shared
partners. situational awareness of malicious cyber activity. CTPAT Members may want to
join the National Cybersecurity and Communications Integration Center (NCCIC -
https://www.us-cert.gov/nccic). The NCCIC shares information among public and
private sector partners to build awareness of vulnerabilities, incidents, and
mitigations. Cyber and industrial control systems users can subscribe to
information products, feeds, and services at no cost.
4.5 A system must be in place to identify Must
unauthorized access of IT systems/data or abuse
of policies and procedures including improper
access of internal systems or external websites
and tampering or altering of business data by
employees or contractors. All violators must be
subject to appropriate disciplinary actions.

Page 10
Must /
Should
4.6 Cybersecurity policies and procedures must be An example of a circumstance that would dictate a policy update sooner than Must
reviewed annually, or more frequently, as risk or annually is a cyber attack. Using the lessons learned from the attack would help
circumstances dictate. Following the review, strengthen a Member's cybersecurity policy.
policies and procedures must be updated if
necessary.
4.7 User access must be restricted based on job Must

description or assigned duties. Authorized access
must be reviewed on a regular basis to ensure
access to sensitive systems is based on job
requirements. Computer and network access
must be removed upon employee separation.
4.8 Individuals with access to Information To guard IT systems against infiltration, user access must be safeguarded by going Must
Technology (IT) systems must use individually through an authentication process. Complex login passwords or passphrases,
assigned accounts. biometric technologies, and electronic ID cards are three different types of
authentication processes. Processes that use more than one measure are
Access to IT systems must be protected from preferred. These are referred to as two-factor authentication (2FA) or multi-factor
infiltration via the use of strong passwords, authentication (MFA). MFA is the most secure because it requires a user to
passphrases, or other forms of authentication present two or more pieces of evidence (credentials) to authenticate the person’s
and user access to IT systems must be identity during the log-on process.
safeguarded.
MFAs can assist in closing network intrusions exploited by weak passwords or
Passwords and/or passphrases must be changed stolen credentials. MFAs can assist in closing these attack vectors by requiring
as soon as possible if there is evidence of individuals to augment passwords or passphrases (something you know) with
compromise or reasonable suspicion of a something you have, like a token, or one of your physical features - a biometric.
compromise exists.
If using passwords, they need to be complex. The National Institute of Standards
and Technology's (NIST) NIST Special Publication 800-63B: Digital Identity
Guidelines, includes password guidelines (https://pages.nist.gov/800-63-3/sp800-
63b.html). It recommends the use of long, easy to remember passphrases instead
of words with special characters. These longer passphrases (NIST recommends
allowing up to 64 characters in length) are considered much harder to crack
because they are made up of an easily memorized sentence or phrase.

Page 11
Must /
Should
4.9 Members that allow their users to remotely VPNs are not the only choice to protect remote access to a network. Multi-factor Must
connect to a network must employ secure authentication (MFA) is another method. An example of a multi-factor
technologies, such as virtual private networks authentication would be a token with a dynamic security code that the employee
(VPNs), to allow employees to access the must type in to access the network.
company’s intranet securely when located
outside of the office. Members must also have
procedures designed to prevent remote access
from unauthorized users.
4.10 If Members allow employees to use personal Personal devices include storage media like CDs, DVDs, and USB flash drives. Care Must
devices to conduct company work, all such must be taken if employees are allowed to connect their personal media to
devices must adhere to the company’s individual systems since these data storage devices may be infected with malware
cybersecurity policies and procedures to include that could propagate using the company’s network.
regular security updates and a method to
securely access the company’s network.
4.11 Cybersecurity policies and procedures should Computer software is intellectual property (IP) owned by the entity that created it. Should
include measures to prevent the use of Without the express permission of the manufacturer or publisher, it is illegal to
counterfeit or improperly licensed technological install software, no matter how it is acquired. That permission almost always takes
products. the form of a license from the publisher, which accompanies authorized copies of
software. Unlicensed software is more likely to fail as a result of an inability to
update. It is more prone to contain malware, rendering computers and their
information useless. Expect no warranties or support for unlicensed software,
leaving your company on its own to deal with failures. There are legal
consequences for unlicensed software as well, including stiff civil penalties and
criminal prosecution. Software pirates increase costs to users of legitimate,
authorized software and decrease the capital available to invest in research and
development of new software.
Members may want to have a policy that requires product key labels and
certificates of authenticity to be kept when new media is purchased. CDs, DVDs,
and USB media include holographic security features to help ensure you receive
authentic products and to protect against counterfeiting.

Page 12
Must /
Should
4.12 Data should be backed up once a week or as Data backups should take place as data loss may affect individuals within an Should
appropriate. All sensitive and confidential data organization differently. Daily backups are also recommended in case production
should be stored in an encrypted format. or shared servers are compromised/lose data. Individual systems may require less
frequent backups, depending on what type of information is involved.
Media used to store backups should preferably be stored at a facility offsite.

Devices used for backing up data should not be on the same network as the one
used for production work. Backing up data to a cloud is acceptable as an “offsite”
facility.
4.13 All media, hardware, or other IT equipment that Some types of computer media are hard drives, removable drives, CD-ROM or CD-R Must
contains sensitive information regarding the discs, DVDs, or USB drives.
import/export process must be accounted for
through regular inventories. When disposed, The National Institute of Standards and Technology (NIST) has developed the
they must be properly sanitized and/or government’s data media destruction standards. Members may want to consult
destroyed in accordance with the National NIST standards for sanitation and destruction of IT equipment and media.
Institute of Standards and Technology (NIST)
Guidelines for Media Sanitization or other Media Sanitization:
appropriate industry guidelines. https://www.nist.gov/publications/nist-special-publication-800-88-revision-1-
guidelines-media-sanitization
Second Focus Area: Transportation Security
5. Conveyance and Instruments of International Traffic Security – Smuggling schemes often involve the modification of conveyances
and Instruments of International Traffic (IIT), or the hiding of contraband inside IIT. This criteria category covers security measures
designed to prevent, detect, and/or deter the altering of IIT structures or surreptitious entry into them, which could allow the
introduction of unauthorized material or persons.
At the point of stuffing/loading, procedures need to be in place to inspect IIT and properly seal them. Cargo in transit or “at rest” is
under less control, and is therefore more vulnerable to infiltration, which is why seal controls and methods to track
cargo/conveyances in transit are key security criteria.

Page 13
Breaches in supply chains occur most often during the transportation process; therefore, Members must be vigilant that these key
cargo criteria be upheld throughout their supply chains.
Key Definition: Instruments of International Traffic (IIT) – IIT includes containers, flatbeds, unit load devices (ULDs), lift vans, cargo
vans, shipping tanks, bins, skids, pallets, caul boards, cores for textile fabrics, or other specialized containers arriving (loaded or
empty), in use or to be used in the shipment of merchandise in international trade.
Must /
Should
5.1 Conveyances and Instruments of International Traffic (IIT) must be The secure storage of conveyances and Instruments of Must
stored in a secure area to prevent unauthorized access, which could International Traffic (both empty and full) is important to guard
result in an alteration to the structure of an Instrument of against unauthorized access.
International Traffic or (as applicable) allow the seal/doors to be
compromised.
5.2 The CTPAT inspection process must have written procedures for both With the prevalence of smuggling schemes that involve the Must
security and agricultural inspections. modification of conveyances or Instruments of International
Traffic, it is imperative that Members conduct inspections of
conveyances and Instruments of International Traffic to look for
visible pests and serious structural deficiencies. Likewise, the
prevention of pest contamination via conveyances and IIT is of
paramount concern, so an agricultural component has been
added to the security inspection process.
Pest contamination is defined as visible forms of animals, insects

or other invertebrates (alive or dead, in any lifecycle stage,
including egg casings or rafts), or any organic material of animal
origin (including blood, bones, hair, flesh, secretions, excretions);
viable or non-viable plants or plant products (including fruit,
seeds, leaves, twigs, roots, bark); or other organic material,
including fungi; or soil, or water; where such products are not the
manifested cargo within instruments of international traffic (i.e.
containers, unit load devices, etc.).

Page 14
Must /
Should
5.3 CTPAT Members must ensure that the following systematic CTPAT Security and agricultural inspections are conducted on Must
security and agricultural inspections are conducted. Requirements for instruments of international traffic (IIT) and conveyances to
these inspections will vary depending upon if the supply chain is land- ensure their structures have not been modified to conceal
based (Canada or Mexico) or if the supply chain originates overseas contraband or have been contaminated with visible agricultural
(ocean and air modes). Prior to stuffing/packing, all empty pests.
Instruments of International Traffic (IIT) must be inspected, and
conveyances must also be inspected when they are crossing land Expectations for overseas supply chains are to inspect all IIT at
borders into the United States. the point of stuffing/packing. However, if an ocean/air based
supply chain is higher risk, it may warrant including more
Inspection requirements for CTPAT shipments via ocean, air, and land extensive inspection procedures to include conveyances and/or
borders (as applicable) by rail or intermodal freight: inspections at marine port terminals or air logistics
facilities. Usually, there are higher levels of risk involved in
A seven-point inspection must be conducted on all empty containers shipments with land border crossings, which is why both the
and unit load devices (ULDs); and an eight-point inspection must be conveyance and IIT undergo multiple inspections.
conducted on all empty refrigerated containers and ULDs:
Some examples of IIT for various modes are ocean containers,
1. Front wall; refrigerated containers/trailers, over-the-road trailers, flatbed
2. Left side; trailers, tank containers, rail/boxcars, hoppers, and unit load
3. Right side; devices (ULDs).
4. Floor;
5. Ceiling/Roof; The Public Library Section of the CTPAT Portal contains training
6. Inside/outside doors, including the reliability of the material on security and agricultural conveyance/Instruments of
locking mechanisms of the doors; International Traffic inspections.
7. Outside/Undercarriage; and
8. Fan housing on refrigerated containers.
Additional inspection requirements for land border crossings via

highway carriers:
Inspections of conveyances and IIT must be conducted at

conveyance/IIT storage yards.
Where feasible, inspections must be conducted upon entering and

departing the storage yards and at the point of loading/stuffing.

Page 15
Must /
Should
These systematic inspections must include 17-point inspections:
Tractors:
1. Bumper/tires/rims;
2. Doors, tool compartments and locking mechanisms;
3. Battery box;
4. Air breather;
5. Fuel tanks;
6. Interior cab compartments/sleeper; and
7. Faring/roof.
Trailers:
1. Fifth wheel area - check natural compartment/skid plate;

2. Exterior - front/sides;
3. Rear - bumper/doors;
4. Front wall;
5. Left side;
6. Right side;
7. Floor;
8. Ceiling/roof;
9. Inside/outside doors and locking mechanisms; and
10.Outside/Undercarriage.

Page 16
Must /
Should
5.4 Conveyances and Instruments of International Traffic (as appropriate) Consider using containers/trailers with tamper resistant hinges. Must
must be equipped with external hardware that can reasonably Members may also place protective plates or pins on at least two
withstand attempts to remove it. The door, handles, rods, hasps, of the hinges of the doors and/or place adhesive seal/tape over
rivets, brackets, and all other parts of a container’s locking mechanism at least one hinge on each side.
must be fully inspected to detect tampering and any hardware
inconsistencies prior to the attachment of any sealing device.
5.5 The inspection of all conveyances and empty Instruments of Should

International Traffic should be recorded on a checklist. The following
elements should be documented on the checklist:
• Container/Trailer/Instruments of International Traffic number;

• Date of inspection;
• Time of inspection;
• Name of employee conducting the inspection; and
• Specific areas of the Instruments of International Traffic that were
inspected.
If the inspections are supervised, the supervisor should also sign the
checklist.
The completed container/Instruments of International Traffic

inspection sheet should be part of the shipping documentation
packet. The consignee should receive the complete shipping
documentation packet prior to receiving the merchandise.
5.6 All security inspections should be performed in an area of controlled Should

access and, if available, monitored via a CCTV system.
5.7 If visible pest contamination is found during the Keeping records on the types of contaminants found, where they Must
conveyance/Instruments of International Traffic inspection, were found (conveyance location), and how the pest
washing/vacuuming must be carried out to remove such contamination was eliminated, are helpful actions that may assist
contamination. Documentation must be retained for one year to Members in preventing future pest contamination.
demonstrate compliance with these inspection requirements.

Page 17
Must /
Should
5.8 Based on risk, management personnel should conduct random Supervisory searches of conveyances are conducted to counter Should
searches of conveyances after the transportation staff have internal conspiracies.
conducted conveyance/Instruments of International Traffic
inspections. As a best practice, supervisors can hide an item (like a toy or
colored box) in the conveyance to determine if the field test
The searches of the conveyance should be done periodically, with a screener/conveyance operator finds it.
higher frequency based on risk. The searches should be conducted at
random without warning, so they will not become predictable. The Supervisory personnel could be a security manager, held
inspections should be conducted at various locations where the accountable to senior management for security, or other
conveyance is susceptible: the carrier yard, after the truck has been designated management personnel.
loaded, and en route to the United States border.
5.11 A tracking and monitoring activity log or equivalent technology (such Conveyances are tracked to prevent them from being diverted to Must
as GPS) must be used to track the conveyance while it is en route to tamper with the load or structure of the conveyance/Instruments
the United States. If driver logs are used, the driver must record any of International Traffic to allow contraband to be introduced in
stops and note that inspections of the conveyance, Instruments of the shipment. Based on risk, transportation providers may want
International Traffic (IIT), and the seal were conducted. to track and monitor their conveyances/Instruments of
International Traffic in real time. There are many tracking tools
available to users free of charge via their smart cell phones. For
small carriers, applications such as Life 360, Find Friends from
Google, and WhatsApp allow users to track people and
conveyances.
5.14 CTPAT Members should work with their transportation providers to Should
track conveyances from origin to final destination point. Specific
requirements for tracking, reporting, and sharing of data should be
incorporated within terms of service agreements with service
providers.
5.16 For land border shipments that are in proximity to the United States Cargo at rest is cargo at risk. Scheduled stops would not be Should
border, a “no-stop” policy should be implemented with regard to covered by this policy, but would have to be considered in an
unscheduled stops. overall tracking and monitoring procedure.

Page 18
Must /
Should
5.19 If a GPS tracking system is used, carriers should use a sensor Should
coupling/connector or equivalent technology from the tractor to the
trailer to ensure the trailer is also monitored and tracked.
5.20 Carriers should use electronic dispatch logs; the logs should be Electronic dispatch logs provide a more accessible means of Should
recorded and kept for audit purposes. conducting management oversight and enabling information to
be shared and/or compared with additional assessment data. It
is recommended that records of the logs be maintained for a
sufficient amount of time to allow for audits to be conducted and
for investigative purposes, if a breach were to occur in a supply
chain.
5.21 For cross-border shipments, pre-designated transit routes must be Waypoints are specific geographical locations defined by sets of Must
established, which include anticipated transit times between coordinates -longitude and latitude- used for navigational
waypoints. Once the time between the assigned points has been purposes, including driving or transit routes.
determined, for both peak and non-peak times, these times must be
recorded and incorporated into the tracking process. It is recommended waypoints include the length of time between
the yard to the loading point/trailer pickup, the U.S. border, and
If GPS technology is employed, geo-fencing must be implemented to the delivery destinations. If a stop is made to collect export
include alarm notification when a carrier deviates from the assigned documents or to verify seals, these can also be included as
route. The parameters for geo-fencing must be set at minimal waypoints.
allowable tolerances for the pre-established transit route.
5.22 Carriers must have systems or written procedures in place to respond Must
to significant route deviations and late arrivals to the loading
dock/area, transfer points, or the final destination. Drivers must notify
the dispatcher of any significant route delays due to weather, traffic,
and/or rerouting. Dispatch must independently verify the cause of
the delay.
5.23 After a stop, drivers must inspect the conveyance’s sealing or locking Must
devices for any signs of tampering prior to resuming the trip. These
inspections must be documented.

Page 19
Must /
Should
5.24 In areas of high risk, and immediately prior to arrival at the border Should
crossing, CTPAT Members should incorporate a "last chance"
verification process for U.S. bound shipments for checking
conveyances/Instruments of International Traffic for signs of
tampering to include visual inspections of conveyances and the VVTT
seal verification process. Properly trained individuals should conduct
the inspections.
V – View seal and container locking mechanisms; ensure they are OK;
V – Verify seal number against shipment documents for accuracy;
T – Tug on seal to make sure it is affixed properly;
T – Twist and turn the bolt seal to make sure its components do not
unscrew, separate from one another, or any part of the seal becomes
loose.
5.26 Drivers must report and record any anomalies or unusual structural These include U.S. Department of Transportation (DOT) Must
modifications found on the conveyance following a Government inspections or other regulatory agency inspections. It also
inspection. includes inspections taking place in Mexico and Canada.
5.27 Management must regularly conduct random reviews of the tracking Random reviews are required to ensure tracking logs are properly Must
and monitoring procedures. The review findings must be recorded. maintained and conveyance tracking and monitoring procedures
The review must cover verification of the tracking log against time- are being followed. Time-indicative documents include fuel
indicative documents and internal systems; unaccounted transit time receipts, scale logs, toll receipts, ACE, Mexico SAT, broker status
lapses must also be included. Management should conduct periodic information, etc. Conducting en route verifications is a measure
random verifications en route. used in high risk areas to verify procedures are being followed in
“real time.”
5.28 CTPAT highway carriers should notify appropriate parties (e.g., Should
shipper, consignee, and importer) of any significant delays including
mechanical failures during transit.
5.29 If a credible (or detected) threat to the security of a shipment or Must

conveyance is discovered, the Member must alert (as soon as feasibly
possible) any business partners in the supply chain that may be
affected and any law enforcement agencies, as appropriate.

Page 20
6. Seal Security – The sealing of trailers and containers to attain continuous seal integrity, continues to be a crucial element of a secure
supply chain. Seal security includes having a comprehensive written seal policy that addresses all aspects of seal security, such as using
the correct seals per CTPAT requirements; properly placing a seal on IIT, and verifying that the seal has been affixed properly.
Must /
Should
6.1 CTPAT Members must have detailed, written high-security seal procedures Must
that describe how seals are issued and controlled at the facility and during
transit. Procedures must provide the steps to take if a seal is altered,
tampered with, or has the incorrect seal number, including documentation
of the event, communication protocols to partners, and investigation of the
incident. The findings from the investigation must be documented, and any
corrective actions must be implemented as quickly as possible.
These written procedures must be maintained at the local operating level

so that they are easily accessible. Procedures must be reviewed at least
once a year and updated as necessary.
Written seal controls must include the following elements:
Controlling Access to Seals:

• Management of seals is restricted to authorized personnel.
• Secure storage.
Inventory, Distribution, & Tracking (Seal Log):

• Recording the receipt of new seals.
• Issuance of seals recorded in log.
• Track seals via the log.
• Only trained, authorized personnel may affix seals to Instruments of
International Traffic (IIT)
Controlling Seals in Transit:

• When picking up sealed IIT (or after stopping) verify the seal is intact with
no signs of tampering.
• Confirm the seal number matches what is noted on the shipping
documents.
Page 21
Must /
Should
Seals Broken in Transit:

• If a load is examined, record the replacement seal number.
• The driver must immediately notify dispatch when a seal is broken,
indicate who broke the seal, and provide the new seal number.
• The carrier must immediately notify the shipper, broker, and importer of
the seal change and the replacement seal number.
• The shipper must note the replacement seal number in the seal log.
Seal Discrepancies:
• Retain altered or tampered seals to aid in investigations.
• Investigate the discrepancy; follow-up with corrective measures (if
warranted).
• As applicable, report compromised seals to CBP and the appropriate
foreign government to aid in the investigation.
6.2 All CTPAT shipments that can be sealed must be secured immediately after The high-security seal used must be placed on the Must
loading/stuffing/packing by the responsible party (i.e. the shipper or packer Secure Cam position, if available, instead of the right
acting on the shippers behalf) with a high-security seal that meets or door handle. The seal must be placed at the bottom of
exceeds the most current International Organization for Standardization the center most vertical bar of the right container door.
(ISO) 17712 standard for high-security seals. Qualifying cable and bolt seals Alternatively, the seal could be placed on the center
are both acceptable. All seals used must be securely and properly affixed to most left-hand locking handle on the right container
Instruments of International Traffic that are transporting CTPAT Members’ door if the secure cam position is not available. If a bolt
cargo to/from the United States. seal is being used, it is recommended that the bolt seal
be placed with the barrel portion or insert facing upward
with the barrel portion above the hasp.
6.3 Less Than Truck Load (LTL) carriers must (at the very least) use a high Must
security padlock when picking up local freight in an international LTL
environment where consolidation hubs are not used. At the last pickup site
prior to crossing the border, the carrier must seal the load with an ISO
17712 compliant high-security seal.
LTL carriers must have strict controls limiting access to padlocks, keys, or
combinations that can open the padlocks.

Page 22
Must /
Should
6.5 CTPAT Members (that maintain seal inventories) must be able to document Acceptable evidence of compliance is a copy of a Must
that the high-security seals they use meet or exceed the most current ISO laboratory testing certificate that demonstrates
17712 standard. compliance with the ISO high-security seal standard.
CTPAT Members are expected to be aware of the
tamper indicative features of the seals they purchase.
6.6 If a Member maintains an inventory of seals, company management or a Must

security supervisor must conduct audits of seals that includes periodic
inventory of stored seals and reconciliation against seal inventory logs and
shipping documents. All audits must be documented.
As part of the overall seal audit process, dock supervisors and/or

warehouse managers must periodically verify seal numbers used on
conveyances and Instruments of International Traffic.
6.7 CTPAT’s seal verification process must be followed to ensure all high- When applying cable seals, they need to envelop the Must
security seals (bolt/cable) have been affixed properly to Instruments of rectangular hardware base of the vertical bars in order
International Traffic, and are operating as designed. The procedure is to eliminate any upward or downward movement of the
known as the VVTT process: seal. Once the seal is applied, make sure that all slack
has been removed from both sides of the cable. The
V – View seal and container locking mechanisms; ensure they are OK; VVTT process for cable seals needs to ensure the cables
V – Verify seal number against shipment documents for accuracy; are taut. Once it has been properly applied, tug and pull
T – Tug on seal to make sure it is affixed properly; the cable in order to determine if there is any cable
T – Twist and turn the bolt seal to make sure its components do not slippage within the locking body.
unscrew, separate from one another, or any part of the seal becomes loose.

Page 23
7. Procedural Security – Procedural Security encompasses many aspects of the import-export process, documentation, and cargo
storage and handling requirements. Other vital procedural criteria pertain to reporting incidents and notification to pertinent law
enforcement. Additionally, CTPAT often requires that procedures be written because it helps maintain a uniform process over time.
Nevertheless, the amount of detail needed for these written procedures will depend upon various elements such as a company’s
business model or what is covered by the procedure.
CTPAT recognizes that the technology used in supply chains continues to evolve. The terminology used throughout the criteria
references written, paper-based procedures, documents, and forms. Electronic documents and signatures, and other digital
technologies, however, are also acceptable ways to document required procedures.
The CTPAT Program is not designed to be a “one size fits all” model. Each company must decide (based on its risk assessment) how
to implement and maintain procedures. However, it is more effective to incorporate security processes within existing procedures
rather than create a separate manual for security protocols. This creates a more sustainable structure and helps emphasize that
supply chain security is everyone’s responsibility.
Must /
Should
7.1 When cargo is staged overnight, or for an extended period of Must
time, measures must be taken to secure the cargo from
unauthorized access.
7.2 Cargo staging areas, and the immediate surrounding areas, must Preventative measures such as the use of baits, traps, or other Must
be inspected on a regular basis to ensure these areas remain free barriers can be used as necessary. Removal of weeds or reduction
of visible pest contamination. of overgrown vegetation may help in the elimination of pest
habitat within staging areas.
7.4 The loading/stuffing of cargo into containers/IIT should be Should
supervised by a security officer/manager or other designated
personnel.

Page 24
Must /
Should
7.5 As documented evidence of the properly installed seal, digital Photographic evidence may include pictures taken at the point of Should
photographs should be taken at the point of stuffing. To the stuffing to document evidence of the cargo markings, the loading
extent feasible, these images should be electronically forwarded process, the location where the seal was placed, and properly
to the destination for verification purposes. installed seal.
7.6 Procedures must be in place to ensure that all information used in Must
the clearing of merchandise/cargo is legible; complete; accurate;
protected against the exchange, loss, or introduction of erroneous
information; and reported on time.
7.7 If paper documents are used, forms and other import/export Measures, such as using a locked filing cabinet, can be taken to Should
related documentation should be secured to prevent secure the storage of unused forms, including manifests, to
unauthorized use. prevent unauthorized use of such documentation.
7.8 The shipper or its agent must ensure that bill of ladings (BOLs) When picking up sealed Instruments of International Traffic, 7.8
and/or manifests accurately reflect the information provided to carriers may rely on the information provided in the shipper's
the carrier, and carriers must exercise due diligence to ensure shipping instructions.
these documents are accurate. BOLs and manifests must be filed
with U.S. Customs and Border Protection (CBP) in a timely Requiring the seal number to be electronically printed on the bill
manner. BOL information filed with CBP must show the first of lading (BOL) or other export documents helps guard against
foreign location/facility where the carrier takes possession of the changing the seal and altering the pertinent document(s) to
cargo destined for the United States. The weight and piece count match the new seal number.
must be accurate.
However, for certain supply chains, goods may be examined in
transit, by a foreign Customs authority, or by CBP. Once the seal
is broken by the government, there needs to be a process to
record the new seal number applied to the IIT after examination.
In some cases, this may be handwritten.

Page 25
Must /
Should
7.10 Personnel must review the information included in import/export Must
documents to identify or recognize suspicious cargo shipments.
Relevant personnel must be trained on how to identify

information in shipping documents, such as manifests, that might
indicate a suspicious shipment.
Based on risk, CTPAT Members should take into account those

CTPAT key warning indicators for money laundering and terrorism
financing activities most applicable to the functions that they
and/or their business entities perform in the supply chain. A
document on key warning indicators is available in the CTPAT
Portal (Public Library section).
Highway carrier personnel must be trained to review manifests

and other documents in order to identify or recognize suspicious
cargo shipments such as those that:
• Originate from or have unusual destination locations;

• Are paid by cash or a certified check;
• Use unusual routing methods;
• Exhibit unusual shipping/receiving practices;
• Provide vague, generalized, or a lack of information.
7.12 Drivers must collect personal garbage and dispose of it before Must
entering the United States. Otherwise, the driver must declare it
to U.S. Customs and Border Protection, so it may be properly
disposed.

Page 26
Must /
Should
7.13 Based on risk, highway carriers must have specific procedures in An example of an internal conspiracy would be a driver and Must
place to mitigate the risk of collusion between employees, such as dispatch staff colluding to falsify travel times to undermine
between driver and dispatch personnel, which might allow a tracking and monitoring procedures. Procedures to prevent
security measure to be overcome. collusion may include assignment rotation, restricted driver
access to physical location of dispatcher operations, separate
break rooms for dispatch staff and drivers, placement of GPS
monitors out of the drivers' view, frequent documented audits of
dispatcher logs, and trend analysis using GPS data to compare
drivers' average time against which dispatch staff members are on
duty.
7.14 If legally allowed, and permissible under union rules, carriers Should
should conduct random screening of truck drivers’ luggage and
personal belongings. If any suspicious anomalies are found during
the screening, the carrier should document and report its findings
to U.S. Customs and Border Protection.
7.17 In accordance with U.S. Department of Transportation standards, Cargo at rest is cargo at risk. A comprehensive maintenance Should
CTPAT highway carriers should have a comprehensive vehicle program may help avoid unforeseen stops due to mechanical
preventive maintenance program in place and ensure the drivers issues.
are performing adequate checks of their vehicles. Maintenance
records should be kept for a minimum of one year.
7.18 In areas of high risk, where operationally feasible, the highway Should
carrier should use a convoy method (e.g., a minimum of two
trucks traveling together) to transport cargo. Each truck in the
convoy should have the means to communicate with the other
trucks in the convoy and with the dispatch staff.

Page 27
Must /
Should
7.23 CTPAT Members must have written procedures for reporting an Examples of incidents warranting notification to U.S. Customs and Must
incident, which includes a description of the facility's internal Border Protection include (but are not limited to) the following:
escalation process.
• Discovery of tampering with a container/IIT or high-security
A notification protocol must be in place to report any suspicious seal;
activities or security incidents (such as drug seizures, discovery of • Discovery of a hidden compartment in a conveyance or IIT;
stowaways, etc.) that take place anywhere around the world and • An unaccounted new seal has been applied to an IIT;
which affects the security of the member's supply chain. As • Smuggling of contraband, including people; stowaways;
applicable, the Member must report any global incidents to its • Unauthorized entry into conveyances, locomotives, vessels, or
Supply Chain Security Specialist, the closest port of entry, any aircraft carriers;
pertinent law enforcement agencies, and business partners that • Extortion, payments for protection, threats, and/or intimidation;
may be part of the affected supply chain. Notifications to CBP • Unauthorized use of a business entity identifier (i.e., Importer of
must be made as soon as feasibly possible and in advance of any Record (IOR) number, Standard Carrier Alpha (SCAC) code, etc.).
conveyance or IIT crossing the border.
Notification procedures must include the accurate contact

information that lists the name(s) and phone number(s) of
personnel requiring notification, as well as for law enforcement
agencies. Procedures must be periodically reviewed to ensure
contact information is accurate.
7.24 Procedures must be in place to identify, challenge, and address Must

unauthorized/unidentified persons. Personnel must know the
protocol to challenge an unknown/unauthorized person, how to
respond to the situation, and be familiar with the procedure for
removing an unauthorized individual from the premises.

Page 28
Must /
Should
7.25 CTPAT Members should set up a mechanism to report security Internal problems such as theft, fraud, and internal conspiracies Should
related issues anonymously. When an allegation is received, it may be reported more readily if the reporting party knows the
should be investigated, and if applicable, corrective actions should concern may be reported anonymously.
be taken.
Members can set up a hotline program or similar mechanism that
allows people to remain anonymous if they fear reprisal for their
actions. It is recommended that any report be kept as evidence to
document that each reported item was investigated and that
corrective actions were taken.
7.27 All shortages, overages, and other significant discrepancies or Must
anomalies must be investigated and resolved, as appropriate.
7.28 Arriving cargo should be reconciled against information on the Should

cargo manifest. Departing cargo should be verified against
purchase or delivery orders.
7.29 Seal numbers assigned to specific shipments should be Should

transmitted to the consignee prior to departure.
7.30 Seal numbers should be electronically printed on the bill of lading Should
or other shipping documents.
7.31 CTPAT highway carriers (or an authorized party transmitting on The Trade Act of 2002 does not require highway carriers to Must
behalf of the carrier) must transmit an electronic manifest for transmit electronic information in advance to U.S. Customs and
bobtails and for empty containers/trailers prior to the arrival of Border Protection on empty containers – only for loaded
the conveyance at the U.S. Customs and Border Protection ones. CTPAT is requiring that the carrier submit the conveyance
primary booth using the Automated Commercial Environment and driver information before the truck arrives at a U.S. Customs
(ACE) Electronic Truck Manifest (e-Manifest) system. and Border Protection booth.

Page 29
Must /
Should
7.37 Following a significant security incident, Members must initiate a A security incident is a breach in which security measures have Must
post-incident analysis immediately after becoming aware of the been circumvented, eluded, or violated, and have resulted or will
incident and in order to determine where the supply chain may result in a criminal act. Security incidents include acts of
have been compromised. This analysis must not impede/interfere terrorism, smuggling (narcotics, human, etc.), and the presence of
with any known investigations conducted by a government law stowaways.
enforcement agency. The company’s post-incident analysis
findings must be documented, completed as soon as feasibly
possible, and, if allowed by law enforcement authorities, made
available to the SCSS upon request.

Page 30
8. Agricultural Security – Agriculture is the largest industry and employment sector in the U.S. It is also an industry threatened by
the introduction of foreign animal and plant contaminants such as soil, manure, seeds, and plant and animal material which may
harbor invasive and destructive pests and diseases. Eliminating contaminants in all conveyances and in all types of cargo may
decrease CBP cargo holds, delays, and commodity returns or treatments. Ensuring compliance with CTPAT’s agricultural
requirements will also help protect a key industry in the U.S. and the overall global food supply.
Key Definition: Pest contamination – The International Maritime Organization defines pest contamination as visible forms of
animals, insects or other invertebrates (alive or dead, in any lifecycle stage, including egg casings or rafts), or any organic material
of animal origin (including blood, bones, hair, flesh, secretions, excretions); viable or non-viable plants or plant products
(including fruit, seeds, leaves, twigs, roots, bark); or other organic material, including fungi; or soil, or water; where such products
are not the manifested cargo within instruments of international traffic (i.e. containers, unit load devices, etc.).
Must /
Should
8.1 CTPAT Members must, in WPM is defined as wood or wood products (excluding paper products) used in supporting, protecting, Must
accordance with their or carrying a commodity. WPM includes items such as pallets, crates, boxes, reels, and dunnage.
business model, have written Frequently, these items are made of raw wood that may not have undergone sufficient processing or
procedures designed to treatment to remove or kill pests, and therefore remain a pathway for the introduction and spread of
prevent visible pest pests. Dunnage in particular has been shown to present a high risk of introduction and spread of
contamination to include pests.
compliance with Wood
Packaging Materials (WPM) The IPPC is a multilateral treaty overseen by the United Nation’s Food and Agriculture Organization
regulations. Visible pest that aims to secure coordinated, effective action to prevent and to control the introduction and
prevention measures must be spread of pests and contaminants.
adhered to throughout the
supply chain. Measures ISPM 15 includes internationally accepted measures that may be applied to WPM to reduce
regarding WPM must meet significantly the risk of introduction and spread of most pests that may be associated with WPM.
the International Plant ISPM 15 affects all wood packaging material requiring that they be debarked and then heat treated or
Protection Convention’s fumigated with methyl bromide and stamped or branded with the IPPC mark of compliance. This mark
(IPPC) International Standards of compliance is colloquially known as the "wheat stamp". Products exempt from the ISPM 15 are
for Phytosanitary Measures made from alternative materials, like paper, metal, plastic or wood panel products (i.e. oriented
No. 15 (ISPM 15). strand board, hardboard, and plywood).

Page 31
Third Focus Area: People and Physical Security
9. Physical Security – Cargo handling and storage facilities, Instruments of International Traffic storage areas, and facilities where
import/export documentation is prepared in domestic and foreign locations must have physical barriers and deterrents that guard
against unauthorized access.
One of the cornerstones of CTPAT is flexibility, and security programs should be customized to fit each company’s circumstances.
The need for physical security can vary greatly based on the Member’s role in the supply chain, its business model, and level of risk.
The physical security criteria provides a number of deterrents/obstacles that will help prevent unwarranted access to cargo,
sensitive equipment, and/or information, and Members should employ these security measures throughout their supply chains.
Must /
Should
9.1 All cargo handling and storage facilities, including trailer yards and offices Must
must have physical barriers and/or deterrents that prevent unauthorized
access.
9.2 Perimeter fencing should enclose the areas around cargo handling and Other acceptable barriers may be used instead of fencing, Should
storage facilities. If a facility handles cargo, interior fencing should be such as a dividing wall or natural features that are
used to secure cargo and cargo handling areas. Based on risk, additional impenetrable or, otherwise impede, access such as a steep
interior fencing should segregate various types of cargo such as domestic, cliff or dense thickets.
international, high value, and/or hazardous materials. Fencing should be
regularly inspected for integrity and damage by designated personnel. If
damage is found in the fencing, repairs should be made as soon as
possible.
9.4 Gates where vehicles and/or personnel enter or exit (as well as other It is recommended that the number of gates be kept to the Must
points of egress) must be manned or monitored. Individuals and vehicles minimum necessary for proper access and safety. Other
may be subject to search in accordance with local and labor laws. points of egress would be entrances to facilities that are
not gated.
9.5 Private passenger vehicles should be prohibited from parking in or Locate parking areas outside of fenced and/or operational Should
adjacent to cargo handling and storage areas, and conveyances. areas - or at least at substantial distances from cargo
handling and storage areas.

Page 32
Must /
Should
9.6 Adequate lighting must be provided inside and outside the facility Automatic timers or light sensors that automatically turn Must
including, as appropriate, the following areas: entrances and exits, cargo on appropriate security lights are useful additions to
handling and storage areas, fence lines, and parking areas. lighting apparatus.
9.7 Security technology should be used to monitor premises and prevent Electronic security technology used to secure/monitor Should
unauthorized access to sensitive areas. sensitive areas and access points includes: burglary alarm
systems (perimeter and interior) –these are also known as
Intrusion Detection Systems (IDS); access control devices;
and video surveillance systems (VSS) -including Closed
Circuit Television Cameras (CCTVs). A CCTV/VSS system
could include components such as Analog Cameras (coax-
based), Internet Protocol-based (IP) cameras (network-
based), recording devices, and video management
software.
Secure/sensitive areas, which would benefit from video

surveillance, may include: cargo handling and storage
areas, shipping/receiving areas where import documents
are kept, IT servers, yard and storage areas for Instruments
of International Traffic (IIT), areas where IIT are inspected,
and seal storage areas.
9.8 Members who rely on security technology for physical security must have Security technology needs to be tested on a regular basis Must
written policies and procedures governing the use, maintenance, and to ensure it is working properly. There are general
protection of this technology. guidelines to follow:
At a minimum, these policies and procedures must stipulate: • Test security systems after any service work and during
and after major repairs, modifications, or additions to a
• That access to the locations where the technology is controlled or building or facility. A system’s component may have been
managed is limited to authorized personnel; compromised, either intentionally or unintentionally.
• The procedures that have been implemented to test/inspect the • Test security systems after any major changes to phone
technology on a regular basis; or internet services. Anything that might affect the
system’s ability to communicate with the monitoring

Page 33
Must /
Should
• That the inspections include verifications that all of the equipment is center should be double-checked.
working properly, and if applicable, that the equipment is positioned
correctly; • Make sure video settings such as motion activated
recording; motion detection alerts; images per second
• That the results of the inspections and performance testing is (IPS), and quality level, have been set up properly.
documented;
• Make sure camera lenses (or domes that protect the
• That if corrective actions are necessary, they are to be implemented as cameras) are clean and lenses are focused. Visibility should
soon as possible and the corrective actions are documented; not be limited by obstacles or bright lights.
• That the documented results of these inspections be maintained for a • Test to make sure security cameras are positioned
sufficient time for audit purposes. correctly and remain in the proper position (cameras may
have been deliberately or accidentally moved).
If a third party central monitoring station (off-site) is used, the CTPAT
Member must have written procedures stipulating critical systems
functionality and authentication protocols such as (but not limited to)
security code changes, adding or subtracting authorized personnel,
password revisions, and systems access or denials.
Security technology policies and procedures must be reviewed and

updated annually, or more frequently, as risk or circumstances dictate.
9.9 CTPAT Members should use licensed/certified resources when Today’s security technology is complex and evolves Should
considering the design and installation of security technology. rapidly. Oftentimes companies purchase the wrong
security technology that proves to be ineffective when
needed and/or pay more than was necessary. Seeking
qualified guidance will help a buyer select the right
technology options for their needs and budget.
According to the National Electrical Contractors

Association (NECA), in the U.S. 33 states currently have
licensing requirements for professionals engaged in the
installation of security and alarm systems.

Page 34
Must /
Should
9.10 All security technology infrastructure must be physically secured from Security technology infrastructure includes computers, Must
unauthorized access. security software, electronic control panels, video
surveillance or closed circuit television cameras, power
and hard drive components for cameras, as well as
recordings.
9.11 Security technology systems should be configured with an alternative A criminal trying to breach your security may attempt to Should
power source that will allow the systems to continue to operate in the disable the power to your security technology in order to
event of an unexpected loss of direct power. circumnavigate it. Thus, it is important to have an
alternative source of power for your security technology.
An alternative power source may be an auxiliary power
generation source or backup batteries. Backup power
generators may also be used for other critical systems such
as lighting.
9.12 If camera systems are deployed, cameras should monitor a facility’s Sensitive areas, as appropriate, may include cargo handling Should
premises and sensitive areas to deter unauthorized access. Alarms and storage areas, shipping/receiving areas where import
should be used to alert a company to unauthorized access into sensitive documents are kept, IT servers, yards and storage areas
areas. for Instruments of International Traffic (IIT), areas where
IIT are inspected, and seal storage areas.
9.13 If camera systems are deployed, cameras must be positioned to cover Positioning cameras correctly is important to enable the Must
key areas of facilities that pertain to the import/export process. cameras to record as much as possible of the physical
“chain of custody” within the facility’s control.
Cameras should be programmed to record at the highest picture quality
setting reasonably available, and be set to record on a 24/7 basis. Based on risk, key areas or processes may include cargo
handling and storage; shipping/receiving; cargo loading
process, sealing process; conveyance arrival/exit; IT
servers; container inspections (security and agricultural);
seal storage; and any other areas that pertain to securing
international shipments.

Page 35
Must /
Should
9.14 If camera systems are deployed, cameras should have an A failure of video surveillance systems could be the result Should
alarm/notification feature, which would signal a “failure to of someone disabling the system in order to breach a
operate/record” condition. supply chain without leaving video evidence of the crime.
The failure to operate feature can result in an electronic
notification sent to predesignated person(s) notifying
them that the device requires immediate attention.
9.15 If camera systems are deployed, periodic, random reviews of the camera If camera footage is only reviewed for cause (as part of an Must
footage must be conducted (by management, security, or other investigation following a security breach etc.), the full
designated personnel) to verify that cargo security procedures are being benefit of having cameras is not being realized. Cameras
properly followed in accordance with the law. Results of the reviews are not only investigative tools. If used proactively, they
must be summarized in writing to include any corrective actions taken. may help prevent a security breach from occurring in the
The results must be maintained for a sufficient time for audit purposes. first place.
Focus the random review of the footage on the physical

chain of custody to ensure the shipment remained secure
and all security protocols were followed. Some examples
of processes that may be reviewed are the following:
• Cargo handling activities;

• Container inspections;
• The loading process;
• Sealing process;
• Conveyance arrival/exit; and
• Cargo departure, etc.
Purpose of the review: The review is intended to evaluate

overall adherence and effectiveness of established security
processes, identify gaps or perceived weaknesses, and
prescribe corrective actions in support of improvement to
security processes. Based on risk (previous incidents or an
anonymous report on an employee failing to follow
security protocols at the loading dock, etc.), the Member
may target a review periodically.

Page 36
Must /
Should
Items to include in the written summary:

• The date of the review;
• Date of the footage that was reviewed;
• Which camera/area was the recording from;
• Brief description of any findings; and
• If warranted, corrective actions.
9.16 If cameras are being used, recordings of footage covering key If a breach were to happen, an investigation would need to Should
import/export processes should be maintained on monitored shipments be conducted, and maintaining any camera footage that
for a sufficient time to allow an investigation to be completed. covered the packing (for export) and loading/sealing
processes would be of paramount importance in
discovering where the supply chain may have been
compromised.
For monitoring, the CTPAT program recommends allotting

at least 14 days after a shipment has arrived at its first
point of distribution. This is where the container is first
opened after clearing Customs.

Page 37
10. Physical Access Controls – Access controls prevent unauthorized access into facilities/areas, help maintain control of employees and
visitors, and protect company assets. Access controls include the positive identification of all employees, visitors, service providers,
and vendors at all points of entry.
Must /
Should
10.1 CTPAT Members must have written procedures governing how Access devices include employee identification badges, visitor and Must
identification badges and access devices are granted, changed, vendor temporary badges, biometric identification systems,
and removed. proximity key cards, codes, and keys. When employees are
separated from a company, the use of exit checklists help ensure
Where applicable, a personnel identification system must be in that all access devices have been returned and/or deactivated.
place for positive identification and access control purposes. For smaller companies, where personnel know each other, no
Access to sensitive areas must be restricted based on job identification system is required. Generally, for a company with
description or assigned duties. Removal of access devices must more than 50 employees, an identification system is required.
take place when the employees separate from the company.
10.2 Visitors, vendors, and service providers must present photo Must
identification upon arrival, and a log must be maintained that
records the details of the visit. All visitors should be escorted. In
addition, all visitors and service providers should be issued
temporary identification. If temporary identification is used, it
must be visibly displayed at all times during the visit.
The registration log must include the following:
• Date of the visit;

• Visitor's name;
• Verification of photo identification (type verified such as license
or national ID card). Frequent, well known visitors such as regular
vendors may forego the photo identification, but must still be
logged in and out of the facility;
• Time of arrival;
• Company point of contact; and
• Time of departure.

Page 38
Must /
Should
10.3 Drivers delivering or receiving cargo must be positively identified Must
before cargo is received or released. Drivers must present
government-issued photo identification to the facility employee
granting access to verify their identity. If presenting a
government-issued photo identification is not feasible, the facility
employee may accept a recognizable form of photo identification
issued by the highway carrier company that employs the driver
picking up the load.
10.4 A cargo pickup log must be kept to register drivers and record the A visitor log may double as a cargo log as long as the extra Must
details of their conveyances when picking up cargo. When drivers information is recorded in it.
arrive to pick up cargo at a facility, a facility employee must
register them in the cargo pickup log. Upon departure, drivers
must be logged out. The cargo log must be kept secured, and
drivers must not be allowed access to it.
The cargo pickup log should have the following items recorded:
• Driver's name;
• Date and time of arrival;
• Employer;
• Truck number;
• Trailer number;
• Time of departure;
• The seal number affixed to the shipment at the time of
departure.

Page 39
Must /
Should
10.7 Prior to arrival, the carrier should notify the facility of the This criterion will help shippers and carriers to avoid fictitious Should
estimated time of arrival for the scheduled pick up, the name of pickups. Fictitious pick-ups are criminal schemes that result in the
the driver, and truck number. Where operationally feasible, theft of cargo by deception that includes truck drivers using fake
CTPAT Members should allow deliveries and pickups by IDs and/or fictitious businesses set up for the purpose of cargo
appointment only. theft.
When a carrier has regular drivers that pick up goods from a

certain facility, a good practice is for the facility to maintain a list
of the drivers with their pictures. Therefore, if it is not feasible to
let the company know which driver is coming, the company will
still be able to verify that the driver is approved to pick up cargo
from the facility.
10.8 Arriving packages and mail should be periodically screened for Examples of such contraband include, but are not limited to, Should
contraband before being admitted. explosives, illegal drugs, and currency.
10.9 Delivery of goods to the consignee or other persons accepting Should

delivery of cargo at the partner’s facility should be limited to a
specific monitored area.
10.10 If security guards are used, work instructions for security guards Though guards may be employed at any facility, they are often Must
must be contained in written policies and procedures. employed at manufacturing sites, seaports, distribution centers,
Management must periodically verify compliance and storage yards for Instruments of International Traffic,
appropriateness with these procedures through audits and policy consolidator, and forwarders operating sites.
reviews.

Page 40
11. Personnel Security – A company’s human resource force is one of its most critical assets, but it may also be one of its weakest
security links. The criteria in this category focus on issues such as employee screening and pre-employment verifications.
Many security breaches are caused by internal conspiracies, which is where one or more employees collude to circumvent security
procedures aimed at allowing an infiltration of the supply chain. Therefore, Members must exercise due diligence to verify that
employees filling sensitive positions are reliable and trustworthy. Sensitive positions include staff working directly with cargo or its
documentation, as well as personnel involved in controlling access to sensitive areas or equipment. Such positions include, but are
not limited to, shipping, receiving, mailroom personnel, drivers, dispatch, security guards, any individuals involved in load
assignments, tracking of conveyances, and/or seal controls.
Must /
Should
11.1 Written processes must be in place to screen prospective CTPAT is aware that labor and privacy laws in certain countries Must
employees and to periodically check current employees. may not allow all of the application information to be verified.
Application information, such as employment history and However, due diligence is expected to verify application
references, must be verified prior to employment, to the extent information when permitted.
possible and allowed under the law.
11.2 In accordance with applicable legal limitations, and the availability Should
of criminal record databases, employee background screenings
should be conducted. Based on the sensitivity of the position,
employee vetting requirements should extend to temporary
workforce and contractors. Once employed, periodic
reinvestigations should be performed based on cause, and/or the
sensitivity of the employee’s position.
Employee background screening should include verification of the

employee’s identity and criminal history that encompass City,
State, Provincial, and Country databases. CTPAT Members and
their business partners should factor in the results of background
checks, as permitted by local statutes, in making hiring decisions.
Background checks are not limited to verification of identity and
criminal records. In areas of greater risk, it may warrant more in-
depth investigations.

Page 41
Must /
Should
11.5 CTPAT Members must have an Employee Code of Conduct that A Code of Conduct helps protect your business and informs Must
includes expectations and defines acceptable behaviors. Penalties employees of expectations. Its purpose is to develop and
and disciplinary procedures must be included in the Code of maintain a standard of conduct that is acceptable to the company.
Conduct. Employees/contractors must acknowledge that they It helps companies develop a professional image and establish a
have read and understood the Code of Conduct by signing it, and strong ethical culture. Even a small company needs to have a
this acknowledgement must be kept in the employee’s file for Code of Conduct; however, it does not need to be elaborate in
documentation. design or contain complex information.

Page 42
12. Education, Training and Awareness – CTPAT’s security criteria are designed to form the basis of a layered security system. If one
layer of security is overcome, another layer should prevent a security breach, or alert a company to a breach. Implementing and
maintaining a layered security program needs the active participation and support of several departments and various personnel.
One of the key aspects to maintaining a security program is training. Educating employees on what the threats are and how their
role is important in protecting the company’s supply chain is a significant aspect to the success and endurance of a supply chain
security program. Moreover, when employees understand why security procedures are in place, they are much more likely to
adhere to them.
Must /
Should
12.1 Members must establish and maintain a security training and Training topics may include protecting access controls, Must
awareness program to recognize and foster awareness of the recognizing internal conspiracies, and reporting procedures for
security vulnerabilities to facilities, conveyances, and cargo at each suspicious activities and security incidents. When possible,
point in the supply chain, which could be exploited by terrorists or specialized training should include a hands-on demonstration. If
contraband smugglers. The training program must be comprehensive a hands-on demonstration is conducted, the instructor should
and cover all of CTPAT’s security requirements. Personnel in allow time for the students to demonstrate the process.
sensitive positions must receive additional specialized training
geared toward the responsibilities that the position holds. For CTPAT purposes, sensitive positions include staff working
directly with import/export cargo or its documentation, as well
One of the key aspects of a security program is training. Employees as personnel involved in controlling access to sensitive areas or
who understand why security measures are in place are more likely equipment. Such positions include, but are not limited to,
to adhere to them. Security training must be provided to employees, shipping, receiving, mailroom personnel, drivers, dispatch,
as required based on their functions and position, on a regular basis, security guards, any individuals involved in load assignments,
and newly hired employees must receive this training as part of their tracking of conveyances, and/or seal controls.
orientation/job skills training.
Members must retain evidence of training such as training logs, sign

in sheets (roster), or electronic training records. Training records
should include the date of the training, names of attendees, and the
topics of the training.

Page 43
Must /
Should
12.2 Drivers and other personnel that conduct security and agricultural Must
inspections of empty conveyances and Instruments of International
Traffic (IIT) must be trained to inspect their conveyances/IIT for both
security and agricultural purposes.
Refresher training must be conducted periodically, as needed after

an incident or security breach, or when there are changes to
company procedures.
Inspection training must include the following topics:

• Signs of hidden compartments;
• Concealed contraband in naturally occurring compartments; and
• Signs of pest contamination.
12.3 Personnel must receive training on situational reporting – the Must

procedures to follow if something is found during a conveyance
inspection or if a security incident takes place while in transit. In
addition, personnel must be instructed in controlling/using seals
during transit, and to look for signs of someone observing the
movement of the conveyance and/or the goods.
Drivers, for instance, must be trained on how to conduct the seal

verification process (VVTT process).
The CTPAT seal verification process is the following:
V – View seal and container locking mechanisms; ensure they are OK;
V – Verify seal number against shipment documents for accuracy;
T – Tug on seal to make sure it is affixed properly; and
T – Twist and turn the bolt seal to make sure its components do not
unscrew or separate from one another.

Page 44
Must /
Should
12.4 CTPAT Members should have measures in place to verify that the Understanding the training and being able to use that training in Should
training provided met all training objectives. one’s position (for sensitive employees) is of paramount
importance. Exams or quizzes, a simulation exercise/drill, or
regular audits of procedures etc. are some of the measures that
the Member may implement to determine the effectiveness of
the training.
12.7 Training must, in accordance with the Member’s business model, be U.S. Customs and Border Protection has collaborated with the Must
provided to applicable personnel on preventing visible pest U.S. Department of Agriculture to develop training on visible
contamination. Training must encompass pest prevention measures, pest contamination. Different training modules have been
regulatory requirements applicable to wood packaging materials developed for the different trade environments: air, sea, and
(WPM), and identification of infested wood. land border (rail and highway carrier). These training modules
will be made available to all Members via the CTPAT Portal.
12.8 As applicable, based on their functions and/or positions, personnel Quality training is important to lessen vulnerability to Must
must be trained on the company's cybersecurity policies and cyberattacks. A robust cybersecurity training program is usually
procedures. This must include the need for employees to protect one that is delivered to applicable personnel in a formal setting
passwords/passphrases and computer access. rather than simply through emails or memos.
12.9 Personnel operating and managing security technology systems must Must
receive operations and maintenance training in their specific areas.
Prior experience with similar systems is acceptable. Self-training via
operational manuals and other methods is acceptable.
12.10 Personnel must be trained on how to report security incidents and Procedures to report security incidents or suspicious activity are Must
suspicious activities. extremely important aspects of a security program. Training on
how to report an incident can be included in the overall security
training. Specialized training modules (based on job duties) may
have more detailed training on reporting procedures, including
specifics on the process, such as, what to report, to whom, how
to report the incident, and what to do after the report is
completed.
Publication Number 0989-0420

Page 45

CTPAT 3PLs MSC March 2020

Uploaded by

Copyright:

Available Formats

CTPAT 3PLs MSC March 2020

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CTPAT 3PLs MSC March 2020

Uploaded by

Copyright:

Available Formats

Minimum Security Criteria – Third Party Logistics Providers (3PLs)

First Focus Area: Corporate Security

A Member may choose to use smaller targeted reviews directed at

For members with high-risk supply chains (determined by their risk

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

To verify adherence to security requirements, importers conduct security assessments of

Determining if a business partner is compliant with the MSC can be accomplished in

CTPAT Minimum Security Criteria – 3PLs| March 2020

•Name and title of the person(s) completing it;

*Signatures may be electronic. If a signature is difficult to obtain/verify, the respondent

Circumstances that may require the self-assessment to be updated more frequently

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

*NIST is a non-regulatory federal agency under the Department of Commerce that

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

4.7 User access must be restricted based on job Must

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

Media used to store backups should preferably be stored at a facility offsite.

Second Focus Area: Transportation Security

CTPAT Minimum Security Criteria – 3PLs| March 2020

Pest contamination is defined as visible forms of animals, insects

CTPAT Minimum Security Criteria – 3PLs| March 2020

Additional inspection requirements for land border crossings via

Inspections of conveyances and IIT must be conducted at

Where feasible, inspections must be conducted upon entering and

CTPAT Minimum Security Criteria – 3PLs| March 2020

These systematic inspections must include 17-point inspections:

1. Fifth wheel area - check natural compartment/skid plate;

CTPAT Minimum Security Criteria – 3PLs| March 2020

5.5 The inspection of all conveyances and empty Instruments of Should

• Container/Trailer/Instruments of International Traffic number;

The completed container/Instruments of International Traffic

5.6 All security inspections should be performed in an area of controlled Should

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

5.29 If a credible (or detected) threat to the security of a shipment or Must

CTPAT Minimum Security Criteria – 3PLs| March 2020

These written procedures must be maintained at the local operating level

Written seal controls must include the following elements:

Controlling Access to Seals:

Inventory, Distribution, & Tracking (Seal Log):

Controlling Seals in Transit:

Seals Broken in Transit:

CTPAT Minimum Security Criteria – 3PLs| March 2020

6.6 If a Member maintains an inventory of seals, company management or a Must

As part of the overall seal audit process, dock supervisors and/or

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

CTPAT Minimum Security Criteria – 3PLs| March 2020

Relevant personnel must be trained on how to identify

Based on risk, CTPAT Members should take into account those

Highway carrier personnel must be trained to review manifests

• Originate from or have unusual destination locations;

CTPAT Minimum Security Criteria – 3PLs| March 2020