FAQ | CTPAT Minimum Security Compliance & The Security Profile

After participating in numerous virtual validations and constantly engaging with key industry and government stakeholders, the following have been the most common questions we have heard.

Are there any minimum requirements that companies are having trouble with?

Many of the new Minimum Security Criteria (MSC) sections are proving to be a challenge for some companies, with importers leading the group more than any other entity type. The new MSC sections include Security Vision & Responsibility, Cybersecurity, and Agriculture Security. To demonstrate your company’s commitment to Security Vision & Responsibility, CTPAT knowledge should flow from the top down. As for Agriculture Security, critical elements need to be incorporated into 7/17-point inspections and business partner vetting procedures. More than ever, MSC sections must be supported by sufficient written evidence that your company’s processes and procedures have been implemented.

We've filled out our Security Profile, which has been accepted, and we are filling out our questionnaire. What content will be reviewed during our validation?

In most cases, your Supply Chain Security Specialist (SCSS) will provide you with an agenda in advance of your virtual validation indicating which areas are going to be covered. During the validation, your SCSS will verify that the information you have submitted in your CTPAT security profile has been implemented in the company. To ensure implementation, CBP will ask to see documentation of your company’s processes and procedures. Further, your SCSS may verify relevant logs, company ID, seals, and other relevant evidence along with historical documents during the validation. This is best achieved through screen sharing but can also be done by simply holding up relevant documents to the camera. The most important thing is to make sure that, one way or another, you are prepared to share relevant documents in a timely fashion during the virtual validation.

Will the virtual validation be done through a review of the security profile? Or will it be a real-time session?

A virtual validation is used to ensure that the information you have submitted in your security profile has been implemented into your company. This will be conducted as a real-time review where you will be asked to share evidence of implementation of the information contained in your profile. Check out the FAQ on Virtual Validations.

What are the new MSC requirements that were added?

The new MSC sections include Security Vision & Responsibility, Cybersecurity, and Agriculture Security. It is important to remember that aside from introducing new MSC sections, the original MSC sections have also been significantly updated with a number of criteria being changed from “should” to “must”.

How is CBP taking evidence of implementation into consideration for small companies vs large corporations?

When CBP says they are looking for “evidence of implementation”, they are referring to the information you have submitted to your security profile being implemented in your company. While small companies have to comply with the same set of standards as large companies, policies and procedures should be appropriate for the size and nature of business and do not need to be overly lengthy or complex. The program has always taken a flexible approach to the interpretation of the MSC, with consideration being given to smaller companies. Evidence of implementation is not required to be needlessly elaborate and can consist of simply sharing existing plans and documents. The most important thing is simply to be prepared to share it with your SCSS in a timely fashion.

Can you precisely spell out the difference between the Annual Security Audit and the Validation?

The main difference between the annual security check and the virtual validation is that the virtual validation is used to ensure that the information you have submitted within your security profile is implemented into your company’s procedures and processes. Your SCSS will verify this by asking to see documentation of your company’s processes and procedures.

Have any changes been made to last year’s Minimum Security Questionnaire?

The new MSC, which were released in January 2020, have been incorporated into the Security Profile questionnaire. It is important to remember that aside from introducing new MSC sections, the original MSC sections have also been significantly updated with a number of criteria being changed from “should” to “must”.

Will the Security Profile require annual updating? Will it be pre-filled with what we've already entered?

Yes, the Security Profile is required to be updated annually. Any information that has been entered in the Security Profile will still be present when you go to update it. The Security Profile is a “living” document intended to grow with company updates. When updating the Security Profile, leave the information that has already been entered, add the updates, and distinguish the new updates by entering the date before the new text. This way the profile can serve as a repository for your company’s previous processes.

Are there sample SOPs that we can research when we update or create new responses in our security profile?

We are not aware of externally available SOPs for CTPAT virtual validations or Security Profile responses. The CTPAT program does maintain a publicly available CTPAT Resource Library and Job Aids, which contains useful guidance including sample documents. You should always communicate with your SCSS when you are planning to make changes to your security profile.

For the evidence section in the Security Profile, we describe our procedures in another language. Does it have to be translated?

Eligible companies in Mexico and Canada as well as supply chain partners of US Importers typically fall into this category of submitting company documents in other languages. It is incumbent on CTPAT members to satisfy the MSC with supporting documentation. When that documentation is in other languages, the company should work with their SCSS to address any language-related challenges. In some cases, some key documents or parts of those documents may be required to be translated in order to satisfy the review by CBP. In other cases, documents not written in English may cause that particular MSC section in the Security Profile to be rejected.

What kind of companies need to be in compliance with the agriculture criteria?

Agricultural security is mentioned in the MSC for all CTPAT eligible entities. However, the application of agriculture security requirements varies from entity to entity, so it is important to review these requirements within your entity-specific Security Profile to ensure that you are in compliance.

Will there be any additional guidance or prep communication available in the CTPAT portal?

The CBP CTPAT portal is still used for your company to submit policies, procedures, and documentation within your security profile. However, if you are looking to provide your SCSS with pre-recorded videos, there are file size limitations within the portal. You should use the screen-sharing function during the virtual validation to present your SCSS with pre-recorded videos or photos of key areas or processes within your facility.

Our legal and cybersecurity groups are concerned about placing our proprietary SOPs on the Portal. What assurances can you give on the security of the portal so that our control environment is not at risk?

The CTPAT Portal remains a secure platform for data exchange. If there are significant concerns about posting highly sensitive materials, speak to your assigned SCSS to discuss alternative options.

If you are concerned about how the new minimum security criteria might affect your company, CT Strategies offers a New MSC package which ensures that your operations meet the updated MSC specific to your entity type with a security plan that checks all the boxes. CT Strategies also offers a range of CTPAT Courses designed to guide members through the new MSC and other elements of CTPAT membership.

