State of the Program

Building on the Past, Innovating for the Future

June 2018

Presenter’s Name June 17, 2003 2

CTPAT Program: Background

CTPAT is a supply chain security and trade compliance program that aims to secure the flow of goods bound for the United States through a voluntary partnership with the international trade community.

Government-private sector partnership emerging from the 9/11 terrorist attacks; Launched in November 2001 with seven major importers.

First worldwide supply chain security program, and currently 54.1% of all U.S. imports (by value) are CTPAT Certified.

Government-business program that builds cooperative relationships based on shared responsibility (prevention vs. interdiction).

Requires businesses to ensure the integrity of their security practices and verify the security guidelines of their business partners within the supply chain.

CBP Processes:

67,337 truck, rail, and sea containers

$6.3 billion worth of imported goods

CBP Seizes:

7,910 pounds of drugs (3,588kg)

$289,609 in undeclared or illicit currency

$3.8 million worth of products with Intellectual

Property Rights violations

CBP Patrols

329 ports of entry—official entry or crossing points

CTPAT is part of a layered law enforcement strategy

Trade Security

National Targeting

Center

24 Hour Trade Act

Intelligence

Container Security Initiative

NII TechnologyAutomated TargetingSystem

CTPAT

Impetus for Creation Piece of the Puzzle

WCO SAFE Framework CBP Cargo Responsibilities

Four Principles:

1. Advanced Electronic Information

2. Employ a Risk Management Approach to Address Security Threats

3. Use of Non-Intrusive Technology for the Inspection of Cargo

4. Benefits for Safe Traders – Authorized Economic Operator

Two Pillars:

Customs to Customs (Mutual Recognition)

Customs to Private Sector (AEO Programs / CTPAT)

Presenter’s Name June 17, 2003

CTPAT Program: Key Statistics and Members

CTPAT’s membership is cross cutting across a range of entity groups, which strengthens the security of international supply chains and the U.S. Border, and increases trade compliance.

11,400+ Certified Members

Over 30,000 validations conducted

54% of all imports (by value) into the US are CTPAT certified

Validation site visits conducted in 109 countries

300+ Importer Self Assessment (ISA) trade compliance program members

11 Mutual Recognition Arrangements (MRAs)

MSC Entity GroupsThe 11,000+ members comprise of companies across 12 entity groups from throughout the global supply chain.

CTPAT members must meet the Minimum Security Criteria (MSC), which are layered, cross-departmental security procedures and standards.

80 Sea Carriers

60 Marine Port Authority & Terminal

Operators

430 Mexican Long Haul Carriers

1,680Foreign

Manufacturers

10 Rail Carriers

110 Third Party Logistics Providers

(3PLs)

40 Air Carriers

1,980 Highway Carriers

4,150Importers

350Exporters

870Consolidators

850 U.S. Customs Brokers

Presenter’s Name June 17, 2003 4

CTPAT Program: Trusted Trader Strategy

The Trusted Trader Strategy outlines how industry can partner with CBP through the CTPAT program in both CTPAT Security and CTPAT Trade Compliance with increasing benefits for all parties.

in CTPAT

risk importers and

Increasing

benefits for

CBP and

traders

CTPAT, Trade Compliance, PGAs

and MRA and AEOs

Trusted traders receive facilitated

benefits globally

CTPAT, Trade Compliance and PGAs

Trusted traders receive benefits at

CTPAT

Traders are members ofCBP’s voluntary supply

chain security programSecurity

Partnership

GlobalReach

CTPAT, Trade Compliance

Traders are ISA compliant and meet CTPAT security requirementsCompliance

Non-participant

But consistently low

exporters

partner government agencies

Moves toward whole of government approach to supply chain security via PGA engagement

Integrates the CTPAT and ISA programs into a consolidated program that includes both supply chain security and trade compliance-AEO standard

Supports a scalable program, integrated with PGAs and aligned with leading AEO programs

Presenter’s Name June 17, 2003 5

CTPAT Trade Compliance: Trusted Trader Strategy

CTPAT developed a Trusted Trader Framework Strategy with the COAC to acknowledge the significant commitment of partnership between the U.S. government and trade, in global trade compliance and security.

Demonstrates highest level of commitment between the trade and regulatory government partners to security, compliance, and partnership within the global supply chain

Develops a program that is scalable, attainable for all size traders, and provides trading benefits and incentives

Reduced number of CBP examinations

Front of line inspections

Shorter wait times at the border

Assignment of a Supply Chain Security Specialist (SCSS) to the company

Access to FAST Lanes at land borders

CTPAT web-based Portal system and a library of training materials

Eligibility for other U.S. Government pilot programs

CTPAT security membership provides a baseline of engagement

Trusted Trader Pilot Program is working to transform the Importer Self Assessment (ISA) Program into the new Trade Compliance Program to provide importers and exporters an integrated partnership program for security and compliance

Framework Overview

Benefits & Incentives

Objectives and Pilot

Presenter’s Name June 17, 2003 6

CTPAT Trade Compliance: Trusted Trader Strategy

CTPAT is implementing the Trusted Trader Strategy to integrate ISA into the CTPAT program, and evolve its focus to cover both security and trade compliance.

Work with pilot participants to identify and document 30+ benefits in an interactive catalog, prioritize the development of 8 benefits, and measure the impact on participating importers.

Evaluate Benefits &

Requirements

Prepare for integration of ISA program into CTPAT Trade Compliance, and inform, train, and prep internal and external stakeholders for phased roll-out.

Prepare for Transition

Advance efforts with PGAs to promote a whole of government approach to supply chain security and trade compliance.

Partner with PGAs

Initiative Objectives & Outcomes

Prioritize and evaluate impact of incentives with pilot participants

Operationalize program and transition 330+ ISA members to Trade Compliance portion of CTPAT

CTPAT Trade Compliance Portal

Phased Rollout: Beg. October 2018

Phase I: June 2014 – June 2016

Validated pilot incentives for inclusion in initial offering

7 Pilot Participants:

Worked closely with pilot participants to test additional incentives and benefits and engaged with PGAs

Phase II: June 2016 – September 2018

ISA is a voluntary approach to trade compliance where CBP partners allow their eligible importers to assume the responsibility of managing their own compliance through self-assessment

There are currently 300+ members who utilize ISA

Comprises

25%of US Import Value

Pilot TimelineISA

Presenter’s Name June 17, 2003 7

CTPAT Security: Application Process

CTPAT has established a rigorous application process for vetting candidates to the program in order to ensure security and compliance measures are met and followed.

Long-Term

Expectations

Applicants must apply online via the CTPAT web portal

Eligibility requirements must be met before applicant’s company information is inputted

Each applicant must complete a security profile

Companies are assigned to a CTPAT field office for initial vetting, company review and security profile certification

CTPAT has to either approve or reject within 90 days

If the security profile is approved, CTPAT must conduct on on-site validation within one year

CTPAT must ensure applicant complies with the program’s security criteria

Utilize verification process to develop a strong working relationship with the applicant

Eligibility Certification Validation Verification

Validation of reported supply chain security and alignment to guidelines

Performed within 1 year from certification for all CTPAT participants

Every 1-2 years continue to review forms, sign-in sheets and checklists

Failure to show procedures are being followed can jeopardize future re-validation

Expect to see improved procedures the longer participants are a member

More stringent on requirements than original validation

Re-validation occurs every 3-4 years A re-verification report will be written and

participants have 90 days to respond by updating their actions in the web portal

Participants are required to assess the level of risk business partners bring into the supply chain, which can be based on the recommended Five Step Risk Assessment Process

Periodic

Re-Validation

Initial Validation

Process

CTPAT Validations & Verification

CTPAT Application Process

Presenter’s Name June 17, 2003 8

CTPAT Security: Top Security Issues and Benefits

CTPAT defines the supply chain as beginning at point of origin – manufacturer, supplier, vendor – and ending at point of distribution. The MSC throughout the supply chain can be grouped by the following buckets:

This map above demonstrates potential locations where cargo could be compromised and also shows potential validation sites.

Risk assessment of international supply chain Practice vs. policy Screening business partners (customers,

vendors/suppliers, and service providers) Follow-up on CTPAT status with business partners Employee training/awareness in supply chain security Audit/self policing, checks & balance systems Reporting system to notify company officers, CBP, and

other law enforcement agencies of anomalies (escalation matrix)

Cargo inspection/monitoring methods Periodic background checks Role of company CTPAT representatives

Reduced customs inspections Established point of contact in CBP (SCSSs) through

dedicated internet Portal access Use of Free and Secure Trade (FAST) Access to CBP/CTPAT training seminars and best

practices catalog Front of the line treatment for exams Business continuity considerations Access to other CTPAT members through internal

web portal system Penalty mitigation assistance

Top Security Issues CTPAT Benefits

Corporate Security

TransportationSecurity

People & Physical Security

Risk Assessment Procedural Security Personnel Security

Business PartnerConveyance and IIT

Security Physical Access

Controls

Cybersecurity Agricultural Security Physical Security

Security Vision and Responsibility

Seal SecuritySecurity Training and

Threat Awareness

Presenter’s Name June 17, 2003 9

CTPAT Security: Best Practices Framework

The framework used by CTPAT to demonstrate a best practice focuses on five components which, when used together, create a systematic approach to implementing best practices.

Senior Management Support

Inspires innovation and continuous improvement, and provides adequate resources

Innovative Business, Process,

& Technology

Increases automation, adaptability,

and efficiency

Documented Process

Ensures consistency and continuity via

written policies

Systems of Checks, Balances,and Accountability

Supports reliability via recurring tests and

internal/external audits

Evidence of Implementation

Verifies security via SCSS

observation and documentation

Best Practices Framework

Presenter’s Name June 17, 2003 10

CTPAT Security: Strengthening the MSC

CTPAT’s first major revision of the MSC since the program’s inception modernized and strengthened requirements in order to more effectively combat evolving supply chain security threats.

1 Changing Trade Landscape

As trade volume and complexity has increased dramatically since CTPAT’s inception over 15 years ago, threats against the global supply chain have continually evolved.

2 Terrorism and Criminal Activity

The targeting of global supply chains and an increase in terrorism activity underscores the need for CTPAT members to take increased measures to secure their supply chains.

4 Legal Mandate

The SAFE Port Act 2006 mandates that the MSC be reviewed “at least once a year” to update requirements as necessary in partnership with the trade community.

3 Reauthorization Bill

H.R. 3551, the CTPAT Reauthorization bill currently in Congress, will bring increased attention to the program and requires more frequent revisions of the MSC with full public transparency.

Presenter’s Name June 17, 2003 11

CTPAT Security: MSC Refinement and Restructure

Following multiple webinars, in-person reviews, and collaboration with the working groups, CTPAT has strengthened the MSC to enhance understanding and organization of the requirements.

Established 3 focus areas, inclusive of three new criteria categories focused on Cybersecurity, Security Vision and Responsibility, and Agricultural Security

Clarified language to explicitly organize requirements into "Must" and "Should“ delineations (i.e. hard vs. soft) requirements across applicable entity groups based on risk

New Focus Areas

and Criteria

Categories

Must vs. Should

Requirements

Mitigation of

Modern Threats

Provided guidance regarding how to combat Terrorism Financing and Money Laundering, addressing a major threat in supply chain security

The process to update the MSC laid the groundwork for the modernization of requirements in order to combat today’s threats in supply chain security

Presenter’s Name June 17, 2003 12

CTPAT Security: MSC Revision Summary

The following focus areas and criteria categories represent a holistic overview of the revised MSC requirements.

Focus Areas Criteria Categories Description

Corporate Security

Security Vision and Responsibility (New)

Promote a security vision, integrate security throughout the organization, establish an audit process, importance and role of the CTPAT POC

Risk Assessment Complete a comprehensive risk assessment based on a recognized methodology and in line with the MSC.

Business Partner Requirements

Select, screen, and monitor business partner compliance with MSC, to include trade based money laundering

Cybersecurity (New)Written cyber security policies and procedures; protection of IT systems with software and hardware; remote access; personal devices

TransportationSecurity

Conveyance and IIT Security

Conduct thorough inspections for both security and visible agricultural contamination; driver verification; tracking of conveyances; random searches;

Seal SecurityHigh security seal policy; containers not suitable for sealing; mandated use of the VVTT seal verification process; management audits of seals

Procedural SecurityDocument processes relevant to transportation, handling, and storage of cargo.

Agricultural Security (New)

Introduces requirements that protect the supply chain from contaminants and pests and the proper use of wood packaging materials.

People & Physical Security

Physical Access ControlsOutlines requirements to prevent, detect, or deter unauthorized personnel from gaining access to facilities. Expands on the use of security technology.

Physical SecurityRequire the positive identification of all employees, visitors, and vendors at all points of entry.

Personnel SecurityComplete screening, pre-employment verification, background checks, and comply with U.S. immigration laws.

Security Training, Threat, and Awareness

Requires training on security for all employees; specialized training for employees in sensitive positions; determine if training provided was effective

Presenter’s Name June 17, 2003 13

CTPAT Security: Implementation Timeline

Based on guidance from the Trade and COAC, CTPAT is proposing the MSC to be implemented under a phased approach throughout FY 2019.

Phase 1 Phase 2 Phase 3 Phase 4

1. Cybersecurity4. Security Training, Threat,

and Awareness7. Security, Vision, and

Responsibility10. Agricultural Security

2. Conveyance and IIT Security

5. Business Partner Requirements

8. Physical Security 12. Personnel Security

3. Seal Security 6. Risk Assessment 9. Physical Access Security 13. Procedural Security

Notional Phased Implementation By Criteria Category

The notional phased implementation timeline for criteria categories was determined via an assessment of security impact and level of effort with the six industry working groups.

Security ImpactSecurity impact was assessed for each criteria category by requirement as a function of its ability to address vulnerabilities in the supply chain and to complement existing legislative requirements or regulations.

Level of EffortLevel of effort was assessed for each criteria category by requirement as a measure of the cost, time, and reasonableness of compliance for CTPAT members.

Level

of

Eff

ort

Low

Med

ium

Hig

h

Security Impact

Low Medium High

13

2

98

4

7

4

106

12

11

12

13 5

Prioritization Methodology

Factors Considered for Prioritization

Size of bubble indicates number of requirements by criteria category

Presenter’s Name June 17, 2003

Global Reach: MRAs and SAFE Framework Pillars

CTPAT’s partnerships with international trade communities and authorities strengthens its role as an integral part of securing the global supply chain.

Commitment to MRAs link various international industry partnership programs together creating a unified and sustainable end-to-end security posture that facilitates safe and efficient global trade.

Support of organizations such as the World Customs Organization (WCO), the Asia-Pacific Economic Cooperation (APEC), and private sector organizations working to improve the security and integrity requirements of their membership.

International Strategy

Mexico

Canada

European Union

Japan

Jordan

New Zealand

South KoreaIsrael

Dominican Republic

Taiwan

Singapore

11 Mutual Recognition

Arrangements:

Presenter’s Name June 17, 2003 15

Global Reach: MRA Process

There are pre-requisites and a standardized process for implementing MRAs, which require time and effort to achieve but offer the benefit of stronger international security.

MRA Process

The Foreign Customs Administration must meet all four pre-requisites. The FCA must have:

Mutual recognition (MR) means the security requirements/standards of the industry partnership program, as well as its verification procedures, are the same or compatible with those of the potential MR partner.

Mutual recognition is a long term goal

Customs, AEO Programs, and the Trade Community must realize the time, effort and resources that goes into achieving MR.

MRAs MRA Pre-Requisites

A methodology in place to review and validate members

A security component integrated in the strategy

An operational program in place

A Customs Mutual Assistance Agreement (CMAA) in place with the U.S.

Signing of a joint work

plan

Side-by-side comparison of

program requirements

Validation on

observations

in both countries

Negotiation of the MRA

text

Formal signing of the MRA

Execution Maintenance

Presenter’s Name June 17, 2003 16

CTPAT Security and Trade Compliance: Roadmap

CTPAT SECURITY:

CTPAT Trade Compliance:*Importers only

Synthesize proposed MSC and work with industry to assess impact

Review and refine MSC with COAC and industry working groups

Implement program benefits with pilot participants and measure performance

Begin multi-year phased implementation of MSC

2019201820172014

2016

TODAY

2017 2018 20192016

Publish FRN and launch Trusted Trader pilot

Solidify and test incentives in Pilot Phase II

Launch CTPAT Trade Compliance and transition ISA members on a phased basis

Integrated CTPAT Security & Compliance

program

Enhance Portal, quantify cost and benefits, and prepare for implementation

Advance Trade Compliance portion of Portal, work with PGAs on Mutual Recognition, and prepare for implementation