Page 1

CONTAINS Support material for C-TPAT MANUAL.

1


C-TPAT Version 11/15/17 Copyright Notice Unless a copyright is indicated, information on the U.S. Customs and Border Protection Web site is in the public domain and may be reproduced, published or otherwise used without the permission of the CBP. We request only that the CBP be cited as the source of the information and that any photo credits or bylines be similarly credited to the photographer, author, or CBP, as appropriate. If a copyright is indicated on a photo, graphic, or any other material, permission to copy these materials must be obtained from the original source.

Copyright Š 2006, 2017 Clement Key

Compliance Series All rights reserved.

YOU NEED A MANUAL. DEVELOP OR PURCHASE www.exportimportcompliance.com

Your partners in the supply chain must meet standards as you do. As a IMPORTER you must check to see that they are as serious about security as you a C-TPAT participant are. Set up a self-verification program and a program to check your business partners.

Information purposes only. Recognizing that many complicated factors may be involved in customs issues, an importer may wish to obtain a ruling under Customs Regulations, 19 C.F.R. Part 177, or obtain advice from an expert(such as a licensed Customs Broker, attorney or consultant) who specializes in Customs matters. Reliance solely on the general information in this may not be considered reasonable care. cmkey

2


Table of Contents TOC C-TPAT INTRODUCTION – Historical Background 14 EUROPE – Authorized Economic Operator (AEO) C-TPAT Picture 15 Manual Elements Common Focus Points Container/Trailer Greatest Risk Security Recommendations 16 IMPORTERS 16 Procedural Security: Physical Security: Access Controls: Personnel Security: Education and Training Awareness: Manifest Procedures: Conveyance Security: CUSTOMS BROKER C-TPAT 17 Business Partner Requirement C-TPAT - European Equivalent (AEO) info connection 17 MRA & CMAA Countries listed 8 (inserted within broker C-TPAT info 18 Container & Trailer Security 19 Container & Trailer Seals Physical Access Controls

see pages

Challenging and Removing Unauthorized Persons 20 Procedural Security Physical Security 21 see pages Information Technology Security Security Training & Threat Awareness Summary of CTPAT benefits GAO 22 Manufacturers 23

Physical Security Personnel Security: Education and Training Awareness: WAREHOUSES 23 Physical Security: Procedural Security: Personnel Security: Education and Training Awareness: 24

AIR CARRIERS 24 Procedural Security:

Personnel Security: Physical Security: Conveyance Security

Sea Carriers 24 Access Controls: Procedural Security: Manifest Procedures 25 Personnel Security Education and Training Awareness 25 Physical Security

3


C-TPAT Security Criteria 25 Sea Carriers (see pg 477 risk) Business Partner Requirements Security procedures Business Partner Requirements Security procedures Container Security 26 ·Container Seals Container Storage Physical Access Controls ·Boarding and Disembarking of Vessels ·Employees Visitors / Vendors / Service Providers Challenging and Removing Unauthorized Persons Personnel Security 27 ·Pre-Employment Verification ·Background checks / investigations ·Personnel Termination Procedures ·Crewmen Control Deserter/Absconder Risk ·Deserter/Absconder Notifications Procedural Security ·Passenger and Crew BAPLIEs Cargo 28 Security Training and Awareness Physical Security Fencing Gates and Gate Houses Parking Building Structure Locking Devices and Key Controls Lighting Alarms Systems & Video Surveillance Cameras Information Technology Security ·Password Protection Accountability 29 Security Assessment, Response and Improvement· LAND CARRIERS 29 (see pg 477 for loss rate) 29 Conveyance Security Physical Security: Access Controls Procedural Security: Manifest Procedures: Personnel Security Education and Training Awareness C-TPAT Highway Carrier Security Criteria (03/13/2006) 29 Business Partner Requirements 30 Security Procedures Conveyance Security 30 Tractors Trailers 31 Trailer Security Container Security Trailer Seals 31 Less-than Truck Load (LTL) 32 Physical Access Controls Employees

4

TOC4


Visitors/Vendors/Service Providers Personnel Security Procedural Security 32 Documentation Processing 33 Document Review Cargo Physical Security Fencing Gates and Gate Houses Parking Building Structure Locking Devices and Key Controls Lighting Security Training and Threat Awareness 33 Information & Technology Security 34 Accountability FAST Transponder Controls Security Criteria Implementation Plan 34 Highway Carriers For New Highway Carriers Wishing To Join C-TPAT: For Existing C-TPAT Member Highway Carriers: Proposed Implementation Plan Phase 1 34 Phase 2 35 Phase 3 Certifications Air Freight Consolidators/ Ocean Transportation Intermediaries, and NVOCCs 35 Personnel Security Education and Training Awareness Supply Chain Security Profile Questionnaire 35 Supply Chain Security Profile Questionnaire Importers 36 Security Program: Personnel Security Service Provider Requirements Supply Chain Security Profile Questionnaire Brokers Air Freight Consolidators Ocean Transportation Intermediaries/ NVOCCs

From CBP WEBSITE Applying for C-TPAT

36

Historical Information 37 C-TPAT Partner Application for Importers - Instructions Importer for C-TPAT Application Qualifications (previous background, now done online) Application Instructions: Step 1 Business Partner Requirements

Security Procedures Point of Origin 37 Container Security 38 Container Inspection Container Storage

Physical Access Controls Employees Visitors Controls Deliveries (including mail) Challenging and Removing Unauthorized Persons Personnel Security 38

5

TOC5


Personnel Termination Procedures 38 Procedural Security Documentation Processing 38 Manifesting Procedures Manifesting Procedures 39 Shipping & Receiving Cargo Discrepancies Security Training and Threat Awareness

TOC6

Physical Security Fencing Gates and Gate Houses Parking Building Structure

Locking Devices and Key Controls Lighting Information Technology Security - Password Protection Information Technology Security - Accountability Step 2. Submission of your application Step 3 Step 4. 39

Follow Current website instructions

40

1- Foreign Factory PLANT 41 FAQ 3/25/05 Supplier oriented info - Background info Q&A Security Procedures 42 Point of Origin Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs Other internal criteria for selection Container Security Container Inspection Container Seals

43

Container Inspection Container Storage Physical Access Controls Employees Visitors Controls Deliveries (including mail) Challenging and Removing Unauthorized Persons Personnel Security Pre-Employment Verification Background checks / investigations Personnel Termination Procedures Procedural Security 43 Documentation Processing 44 Shipping & Receiving Cargo Discrepancies Security Training and Threat Awareness

6


Physical Security 44 Fencing Gates and Gate Houses Parking Building Structure Locking Devices and Key Controls Lighting Alarms Systems & Video Surveillance Cameras

44

Information Technology Security - Password Protection 45 Information Technology Security – Accountability TD 72-56 gives direction for security; Supplier Facility physical security 2- Plant to Port Tighten Freight Forwarding - Supplier/Vendor 46 TRUCK - Pre-carriage & On-carriage

3 - Foreign Port 4 – Carrier 5 – U.S.Port 6 – Port to Warehouse 7 – Final Destination----all should be secure and C-TPAT Standard T. D. 72-56 39 47 PHYSICAL SECURITY STANDARDS BUILDINGS FENCING GATES GATE HOUSES PARKING LIGHTING LOCKS, LOCKING DEVICES, AND KEYS HIGH RISK CARGO PROCEDURAL SECURITY STANDARDS Personnel Screening SECURITY PERSONNEL COMMUNICATIONS IDENTIFICATION SYSTEM

INDEPENDENT CONTRACTORS CARGO QUANTITY CONTROLS DELIVERY PROCEDURES CONTAINERIZED SHIPMENTS & SEALS SECURITY EDUCATION 47 Specific Standards (TD72-56) Develop PLAN ACME as Importer

47 47

48-52 53

Procedural Security: Physical Security: Access Controls Personnel Security: Education and Training Awareness

Manifest Procedures Documentary Control

7

TOC7


Cargo Handling Conveyance Security: Container Security:

53

Developing a plan to begin the security procedure for your company. 1. Action Plan 2. Corporate Policy Statement 3. Memorandum of Understanding (MOU) a. MOU - Internal Departments b. MOU Business Partners 4. Confidential Questionnaire 5. U.S. & Overseas C-TPAT Site Procedures 6. C-TPAT Improvement Plan Template (refer to 9) 7. Supply Chain IMPORT/EXPORT Organization 8. Employee C-TPAT Training 9. Updates/Enhancement - Additions to Plan Continuous Improvement 10. C-TPAT Checklist 11. Internal Audits

54

TOC8

1. Action Plan (STEP ONE) 55 ACTION PLAN Step 1 1. A clear policy statement 2. MOU Internal 3. MOU External - Business Partners 4. Questionnaire

5. U.S. and Overseas C-TPAT Site Procedures 6. Improvement Position 7. Import/Export Supply Chain Organization

56

8. Training on C-TPAT Awareness 9. Updates/Enhancements

10. C-TPAT Checklist 11. Internal Audit (Outside too) 2 ACME C-TPAT Policy Statement 57 3 A Agreement to Voluntarily Participate Customs-Trade Partnership Against Terrorism ACME INTERNAL MOU Inform Employees 58 For Distribution to Employees Security What is C-TPAT

Participation in C-TPAT is available to the following: Benefits of Participation: Reason - To be successful, employees must buy into program 3 B ACME VENDOR MOU 59 Minimum-Security Criteria for C-TPAT Foreign Manufacturers in English (10/01/2007) 61 Business Partner Requirement Security procedures Point of Origin Participation/Certification in a Foreign Customs Administration Supply Chain Security Program Security Procedures 61 Container and Trailer Security 62 Container Inspection Trailer Inspection Container and Trailer Seals Container and Trailer Storage

8


Physical Access Controls 62 Employees Visitors Deliveries (including mail) 63 Challenging and Removing Unauthorized Persons

TOC9

Personnel Security Pre-Employment Verification Background Checks / Investigations Personnel Termination Procedures Procedural Security Documentation Processing Manifesting Procedures Shipping and Receiving Cargo Discrepancies Physical Security Fencing Gates and Gate Houses Parking Building Structure Locking Devices and Key Controls Lighting 63 Alarms Systems and Video Surveillance Cameras 64

Information Technology Security Password Protection Accountability Security Training and Threat Awareness C-TPAT Application Instructions for Foreign Manufacturers **(also see page 18) Step 1. Prepare a C-TPAT Supply Chain Security Profile. C-TPAT Security Guidelines for Foreign Manufacturers (not exhaustive, a start point) Conveyance Security 64 Conveyance Inspection Procedures Conveyance Tracking and Monitoring Procedures Business Partner Requirements 65 Security Procedures

Point of Origin Other internal criteria for selection

Container Security Container Inspection

Container Seals Container Storage 65 Physical Access Controls Employees Visitors Controls

66

Deliveries (including mail) 58 Challenging and Removing Unauthorized Persons Personnel Security Pre-Employment Verification Personnel Termination Procedures Documentation Processing Manifesting Procedures Shipping & Receiving Cargo Discrepancies Physical Security Fencing 66

Gates and Gate Houses 67 Parking Building Structure Locking Devices and Key Controls Lighting Information Technology Security

9


Password Protection 67 Accountability Step 2. Submission of your application Step 3. After entering your online application Step 4. CBP Review Process 67

4 ACME 68 Business Partner Security Questionnaire

TOC10

Documentation Processing: 69 Personnel Security: Education and Training Awareness:

Threat Awareness Documentation Processing: Manifest Procedures:

Agreement to Voluntarily Participate Customs-Trade Partnership Against Terrorism MOU 70 ACME EXECUTIVE SECURITY PROFILE SUMMARY EXAMPLE 71 Physical Security Container Shipments & Seals Personnel Security 72 ACME Service Provider Requirements - Product suppliers, Carriers, Forwarders 72 5 ACME C-TPAT SITE PROCEDURES ACME SITE PLAN 1234 any street anytown, NC 27101 Physical Security Buildings

73

73

74

FENCING Gate Parking LIGHTING LOCKS, LOCKING DEVICES, AND KEYS PROCEDURAL SECURITY STANDARDS Personnel Screening CARGO QUANTITY CONTROLS 74 DELIVERY PROCEDURES 75

CONTAINERIZED SHIPMENTS & SEALS 7 Supply chain summary IMPORT/EXPORT SUPPLY CHAIN ACME Supply Chain Organization (Summarize how your supply chain is organized.) 76 Cover the complete process order placement through delivery. VENDOR PRE-CARRIAGE MOVEMENT OCEAN/AIR - MAIN CARRIAGE ON-CARRIAGE (inland) 20XX ACME Supplier Security Acknowledgement 77 8 ACME TRAINING 79 9 Updates/changes 80 UPDATES & ENHANCEMENTS - Additions to Plans 10 ACME IT SECURITY POINTS 81 User Responsibilities Protecting Information Wherever It Is Located

10


E-MAIL POLICY 82 Discarding Information Reporting of Security Breaches or Suspicious Activity ACME IT INTERNAL AUDIT PLAN 11 ACME 83 C-TPAT - Checklist (EXAMPLE) Update, Internal Audit 10+2"

84

8/21/13 Penalty 1. Manufacturer name and address 85 2. Seller name and address 3. Container stuffing location 4. Consolidator name and address 5. Buyer name and address 6. Ship to name and address 7. Importer of record number 8. Consignee number 9. Country of origin of the goods Vessel Stow Plan Container Status Messages Vessel Stow Plan information consists of:

85

Annex A: Proposed Data Definitions 86 Manufacturer/Supplier Name & Address Seller Name/ Seller Address Buyer Name/Buyer Address Ship To Name and Address

Container Stuffing Location 87 Consolidator Name and Address (if applicable) Importer (of Record Number) Consignee (Number) Country of Origin Commodity 6-Digit HTS Current Required Manifest Data Security Filing Data (10 + 2) 88 Amendment(s) published November 25, 2008, in 73 FR 71779 § 4.7d Container status messages. Time of transmission 89 Contents of report Capitalize on 10 + 2 90 10 + 2 FORM 91 10 + 2 FORM 92

ISF problems…address 93 Seal Procedures 94 1. U.S. Importers–Point of Sealing 2. Manufacturers–Point of Sealing 3. Exporters – Point of Sealing 4. U.S. Importers – Point of Receipt

11

TOC11


5. Consolidators 6. Consolidators receiving from U.S. exporters - Point of Receipt 94 7. Importers 95 8. Cross-border highway carriers 9. Domestic highway carriers 10. Domestic highway carriers RECEIVING EXAMINATION:

TOC12

IMPORTANCE of THIS PART 96 TD 72-56 deals with smuggling. It applies to anti-terrorism C-TPAT. Follow the procedures here to RECEIVING – Seal should be intact at receipt TRAILER Seals

Container Number on Rear Door 97 Container Number Interpretation 98

Basic guidelines for receiving all shipments. 99 1. Designate a person 2. Designate a formal receiving area. 3. Accurate carton count 4. Check for damage & weights

5. Sign the freight bill 6. Filing a claim for overages, shortages, visible and concealed damages. 7. Notify Accounts Payable 100

Seal Affixing Process: 101-102 Seal Inspection… 102 Seal Verification and Inspection Process: 103 Container Inspection Form 104 7-Point Container Inspection 105 7-Point Container Inspection 106 Outside Doors 7-Point Container Inspection 107 Inside Doors Right/Left Sides 108 Front Wall 109 Front Wall 110 Ceiling/Roof 111 FLOOR 112 Floor 113 Container Inspection 114 17 Point Trailer/Container Inspection 115 Compliance Manual Points 116 Risk Assessment 117 APPENDIX I `121 5 Step ILLUSTRATED 147 by CBP.gov

12


1. Whether the company has performed a meaningful risk analysis. RISK greatest risk is in pre and on carriage land carriers 112 2. The existence of a formal written compliance program. WRITTEN MANUAL 3. Whether appropriate senior organizational officials are responsible for overseeing the compliance program. OFFICER has clout to get program in place & operating 4. Whether adequate training is provided to employees. TRAINING (internal & external) 5. Whether the company adequately screens its customers/(suppliers-import) and transactions. Checks/screen 6. Whether the company meets recordkeeping requirements. Records 7. The existence and operation of an internal system for reporting violations. Reporting 8. The existence and result of internal/external reviews or audits. Reviews & changes 9. Whether remedial activity has been taken in response to violations. Action

13


C-TPAT INTRODUCTION – Historical Background TOC FOLLOWING 9/11, in a message 4/15/05 former Commissioner Bonner touched on issues currently related to CTPAT. C-TPAT is a layer. It is a part of a much larger strategy, part of CBP's philosophy of a smart and extended border security strategy designed to protect the global supply chain, our country, our economy-and ultimately, others countries and the global economy. Most of you are familiar with the four core initiatives upon which our strategy is built. They are: 1. Requiring advance electronic information on all cargo shipments coming to the United States, moving by land air, and sea, so that we know what is coming to our shores long before it arrives. That's the 24-Hour and Trade Act rules. 2. Analyzing that information-that is, evaluating every container for terrorist risk before it is loaded on board vessels for U.S. seaports. We do that through automated risk management, through our Automated Targeting System housed in CBP's National Targeting Center. And every container deemed a potential risk-100 percent-are given a security inspection at the port of arrival in the United States-or before arrival through the Container Security Initiative-or CSI. 3. Under CSI, we work with our host nation partners to inspect containers identified as high risk before they are loaded on ships and bound for the U.S.; and 4. We have partnered with the private sector to better secure the global supply chain, in exchange for faster processing of goods at U.S. ports of arrival. That, of course, is C-TPAT. C-TPAT is the largest, and I believe, the most successful government-private sector partnership to arise out of 9/11. But at this point in our partnership-at the 3-year juncture, we face a new challenge-and that is complacency. Together, we've accomplished a great deal. That's true. But a certain danger lies in that success, in thinking that we've run the race and crossed the finish line. That we're done. Thinking: my company is already in the fast lane. What else do we need to do? Well, let me tell you: We must continue to work to close the gaps that global terrorists might seek to exploit. We must not permit them to use the primary systems of global trade as a weapon against us. We must continue to raise the bar toward better security practices that reduce the vulnerabilities of our global trading and transportation systems. Because, ladies and gentlemen, the reasons that led to C-TPAT, and CSI, and risk targeting, and 24-Hour Rule HAVE NOT GONE AWAY. We must not forget why C-TPAT was created in the first place. It was created as a result of 9/11, but it was created because there was-and still is-a continuing, real threat of terrorist attack. That threat still exists. Al Qaeda has vowed to strike us again-even harder than 9/11. Our enemy is patient. And, we know they are single-mindedly focused on hurting America and the West, on damaging not only the American economy, but the global economy. That's the reality. C-TPAT reached another milestone. The number of private sector companies that have joined C-TPAT, that have pledged to meet C-TPAT security criteria went over 9,000 last week. 9,083 to be exact. That's over 5,000 importers-and 2,200 carriers-1,400 brokers, and nearly 400 foreign manufacturers. In other words, C-TPAT has grown from 7 partners in November 2001, when it started, to over 9,000 today. That's an average of 2,000 to 3,000 new members applying each year. EUROPE Pre-arrival/pre-departure declarations. Traders will be required to provide customs authorities with advance information on goods prior to import to or export from the EU as of July 2009. The mandatory declarations, in combination with computerized risk management systems that allow real-time, risk-related information exchange between Member States, will accelerate the release of low-risk consignments, enabling a focus on high-risk shipments. 10+2 Authorized Economic Operator (AEO). Reliable traders stand to benefit from easier, streamlined trading processes thanks to the Authorized Economic Operator program, which was effective January 1, 2008. Member States may grant AEO status to any economic operator that meets common criteria relating to the operator's security systems, financial solvency, and compliance record.

14


Elements of compliance manuals: 1. Whether the company has performed a meaningful risk analysis. 2. The existence of a formal written compliance program. 3. Whether appropriate senior organizational officials are responsible for overseeing the export compliance program. 4. Whether adequate training is provided to employees. 5. Whether the company adequately screens its customers and transactions. 6. Whether the company meets record-keeping requirements. 7. The existence and operation of an internal system for reporting export violations. 8. The existence and result of internal/external reviews or audits. 9. Whether remedial activity has been taken in response to export violations. TOC C-TPAT and other compliance requires manuals and support materials to make effort work with success. Importers, Brokers, Manufacturers, Air & Sea Carriers, Forwarders including NVOCC C-TPAT contain common elements: Procedural Security Physical Security Access Controls Personnel Security Education and Training Awareness Manifest Procedures Conveyance Security IT Security The content of this document provides information to support and develop a secure supply chain. The shipping container and delivery vehicle can be used to cause harm. From point of origin to receipt, steps must be taken to strengthen and secure the process. This may be an area that needs intense vigilance. Containers/trailers in the yard (unattended). Invest in technology. In the supply chain trailer yard attention remains unchanged. Trailer yards are critical intersection between the warehouse and transportation network. About 500 million trailer shipments per year in the United States. Across 250000 plant and warehouses. Trailer yard is blind spot because majority handled manually.. Trailer assets (containers) are tracked heavily on road but not in yards. Lack of technology use results in: Delays to and from warehouse Lack of visibility shuttling between facilities Gate congestion Demurrage or detention charges Inability to monitor for safety and compliance Asset used monitoring 80% on road and 20% in yard or when stationary. There is blind spot in container/trailer yard. You loose visibility when stationary. Most effective method is use of passive RFID tag- tag fleet or in/out gate. Use of Cloud, Internet, Drones, Mobile devices; employing GPS, RFID, Cameras and Sensors provides better visibility. Drones can track yards locating assets, tracking use, supplementing with pictures/videos. Information is supplied to yard drivers on asset location. Need real time data to maintain security on these assets.

Security Recommendations

15


Back TOC3 Contains a list of suggestions for establishing, improving, or amending, security procedures along the entire supply chain. Each set of recommendations applies to a specific segment of the import chain such as a carrier, broker, importer, or warehouse and is meant to serve as only a guide and not as an established standard. As the C-TPAT evolves, the advice may be adjusted to further reflect input by the trade community. Any changes will be updated on this web site (U.S. Customs Service) accordingly.

IMPORTERS Develop and implement a sound plan to enhance security procedures throughout your supply chain. Where an importer does not control a facility, conveyance or process subject to these recommendations, the importer agrees to make every reasonable effort to secure compliance by the responsible party. The following are general recommendations that should be followed on a case-by-case basis depending on the company's size and structure and may not be applicable to all. Procedural Security: Procedures should be in place to protect against un-manifested material being introduced into the supply chain. Security controls should include the supervised introduction/removal of cargo, the proper marking, weighing, counting and documenting of cargo/cargo equipment verified against manifest documents, the detecting/reporting of shortages/ overages, and procedures for verifying seals on containers, trailers, and railcars. The movement of incoming/outgoing goods should be monitored. Random, unannounced security assessments of areas in your company's control within the supply chain should be conducted. Procedures for notifying Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected, or suspected, by the company should also be in place. Refer to TDb72-56 Physical Security: All buildings and rail yards should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Physical security should include perimeter fences, locking devices on external and internal doors, windows, gates and fences, adequate lighting inside and outside the facility, and the segregation and marking of international, domestic, high-value, and dangerous goods cargo within the warehouse by a safe, caged or otherwise fenced-in area. Access Controls: Unauthorized access to facilities and conveyances should be prohibited. Controls should include positive identification all employees, visitors, and vendors. Procedures should also include challenging unauthorized/ unidentified persons. Personnel Security: Companies should conduct employment screening and interviewing of prospective employees to include periodic background checks and application verifications. Education and Training Awareness: A security awareness program should be provided to employees including the recognition of internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. These programs should offer incentives for active employee participation in security controls. Manifest Procedures: Companies should ensure that manifests are complete, legible, accurate, and submitted in a timely manner to Customs. Conveyance Security: Conveyance integrity should be maintained to protect against the introduction of unauthorized personnel and material. Security should include the physical search of all readily accessible areas, the securing of internal/external compartments and panels, and procedures for reporting cases in which unauthorized personnel, un-manifested materials, or signs of tampering, are discovered.

16


CUSTOMS BROKER C-TPAT

Back TOC3

U.S. Customs Brokers must conduct a comprehensive assessment of their security practices based upon the following C-TPAT minimum-security criteria. Recognizing that Customs Brokers normally do not play a significant role in the physical aspects of stuffing, loading, transporting and distributing merchandise, the broker does play a decisive role in the transmission of key trade data and as a liaison between U.S. Customs and Border Protection (CBP) and other key entities in the supply chain. In this capacity, the brokers key role for C-TPAT is to educate, corroborate, and encourage that members within supply chains further the supply chain security tenets of C-TPAT.(Broker clients) These minimum-security criteria are fundamentally designed to be the building blocks for C-TPAT members to institute effective security practices designed to optimize supply chain performance to mitigate the possibility that terrorists could exploit a supply chain. Strong supply chain security measures also reduce the risk of loss, theft, and contraband smuggling that could potentially introduce dangerous elements into the global supply chain. C-TPAT recognizes the complexity of international supply chains and security practices, and endorses the application and implementation of security measures based upon risk. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through, to point of distribution and recognizes the diverse business models that C-TPAT members employ. Therefore, the program allows for flexibility and the customization of security plans based on the members business model. Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the Brokers business model, based on risk. Business Partner Requirement (need to update) Unless otherwise expressly indicated, for purposes of implementing the minimum standards prescribed in this section, the term “business partner” will include all third parties within the supply chain with whom the Customs Broker voluntarily, and on its own initiative engages in the performance of its agency obligations for importer clients (but does not include those clients). Brokers must have written and verifiable processes for the screening of new business partners, beyond financial soundness issues, to include security indicators. · Written procedures must exist to address the specific factors or practices as determined by CBP as sufficient to trigger additional scrutiny of the import transaction as informed by U.S. Customs and Border Protection (CBP). CBP will work in partnership with the brokers to identify specific information regarding what factors, practices or risks are relevant. · For business partners eligible for C-TPAT certification, the Customs Broker must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are, or are not C-TPAT certified. Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs Administration should be required to indicate their status of participation to the broker. To the extent such information can be obtained, brokers will maintain secure provider lists of C-TPAT certified (or equivalent) service providers in all relevant categories. C-TPAT - European Equivalent European companies can apply for a AEO certificate ( Authorized Economic Operator) from the EU Commission. This signifies that they and their supply chain partners are operating in a customs-controlled financially responsible and physically secure environment. This went live in January 2008. There are three areas. Customs Simplification, requiring compliance with financial and customs regulations; Security & Safety, covers facility & cargo transportation security requirements; Full AEO combines elements of both. To achieve the last status, a company must demonstrate, among other things, a record of compliance with customs requirements, proven financial solvency and appropriate security and safety standards. The preferred status is the drawing card (benefits) over the additional costs to attain that certification. Customs Simplification = Importer Self Assessment (U.S.) Security & Safety = C-TPAT (U.S.) AEO = both MRA & CMAA In June 1967, the Customs Cooperation Council (CCC), known since 1994 as the World Customs Organization (WCO), adopted a model bilateral convention on mutual administrative assistance for countries to implement as part of a national customs policy. U.S. Customs and Border Protection has used this model as a basis for negotiating Customs Mutual Assistance Agreements (CMAAs) with other foreign administrations since joining the CCC in 1970. Domestic and foreign courts recognize each agreement as a legal basis for wide ranging cooperation.

17


Such a legal framework is vital because of explosive growth in the volume and complexity of international trade. Great demands are being placed on customs administrations around the world. With government resources not able to keep pace with this growing trade, customs administrations rely on mutual assistance as a powerful investigative tool. The agreements allow for the exchange of information, intelligence, and documents that will ultimately assist countries in the prevention and investigation of customs offenses. The agreements are particularly helpful for U.S. AttachĂŠ offices, as each agreement is tailored to the capacities and national policy of an individual country's customs administration. Following are countries with whom the United States has Customs Mutual Assistance Agreements, as of September 2016: Back TOC3

AFRICA Algeria Gabon Ghana Kenya Mauritius Morocco Nigeria Senegal South Africa ASIA Australia China Hong Kong India Indonesia Japan Korea Malaysia Maldives Mongolia New Zealand Philippines Singapore American Institute in Taiwan (AIT) - Taipei Economic and Cultural Representative Office (TECRO) Agreement Regarding Mutual Assistance EUROPE Austria Azerbaijan Belarus Belgium Bulgaria Cyprus Czech Republic Denmark European Community Finland France Germany Greece Hungary Ireland Italy Latvia Lithuania Malta Montenegro Netherlands Norway

18


Poland Portugal Romania Russian Federation Serbia Slovakia Spain Sweden Turkey Ukraine United Kingdom

Middle East Bahrain Israel Jordan Kazakhstan Pakistan Western Hemisphere Argentina Brazil Canada Chile Colombia Costa Rica Dominican Republic Ecuador Honduras Mexico Panama Paraguay Peru Trinidad & Tobago Uruguay Venezuela

Check current list Back TOC3 For client-importers, brokers must ensure that C-TPAT security criteria is provided by making educational opportunities available through seminars, through consultative services, dissemination of text materials, and/or through providing assistance to clients in obtaining such materials on the CBP website or elsewhere, when requested. The brokers must develop and document a process for handling security related client-importer inquiries. Brokers should encourage client-importers to join the C-TPAT program.

Container & Trailer Security Customs Brokers must convey to their business partner importers, whether a C-TPAT member or not, concerning the criticality of having security procedures in place at the point of stuffing, procedures to inspect, properly seal and maintain the integrity of the shipping containers and trailers. Customs Brokers should also convey to their business partners, that the seven-point inspection process for empty containers prior to the loading the cargo, as well as the seventeen-point inspection process for all trailers/tractors, should be followed and can be found on the C-TPAT Secure Communications Portal, under Document Exchange. Container & Trailer Seals The sealing of trailers and containers, to include continuous seal integrity, are crucial elements of a secure supply chain, and the broker should convey to their business partners that seals used to secure loaded containers and trailers bound for the U.S. must meet or exceed the current PAS ISO 17712 standards for high security seals. ¡ Remind all client-importers that all loaded U.S.-bound containers and trailers must have a PAS ISO 17712 highsecurity seal affixed. ¡ When necessary, the broker should also inform their business partners that they must institute procedures for recognizing and reporting compromised seals to CBP or the appropriate foreign authority. Physical Access Controls Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees and visitors at all points of entry.

¡

Employees

For all brokers, procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. In addition, for broker facilities at which there is in excess of 50 employees, a security identification system must

19


be in place for positive identification and access control purposes, under which company management or security personnel will maintain and adequately control the issuance and return of employee photo identification badges, or equivalent control.

· Visitors

Back TOC3

For documentation purposes, unknown visiting persons should be required to present photo identification upon arrival and should be escorted while on the broker's premises. The broker should maintain a logbook or electronic diary of all unknown visiting persons, recording such data as visitor name, purpose of visit and confirmation of identity. In addition, for the broker category of facilities in excess of 50 employees, all visitors/vendors should be provided temporary identification badges upon arrival, to be visibly displayed at all times while on the brokers premises.

· Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized and/or unidentified persons.

·

Deliveries (including mail)

Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival of all first time/unknown vendors or vendor representatives. At times of heightened alert involving package and mail delivery, these items should be screened before being disseminated.

· Personnel Security Written and verifiable processes must be in place to screen prospective employees and to periodically check current employees. · Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment.

·

Background checks / investigations

Background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employees position.

· Personnel Termination Procedures Customs Brokers must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security Security measures must be in place to ensure the integrity of any data or documents relevant to security of processes, transportation, handling, and storage of cargo in the supply chain. · Customs Brokers should notify CBP and/or other law enforcement agencies, as specified by CBP for these purposes, whenever quantity, and unit of measure (i.e. boxes, cartons, etc.) of the cargo being cleared. · Review of documentation for completeness and clarity and contacting the business partner or importer/exporter, as necessary, to obtain corrected documentation or information. · To the extent such information comes to the brokers attention, alerting the importer/exporter of its obligation to notify CBP and/or any other appropriate law enforcement agency of any errors and/or shortages and overages of merchandise that create a security risk in the supply chain, and providing assistance that is consistent with its for hire services in making such notification and correction of data as may be required or requested by the importer/exporter.

· Advanced Submission of Data C-TPAT importers who are currently NOT filing entry prior to the arrival of their cargo in the port of arrival are not receiving their full C-TPAT benefits, especially reduced examinations. To fully realize the reduced cargo examinations afforded to certified and validated C-TPAT importers, entry must be made to CBP as early in the importation process as possible, and at a minimum, of 24 hours prior to the cargo arriving to the first port of entry within the United States. The reason this is necessary is that C-TPAT benefits are aligned with a C-TPAT members' importer of record number. The importer of record number only becomes known when entry is filed; importer of record numbers are not identified on manifest information. To receive full benefits, the entry should be filed prior to arrival of the cargo. This applies only to cargo imported via ocean transport (sea containers), and not to cargo arriving via other modes of transport · Cargo Discrepancies All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or CBP and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities anomalies are detected or suspected- as appropriate. The broker will insure that the client-importer is aware of the following: · The discrepancy or anomaly must be fully investigated. · CBP and/or other appropriate law enforcement agencies, as appropriate, should be notified of such discrepancy or anomaly. · Consistent with its for hire services, the broker can assist in the reporting of the anomaly, and will make appropriate modifications in the transmission of entry data.

·

Shipping & Receiving

Arriving cargo should be reconciled against information on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before the cargo is received or released. Procedures should also be established to track the timely movement of incoming goods.

20


Physical Security Back TOC3 Cargo handling and storage facilities, as well as those facilities used to make entry of international cargo, must have physical barriers and deterrents that guard against unauthorized access. Brokers should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable. (Note: C-TPAT is cognizant of the diverse business models that Brokers employ and takes into consideration that the physical security measures outlined in this document may not correspond to the business model of some C-TPAT brokers.) · Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities. When required by CBP, interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage. · Gates and Gate Houses Security gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. · Parking Where substantially comparable alternative parking is available, private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. · Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. · Lighting Adequate lighting must be provided inside and outside the facility including the following areas:

entrances and exits, cargo handling and storage areas, fence lines and parking areas. · Alarms Systems & Video Surveillance Cameras When reasonably and specifically required by CBP, alarm systems and video surveillance cameras must be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas. · Physical Security Cargo handling and storage facilities, as well as those facilities used to make entry of the international cargo, must have physical barriers and deterrents that guard against unauthorized access. · Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Office buildings must have after hour access limited. Information Technology Security Measures must be in place to safeguard computer access and information. A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. · Password Protection ( Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training. · System and Data Protection Anti-virus and anti-spy ware should be installed and kept current in Customs Broker computer systems susceptible to infiltration. Security Training & Threat Awareness As a liaison between CBP and trade community, the broker should create opportunities to educate the importing community on C-TPAT policy, and those areas in which the broker has relevant expertise, which might include security procedures, best practices, access controls, documentation fraud, information security, internal conspiracies, and technologies that further the goal of a secure global supply chain. These interactions should focus on employees working in shipping, information technology, receiving and mailroom processing. · A security awareness program should also include notification being provided to CBP and other law enforcement agencies whenever anomalies or illegal activities related to security are detected or suspected. see for your training internal application

www.ruraltraining.org/training/online (you will have to register and get password)

21


Back TOC3

22


MANUFACTURERS C-TPAT PROCESS Back TOC3 Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case by case basis depending on the company's size and structure and may not be applicable to all. The company should have a written security procedure plan in place that addresses the following: Physical Security: All buildings should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Physical security should include: * Adequate locking devices for external and internal doors, windows, gates, and fences. * Segregation and marking of international, domestic, high-value, and dangerous goods cargo within the warehouse by a safe, caged, or otherwise fenced-in area. * Adequate lighting provided inside and outside the facility to include parking areas. * Separate parking area for private vehicles separate from the shipping, loading dock, and cargo areas. * Having internal/external communications systems in place to contact internal security personnel or local law enforcement police. Access Controls: Unauthorized access to the shipping, loading dock and cargo areas should be prohibited. Controls should include: * The positive identification of all employees, visitors and vendors. * Procedures for challenging unauthorized/ unidentified persons. Procedural Security: Measures for the handling of incoming and outgoing goods should include the protection against the introduction, exchange, or loss of any legal or illegal material. Security controls should include: (see page 698 etc.) * Having a designated security officer to supervise the introduction/removal of cargo. see 708 * Properly marked, weighed, counted, and documented products. * Procedures for verifying seals on containers, trailers, and railcars.

* Procedures for detecting and reporting shortages and overages. * Procedures for tracking the timely movement of incoming and outgoing goods. * Proper storage of empty and full containers to prevent unauthorized access. * Procedures to notify Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected or suspected by the company. Personnel Security: Companies should conduct employment screening and interviewing of prospective employees to include periodic background checks and application verifications. Education and Training Awareness: A security awareness program should be provided to employees including recognizing internal conspiracies, maintaining product integrity, and determining and addressing unauthorized access. These programs should encourage active employee participation in security controls.

WAREHOUSES Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company's size and structure and may not be applicable to all. Warehouses as defined in this guideline are facilities that are used to store and stage both Customs bonded and non-bonded cargo. The company should have a written security procedure plan in place addressing the following: Physical Security: All buildings should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Physical security should include: * Adequate locking devices for external and internal doors, windows, gates and fences. * Adequate lighting provided inside and outside the facility to include parking areas. • Segregation and marking of international, domestic, high-value, and dangerous goods cargo within the warehouse by a safe, caged, or otherwise fenced-in area. * Separate parking area for private vehicles separate from the shipping, loading dock, and cargo areas. • Having internal/external communications systems in place to contact internal security personnel or local law enforcement police. Access Controls: Unauthorized access to facilities should be prohibited. Controls should include: * The positive identification of all employees, visitors, and vendors. * Procedures for challenging unauthorized/ unidentified persons. Procedural Security: Procedures should be in place to protect against unmanifested material being introduced into the warehouse. Security controls should include: * Having a designated security officer to supervise the introduction/removal of cargo.

•

Properly marked, weighed, counted, and documented cargo/cargo equipment verified

against manifest documents. * Procedures for verifying seal on containers, trailers, and railcars. * Procedures for detecting and reporting shortages and overages. * Procedures to notify Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected or suspected by the company. * Proper storage of empty and full containers to prevent unauthorized access.

23


Personnel Security: Companies should conduct employment screening and interviewing of prospective employees to include periodic background checks and application verifications. Education and Training Awareness: A security awareness program should be provided to employees including recognizing internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. These programs should encourage active employee participation in security controls. Back TOC3

AIR CARRIERS Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company's size and structure and may not be applicable to all. Conveyance Security: Aircraft integrity should be maintained to protect against the introduction of unauthorized personnel and material. Conveyance security procedures should include the physical search of all readily accessible areas, securing all internal/external compartments and panels, and reporting cases in which un-manifested materials, or signs of tampering, are discovered. Access Controls: Unauthorized access to the aircraft should be prohibited. Controls should include the positive identification of all employees, visitors and vendors as well as procedures for challenging unauthorized/unidentified persons. Procedural Security: Procedures should be in place to protect against un-manifested material being introduced aboard the aircraft. Security controls should include complete, accurate and advanced lists of international passengers, crews, and cargo, as well as a positive baggage match identification system providing for the constant security of all baggage. All cargo/cargo equipment should be properly marked, weighed, counted, and documented under the supervision of a designated security officer. There should be procedures for recording, reporting, and/or investigating shortages and overages, and procedures to notify Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected or suspected by the carrier. Manifest Procedures: Companies should ensure that manifests are complete, legible, accurate, and submitted in a timely manner to Customs. Personnel Security: Employment screening, application verifications, the interviewing of prospective employees and periodic background checks should be conducted. Education and Training Awareness: A security awareness program should be provided to aboard the aircraft. Security controls should include complete, accurate and advanced lists of international passengers, crews, and cargo, as well as a positive baggage match identification system providing for the constant security of all baggage. All cargo/cargo equipment should be properly marked, weighed, counted, and documented under the supervision of a designated security officer. There should be procedures for recording, reporting, and/or investigating shortages and overages and procedures to notify Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected or suspected by the carrier. Manifest Procedures: Companies should ensure that manifests are complete, legible, accurate, and submitted in a timely manner to Customs. Personnel Security: Employment screening, application verifications, the interviewing of prospective employees and periodic background checks should be conducted. Education and Training Awareness: A security awareness program should be provided to employees including recognizing

internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. These programs should encourage active employee participation in security controls. Physical Security: Carrier's buildings, warehouses, and on & off ramp facilities should be constructed of materials which resist unlawful entry and protect against outside intrusion. Physical security should include adequate locking devices for external and internal doors, windows, gates and fences. Perimeter fencing should also be provided, as well as adequate lighting inside and outside the facility; including parking areas. There should also be segregation and marking of international, domestic, high-value, and dangerous goods cargo within the warehouse by means of a safe, cage, or otherwise fenced-in area. Sea Carriers

Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company's size and structure and may not be applicable to all. Conveyance Security: Vessel integrity should be maintained to protect against the introduction of unauthorized personnel and material. Conveyance security should include the physical search of all readily accessible areas, the securing all internal/external compartments and panels as appropriate, and procedures for reporting cases in which un-manifested materials, or signs of tampering, are discovered. Access Controls: Unauthorized access to the vessel should be prohibited. Controls should include the positive identification of all employees, visitors, and vendors. Procedures for challenging unauthorized/unidentified persons should be in place. Procedural Security: Procedures should be in place to protect against un-manifested material being introduced aboard the vessel. Security procedures should provide for complete, accurate and advanced lists of crews and passengers. Cargo should be loaded and discharged in a secure manner under supervision of a designated security representative and shortages/overages should be reported appropriately. There should also be procedures for

24


notifying Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected, or suspected, by the company. Manifest Procedures: Manifests should be complete, legible, accurate and submitted in a timely manner pursuant to Customs regulations. Personnel Security: Employment screening, application verifications, the interviewing of prospective employees and periodic background checks should be conducted. Education and Training Awareness: A security awareness program should be provided to employees including recognizing internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. These programs should encourage active employee participation in security controls. Physical Security: Carrier's buildings should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Physical security should include adequate perimeter fencing, lighting inside and outside the facility, and locking devices on external and internal doors, windows, gates, and fences. C-TPAT Security Criteria Back TOC3 Sea Carriers Sea carriers must conduct a comprehensive assessment of their security practices based upon the following C-TPAT minimum-security criteria. Where a sea carrier does not control a specific element of the cargo transportation service it has contracted to provide, such as marine terminal operator or a time chartered vessel with whom it has contracted, the sea carrier must work with these business partners to seek to ensure that pertinent security measures are in place and adhered to. The sea carrier is responsible for exercising prudent oversight for all cargo loaded on board its vessel, pursuant to applicable law and regulations and the terms of this program. C-TPAT recognizes the complexity of international supply chains and security practices, and endorses the application and implementation of security measures based upon risk. Therefore, the program allows for flexibility and the customization of security plans based on the members business model. Security measures, as listed throughout this document, must be implemented and maintained as appropriate to the carriers business model and risk understanding. CBPs C-TPAT validation process shall include a review of the carriers assessment and program. C-TPAT recognizes that sea carriers are already subject to defined security mandates created under the International Ship and Port Security Code (ISPS) and the Maritime Transportation Security Act (MTSA). It is not the intention of C-TPAT to duplicate these vessel and facility security requirements, rather, C-TPAT seeks to build upon the ISPS and MTSA foundation and require additional security measures and practices which enhance the overall security throughout the international supply chain. ISPS and MTSA compliance are a prerequisite for C-TPAT sea carrier membership, and only vessels in compliance with the applicable ISPS code requirements may be utilized by C-TPAT members. Marine terminals operated by CTPAT members must also comply with ISPS code requirements. The Physical Access Controls and Physical Security provisions of these criteria are satisfied for ISPS regulated vessels and port facilities by those vessels or facilities compliance with the ISPS Code and Coast Guard regulations. Business Partner Requirements Sea carriers must have written and verifiable procedures for the screening of carriers agents and service providers contracted to provide transportation services for the carrier. Sea carriers must also have screening procedures for new customers, beyond financial soundness issues to include indicators of whether the customer appears to be a legitimate business and/or posses a security risk. Sea carriers shall also have procedures to review their customers requests that could affect the safety of the vessel or the cargo or otherwise raise significant security questions, including unusual customer demands, such as specific stowage placement aboard the vessel (beyond a request for below deck or on deck stowage). Security procedures Sea carriers must have written or web-based procedures for screening new customers to whom they issue bills of lading, which identify specific factors or practices, the presence of which would trigger additional scrutiny by the sea carrier, up to and including a detailed physical inspection of the exterior of the suspect customers container prior to loading onto the vessel. These procedures may also include a referral to CBP or other competent authorities for further review. CBP will work in partnership with the sea carriers to identify specific information regarding what factors, practices or risks are relevant. Sea carriers should ensure that contract vessel services providers commit to C-TPAT security recommendations. Periodic reviews of the security commitments of the service providers should be conducted.

25


Container Security Back TOC4 For all containers in the sea carriers custody, container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. Sea carriers must have procedures in place to maintain the integrity of the shipping containers while in their custody. A high security seal must be affixed to all loaded containers bound for the U.S. All seals used or distributed by the sea carrier must meet or exceed the current PAS ISO 17712 standards for high security seals. Sea carriers and/or their marine terminal operators must have processes in place to comply with seal verification rules and seal anomaly reporting requirements once promulgated and mandated by the U.S. government. Container Inspection The requirement to inspect all containers prior to stuffing (to include the reliability of the locking mechanisms of the doors) is placed upon the importers through the C-TPAT Minimum Security Criteria for Importers dated March 25, 2005. Sea carriers must visually inspect all U.S.-bound empty containers, to include the interior of the container, at the foreign port of lading Container Seals Written procedures must stipulate how seals in the sea carriers possession are to be controlled. Procedures should also exist for recognizing and reporting compromised seals and/or containers to US Customs and Border Protection or the appropriate foreign authority consistent with the seal anomaly reporting requirements once promulgated and mandated by the U.S. government. Container Storage The sea carrier must store containers in their custody in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting detected, unauthorized entry into containers or container storage areas to appropriate local law enforcement officials. Physical Access Controls The sea carrier shall establish access controls to prevent unauthorized entry to its vessels and cargo facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, service providers, government officials and vendors at all restricted access points of entry. Shore employees and service providers should only have access to those areas of the vessel where they have legitimate business. Vessel and facility access controls are governed by the International Ship and Port Security Code and MTSA. The Physical Access Control provisions of these criteria are satisfied for ISPS regulated vessels and port facilities by those vessels or facilities compliance with the ISPS Code and MTSA regulations. 路Boarding and Disembarking of Vessels Consistent with the vessels ISPS security plan, all crew, employees, vendors and visitors may be subject to a search when boarding or disembarking vessels. A vessel visitor log must be maintained and a temporary visitor pass must be issued as required by the vessels security plan. All crewmembers, employees, vendors and visitors, including government officials, must display proper identification, as required by the applicable ISPS/MTSA security plan. 路Employees An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. 路Visitors / Vendors / Service Providers Visitors, vendors, government officials, and service providers must present photo identification for documentation purposes upon arrival at carriers vessels or cargo facilities, and a visitor log must be maintained. Measures described by the approved ISPS/MTSA security plan addressing the escort of visitors and service providers, including, when appropriate, the use of temporary identification will be followed. 路Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.

26


Personnel Security Back TOC4 In compliance with applicable laws and regulations for that location, written and verifiable processes must be in place to screen prospective employees and to periodically check current employees. ·Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment. ·Background checks / investigations Depending on the sensitivity of the position, background checks and investigations shall be conducted for prospective employees as appropriate and as required by foreign, federal, state and local regulations. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employees position. ·Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees. ·Crewmen Control Deserter/Absconder Risk CBP will work with the U.S. Coast Guard and sea carriers to identify specific factors which may indicate when a crewman poses a potential risk of desertion/absconding. When such factors are identified and provided to the carriers, the carrier shall provide this information to its vessel masters and to the vessels under charter to the carrier, and such vessels shall establish procedures to address the potential risk of desertion/absconding. Added security measures appropriate to the risk present should be employed upon arrival into the U.S. port/territories. ·Deserter/Absconder Notifications Vessel masters must account for all crewmen prior to the vessels departure from a U.S. port. If the vessel master discovers that a crewman has deserted or absconded, the vessel master must report this finding by the most practical means to CBP immediately upon discovery and prior to the vessels departure. Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo. Consistent with the carriers ISPS Code security plan, procedures must be in place to prevent unauthorized personnel from gaining access to the vessel. In those geographic areas where risk assessments warrant checking containers for human concealment in containers, such procedures should be designed to address the particular, identified risk at the load port or the particular port facility. CBP will inform the sea carriers when it is aware of a high risk of human concealment or stowaways at particular ports or geographic regions. Documented procedures must also include pre-departure vessel security sweeps for stowaways at the foreign load port, and during normal watch activity while en route to the United States as warranted by risk conditions at the foreign load port. ·Passenger and Crew Sea carriers must ensure compliance with the U.S. Coast Guard Notice of Arrival and Departure requirements so that accurate, timely and advanced transmission of data associated with international passengers and crew is provided to the U.S. government and CBP. · Bill of Lading / Manifesting Procedures Procedures must be in place to ensure that the information in the carriers cargo manifest accurately reflects the information provided to the carrier by the shipper or its agent, and is filed with CBP in a timely manner. Documentation control must include safeguarding computer access and information. Bill of lading information filed with CBP should show the first foreign port (place) where the sea carrier takes possession of the cargo destined for the United States. Baplies (EDIFACT message in shipping industry advising stowage positions on vessel) At the request of CBP, sea carriers will provide a requested BAPLIE and/or stowage plan, in a format readily available. Such requests will be made on a voyage specific basis when CBP requires additional voyage information and will be honored by the sea carrier in a timely manner. CBP recognizes that these are not regulated documents and that the data included may not always match the manifest filing. ·

27


Cargo Customs and/or other appropriate law enforcement agencies must be notified if illegal or highly suspicious activities are detected - as appropriate. Back TOC4 Security Training and Awareness A security awareness program should be established and maintained by the carrier to recognize and foster awareness of security vulnerabilities to vessels and maritime cargo. Employees must be made aware of the procedures the sea carrier has in place to report a security concern or incident. Additionally, specific training should be offered to assist employees in maintaining vessel and cargo integrity, recognizing internal conspiracies, and protecting access controls. Physical Security Carriers shall establish written and verifiable procedures to prevent unauthorized personnel from gaining access to its vessels, including concealment in containers, and to prevent tampering with cargo conveyances while they are in the carriers custody. Such measures are covered by a vessels and a port facilities ISPS security plan. Physical Security provisions of these criteria are satisfied for ISPS regulated vessels and port facilities by those vessels or facilities compliance with the ISPS Code and MTSA regulations. Non-ISPS Code regulated cargo handling and storage facilities and container yards operated by the carrier, in domestic and foreign locations, must have physical barriers and deterrents that guard against unauthorized access. Sea carriers should incorporate the following CTPAT physical security criteria as applicable. Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities, container yards, and terminals. All fencing must be regularly inspected for integrity and damage. Gates and Gate Houses Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored and secured when not in use. Parking Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas, and vessels. Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas. While at port, the pier and waterside of the vessel must be adequately illuminated. ¡Lighting At those locations determined appropriate by the carriers risk assessment, alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to vessels, cargo handling and storage areas. Alarms Systems & Video Surveillance Cameras At those locations determined appropriate by the carriers risk assessment, alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to vessels, cargo handling and storage areas. Information Technology Security ¡Password Protection Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training.

28


Accountability Back TOC4 A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. Security Assessment, Response and Improvement Carriers and CBP have a mutual interest in security assessments and improvements, and recognize that specific, implemented security procedures may be found in the future to have weaknesses or be subject to circumvention. When a security shortcoming or security incident is identified, the Carrier and CBP officials will meet in an effort to ascertain what led to the breakdown and to formulate mutually agreed remedial measures. If CBP determines that the security incident raises substantial concerns or a security weakness requires substantial remediation, CBP headquarters officials will meet with the carriers senior management to discuss such concerns and to identify appropriate remedial measures to be taken. While CBP has the authority to suspend or remove a sea carrier from the C-TPAT program for substantial noncompliance with the security criteria of the program, such authority is exercised only in the most serious circumstances. LAND CARRIERS Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company's size and structure and may not be applicable to all. Conveyance Security: Integrity should be maintained to protect against the introduction of unauthorized personnel and material. Conveyance security procedures should include the physical search of all readily accessible areas, securing all internal/external compartments and panels, and procedures for reporting cases in which un-manifested materials, or signs of tampering, are discovered. Physical Security: All carrier buildings and rail yards should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Physical security should include adequate locking devices on external and internal doors, windows, gates and fences. Perimeter fencing should be addressed, as well as adequate lighting inside and outside the facility, to include the parking areas. There should be segregation and marking of international, domestic, high-value, and dangerous goods cargo within the warehouse by a safe, caged or otherwise fenced-in area. Access Controls: Unauthorized access to facilities and conveyances should be prohibited. Controls should include the positive identification of all employees, visitors, and vendors as well as procedures for challenging authorized/unidentified persons. Procedural Security: Procedures should be in place to protect against un-manifested material being introduced aboard the conveyance. Security controls should include the proper marking, weighing, counting, and documenting of cargo/ cargo equipment under the supervision of a designated security representative. Procedures should be in place for verifying seals on containers, trailers, and railcars, and a system for detecting and reporting shortages and overages. The timely movement of incoming and outgoing goods should be tracked and there should be procedures for notifying Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected or suspected by the company. Manifest Procedures: Companies should ensure that manifests are complete, legible, accurate, and submitted in a timely manner to Customs. Personnel Security: Companies should conduct employment screening and interviewing of prospective employees to include periodic background checks and application verifications. Education and Training Awareness: A security awareness program should be provided to employees including recognizing internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. These programs should encourage active employee participation in security controls.

C-TPAT Highway Carrier Security Criteria (03/13/2006) The supply chain for highway carriers for C-TPAT purposes is defined from point of origin from the yard or where the tractors and trailers are stored, through pickup at the manufacturer/ supplier/vendor, through to the point of distribution – and recognizes the diverse business models C-TPAT members employ. These minimum security criteria are fundamentally designed to be the building blocks for highway carriers to institute effective security practices designed to optimize supply chain performance to mitigate the risk of loss, theft, and contraband smuggling that could potentially introduce dangerous elements into the global supply chain. On a quarterly basis, or as circumstances dictate such as during periods of heightened alert, security breach or incident, Highway carriers should routinely assess their degree of vulnerability to risk and should prescribe security

29


measures to strengthen or adjust their security posture to prevent security breaches and internal conspiracies. The determination and scope of criminal elements targeting world commerce through internal conspiracies requires companies, and in particular, highway carriers to elevate their security practices, especially if the highway carrier has the exclusive benefit of enrollment in the Free and Secure Trade (FAST) program. Back TOC4 C-TPAT recognizes the complexity of international supply chains and security practices, and endorses the application and implementation of security measures based upon risk*. Therefore, the program allows for flexibility and the customization of security plans based on the member’s business model. Appropriate security measures, as listed throughout this document, must be implemented and maintained. Business Partner Requirements Highway carriers must have written and verifiable processes for the screening of business partners, including carrier’s agents, sub-contracted highway carriers, and service providers, as well as screening procedures for new customers, beyond financial soundness issues to include security indicators, such as business references and professional associations. Security Procedures · Written procedures must exist for screening business partners, which identify specific factors or practices, the presence of which would trigger additional scrutiny by the highway carrier. · For those business partners eligible for C-TPAT certification (importers, ports, terminals, brokers, consolidators, etc.) the highway carrier must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. Non-C-TPAT business partners may be subject to additional scrutiny by the highway carrier. · Highway carriers should ensure that contract service providers commit to C-TPAT security recommendations through contractual agreements. For U.S. bound shipments, C-TPAT highway carriers that subcontract transportation services to other highway carriers, must use other C-TPAT approved highway carriers or carriers under direct control of the certified C-TPAT carrier through a written contract. · Likewise, current or prospective business partners who have obtained a certification in a supply chain security program being administered by a foreign Customs Administration should be required to indicate their status of participation to the highway carrier. · As highway carriers have the ultimate responsibility for all cargo loaded aboard their trailer or conveyance, they must communicate the importance of supply chain security and maintaining chain of custody as fundamental aspects to any company security policy. Conveyance Security Conveyance (tractor and trailer) integrity procedures must be maintained to protect against the introduction of unauthorized personnel and material. Conveyance Inspection Procedures · Using a checklist, drivers should be trained to inspect their conveyances for natural or hidden compartments. Training in conveyance searches should be adopted as part of the company’s on-the-job training program. · Conveyance inspections must be systematic and should be completed upon entering and departing from the truck yard and at the last point of loading prior to reaching the U.S. border. · To counter internal conspiracies, supervisory personnel or a security manager, held accountable to senior management for security, should search the conveyance after the driver has conducted a search. These searches should be random, documented, based on risk, and should be conducted at the truck yard and after the truck has been loaded and en route to the U.S. border. · Written procedures must exist which identify specific factors or practices, which may deem a shipment from a certain shipper of greater risk. · The following systematic practices should be considered when conducting training on conveyances. Highway carriers must visually inspect all empty trailers, to include the interior of the trailer, at the truck yard and at the point of loading, if possible. The following inspection process is recommended for all trailers and tractors: Tractors: · Bumper/tires/rims · Doors/tool compartments · Battery box · Air breather · Fuel tanks · Interior cab compartments/sleeper · Faring/roof

30


Trailers: Back TOC4 · Fifth wheel area - check natural compartment/skid plate · Exterior - front/sides · Rear - bumper/doors · Front wall · Left side · Right side · Floor · Ceiling/Roof · Inside/outside doors · Outside/Undercarriage Trailer Security · For all trailers in the highway carrier’s custody, trailer integrity must be maintained, to protect against the introduction of unauthorized material and/or persons. Highway carriers must have procedures in place to maintain the integrity of their trailers at all times. · It is recognized that even though a carrier may not “exercise control” over the loading of trailers and the contents of the cargo, highway carriers must be vigilant to help ensure that the merchandise is legitimate and that there is no loading of contraband at the loading dock/manufacturing facility. The highway carrier must ensure that while in transit to the border, no loading of contraband has occurred, even in regards to unforeseen vehicle stops**. · Trailers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into trailers, tractors or storage areas. · The carrier must notify U.S. Customs and Border Protection of any structural changes, such as a hidden compartment, discovered in trailers, tractors or other rolling-stock equipment that crosses the border. Notification should be made immediately to CBP, and in advance of the conveyance crossing the border. Notifications can be telephonically made to CBP’s Anti-Terrorism Contraband Enforcement Team (A-TCET) at the port. Container Security · When transporting a container or trailer for a C-TPAT importer, a high security seal that meets or exceed the current PAS ISO 17712 standards for high security seals must be utilized. Conveyance Tracking and Monitoring Procedures · Highway Carriers must ensure that conveyance and trailer integrity is maintained while the conveyance is en route transporting cargo to the U.S. border by utilizing a tracking and monitoring activity log or equivalent technology. If driver logs are utilized, they must reflect that trailer integrity was verified. · Predetermined routes should be identified, and procedures should consist of random route checks along with documenting and verifying the length of time between the loading point/trailer pickup, the U.S. border, and the delivery destinations, during peak and non-peak times. Drivers should notify the dispatcher of any route delays due to weather, traffic and/or rerouting. · Highway Carrier management must perform a documented, periodic, and unannounced verification process to ensure the logs are maintained and conveyance tracking and monitoring procedures are being followed and enforced. · During Department of Transportation Inspections (DOT) or other physical inspections on the conveyance as required by state, local or federal law, drivers must report and document any anomalies or unusual structural modifications found on the conveyance. In addition, Highway Carrier management should perform a documented, periodic, and unannounced verification process to ensure the logs are maintained and conveyance tracking and monitoring procedures are being followed and enforced. Trailer Seals · The sealing of trailers, to include continuous seal integrity, are crucial elements of a secure supply chain, and remains a critical part of a carrier’s commitment to C-TPAT. A high security seal must be affixed to all loaded trailers bound for the U.S. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals. · Based on risk, a high security barrier bolt seal may be applied to the door handle and/or a cable seal must be applied to the two vertical bars on the trailer doors. · Clearly defined written procedures must stipulate how seals in the highway carrier’s possession are to be controlled during transit. These written procedures should be briefed to all drivers and there should be a mechanism to ensure that these procedures are understood and are being followed. These procedures must include: · Verifying that the seal is intact, and if it exhibits evidence of tampering along the route. · Properly documenting the original and second seal numbers. · Verify that the seal number and location of the seal is the same as stated by the shipper on the shipping documents.

31


· If the seal is removed in-transit to the border, even by government officials, a second seal must be placed on the trailer, and the seal change must be documented. · The driver must immediately notify the dispatcher that the seal was broken, by whom; and the number of the second seal that is placed on the trailer. · The carrier must make immediate notification to the shipper, the customs broker and/or the importer of the placement of the second seal. Less-than Truck Load (LTL) Back TOC4 · LTL carriers must use a high security padlock or similarly appropriate locking device when picking up local freight in an international LTL environment. LTL carriers must ensure strict controls to limit the access to keys or combinations that can open these padlocks. · After the freight from the pickup and delivery run is sorted, consolidated and loaded onto a line haul carrier destined to the cross the border into the U.S., the trailer must be sealed with a high security seal which meets or exceeds the current PAS ISO 17712 standard for high security seals. · In LTL or Pickup and Delivery (P&D) operations that do not use consolidation hubs to sort or consolidate freight prior to crossing the U.S. border, the importer and/or highway carrier must use ISO 17712 high security seals for the trailer at each stop, and to cross the border. · Written procedures must be established to record the change in seals, as well as stipulate how the seals are controlled and distributed, and how discrepancies are noted and reported. These written procedures should be maintained at the terminal/local level. · In the LTL and non-LTL environment, procedures should also exist for recognizing and reporting compromised seals and/or trailers to U.S. Customs and Border Protection or the appropriate foreign authority. Physical Access Controls Access controls prevent unauthorized entry to trucks, trailers and facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, service providers, and vendors at all points of entry. Employees and service providers should only have access to those areas of a facility where they have legitimate business. Employees An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. Visitors/Vendors/Service Providers Visitors, vendors, and service providers must present photo identification for documentation purposes upon arrival, and a log must be maintained. All visitors and service providers should visibly display temporary identification. · Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons. Personnel Security Written and verifiable processes must be in place to screen prospective employees and to periodically check current employees. · Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment. · Background Checks/Investigations Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employee’s position. · Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain. Procedures must be in place to prevent, detect, or deter unmanifested material and unauthorized personnel from gaining access to the conveyance including concealment in trailers. Security procedures should be implemented that restricts access to the conveyance and prevents the lading of contraband while en-route from facilities in international locations to the United States.

32


Procedures must be in place to record and immediately report all anomalies regarding truck drivers to U.S. Customs and Border Protection. If local, federal, or state laws and union rules permit, conducting random screening of truck driver luggage and personal effects should occur. · Documentation Processing Back TOC5 Procedures must be in place to ensure that all information used in the clearance of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Measures, such as using a locked filing cabinet, should also be taken to secure the storage of unused forms, including manifests, to prevent unauthorized use of such documentation · Document Review Personnel should be trained to review manifests and other documents in order to identify or recognize suspicious cargo shipments that: · Originate from or are destined to unusual locations · Paid by cash or a certified check · Have unusual routing methods · Exhibit unusual shipping/receiving practices · Provide vague, generalized or poor information · All instances of a suspicious cargo shipment should be reported immediately to the nearest U.S. Customs and Border Protection port-of-entry. · Bill of Lading/Manifesting Procedures Bill of lading information filed with CBP should show the first foreign location/facility where the highway carrier takes possession of the cargo destined for the United States. Additionally, to help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners is reported accurately and timely. · Cargo Cargo must be properly marked and manifested to include accurate weight and piece count. Customs and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected - as appropriate. Physical Security Procedures must be in place to prevent, detect, or deter un-manifested material and unauthorized personnel from gaining access to conveyance, including concealment in trailers. Cargo handling and storage facilities, trailer yards, etc., must have physical barriers and deterrents that guard against unauthorized access. Highway carriers should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable. · Fencing Perimeter fencing should enclose the entire truck yard or terminal, especially areas where tractors, trailers and other rolling stock are parked or stored. All fencing must be regularly inspected for integrity and damage. · Gates and Gate Houses Gates through which all vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. · Parking Private passenger vehicles must be prohibited from parking in close proximity to parking and storage areas for tractors, trailers and other rolling stock that crosses the international border. · Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. · Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys, to include the locks and keys for tractors. When parked in the yard, doors to tractors should be locked and the windows should be closed to prevent unauthorized access. · Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, parking or storage areas for tractors, trailers, rolling stock, and fences. · Alarms Systems & Video Surveillance Cameras Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to vessels, cargo handling and storage areas, based on risk. Security Training and Threat Awareness A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by drug smugglers and terrorists at each point in the supply chain. Employees must be made aware of the procedures the highway carrier has in place to address a situation and how to report it.

33


Additionally, specific training should be offered to assist employees in maintaining trailer and tractor integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation. Information & Technology Security Back TOC5 · Password Protection Measures should be taken to protect electronic assets, including advising employees of the need to protect passwords and computer access. Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training. · Accountability A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. · FAST Transponder Controls Transponders or any technology provided to the highway carrier by U.S. Customs and Border Protection to utilize the Free and Secure Trade (FAST) program must be protected against misuse, compromise, theft, tampering, altering or duplication***. C-TPAT highway carriers must have documented procedures in place to manage the ordering, issuance, activation, and deactivation of FAST transponders. C-TPAT highway carriers are prohibited from requesting FAST transponders for any highway carrier company that is not owned & controlled by the C-TPAT approved highway carrier. C-TPAT highway carriers are also prohibited from requesting FAST transponders for any owner-operator not under written contract to provide exclusive transportation services for the C-TPAT highway carrier. *Truck Carriers shall have a documented and verifiable process for determining risk throughout their supply chains based on their business model (i.e., volume, country of origin, routing, C-TPAT membership, potential terrorist threat via open source information, having inadequate security, past security incidents, etc.). **C-TPAT recognizes the unique situation of the cross-border cartage industry in the Laredo, Texas corridor and encourages and endorses carriers to work within the supply chain to make a reasonable effort to ensure the integrity of trailers, especially during the cross-border segment. ***Any misuse of FAST technology, to include loaning FAST transponders to external carriers will result in suspension or removal from the FAST Program. FAST is a benefit based on trust and confidence. Security Criteria Implementation Plan Highway Carriers (03/13/2006) Since October 2004, CBP and the trade community have work collaboratively to develop minimumsecurity criteria for highway carriers already enrolled in the C-TPAT program, or wishing to join the voluntary, incentive-based supply chain security program. These new minimum-security criteria help solidify membership expectations, and more clearly define and establish the baseline level of security measures, which must be employed by member highway carriers. The highway carrier minimum-security criteria is effective as of March 13, 2006. For New Highway Carriers Wishing To Join C-TPAT: Highway Carriers wishing to join the C-TPAT program on or after March 13, 2006, will need to meet or exceed the security criteria before they will be ‘certified’ and eligible for benefits. Applications for new membership will only be accepted electronically, via the C-TPAT web-based online application for highway carriers (with the submission of a completed, comprehensive security-profile that is required at time of application.) For Existing C-TPAT Member Highway Carriers: For highway carriers who are already a member of the C-TPAT program, having completed and received the memorandum of agreement signed by CBP, a gradual, phased implementation approach will be followed which provides existing members more time to address the security measures outlined in the criteria. The components outlined in the security criteria document have been segmented into three distinct phases, each with their own timeline. Proposed Implementation Plan Phase 1 – Hardening of the Physical Supply Chain: Under the first phase, existing member highway carriers will have 60 days from the March 13, 2006 effective date to address the following three security areas: · Conveyance Security (seals, trailer security, etc) · Physical Access Controls (employees, visitors, etc) · Physical Security (fencing, lighting, parking, etc.)

34


Phase 2: Phase two will address more internal and/or procedural elements. Specifically, under phase two, current members will have 120 days from the March 13, 2006 effective date to ensure compliance with the following criteria: · Personnel Security (background checks, employee hiring, etc.), · Procedural Security (documentation, manifesting procedures, etc.) · Security Training and Threat Awareness · Less-Than Truck Load (LTL) · Information Technology Security (passwords, FAST, etc.) Phase 3: Back TOC5 Phase three will address the remaining and more cumbersome requirement of leveraging security throughout the business partners. Specifically, under phase three highway carriers will have 180 days from the March 13, 2006 effective date to ensure compliance to the following: · Business Partner Requirements Certifications Existing C-TPAT member highway carriers will not be required to provide a written certification that the security criteria have been met, nor will previously submitted and accepted security profiles need to be resubmitted. It will be understood that highway carriers must meet or exceed these baseline security criteria by the end of each implementation phase. CBP will continue to use validations to gauge whether or not highway carriers have adopted these security criteria. Those highway carriers found to be deficient may have benefits suspended, or removed from the program entirely. Highway carriers failing to meet security criteria as evidenced through a validation, or from a resulting seizure due to compromised supply chain security, will be have their Free and Secure Trade (FAST) program benefits immediately suspended until notification from the C-TPAT office. To assist in the implementation of these security criteria, a Frequently Asked Questions (FAQ’s) document has been provided, and the trade is encouraged to submit questions to the C-TPAT Industry Partnership email address at Industry.Partnership@dhs.gov. In closing, as a voluntary, incentive based supply chain security program, the new C-TPAT security criteria for highway carriers are risk based, flexible, and designed to help CBP achieve its twin goals of security and facilitation. CBP will continue to work with members who demonstrate a commitment towards strengthening their entire supply chain and benefits will be provided accordingly. Air Freight Consolidators/ Ocean Transportation Intermediaries, and NVOCC Develop and implement a sound plan to enhance security procedures. These are general recommendations that should be followed on a case-by-case basis depending on the company's size and structure and may not be applicable to all. Procedural Security: Companies should notify Customs and other law enforcement agencies whenever anomalies or illegal activities related to security issues are detected or suspected. Documentation Processing: Consolidators should make their best efforts to ensure that all information provided by the importer/exporter, freight forwarder, etc., and used in the clearing of merchandise/cargo, is legible and protected against the exchange, loss or introduction of erroneous information. Documentation controls should include, where applicable, procedures for: * Maintaining the accuracy of information received, including the shipper and consignee name and address, first and second notify parties, description, weight, quantity, and unit of measure (i.e. boxes, cartons, etc.) of the cargo being cleared. * Recording, reporting, and/or investigating shortages and overages of merchandise/cargo. * Tracking the movement of incoming and outgoing cargo. * Safeguarding computer access and information. * Companies should participate in the Automated Manifested System (AMS) and all data submissions should be complete, legible, accurate and submitted in a timely manner pursuant to Customs regulations.

Personnel Security: Consistent with federal, state, and local regulations and statutes, companies should establish an internal process to screen prospective employees, and verify applications. Such an internal process could include background checks and other tests depending on the particular employee function involved. Education and Training Awareness: A security awareness program should include notification being provided to Customs and other law enforcement agencies whenever anomalies or illegal activities related to security are detected or suspected. These programs should provide: * Recognition for active employee participation in security controls. * Training in documentation fraud and computer security controls. Supply Chain Security Profile Questionnaire - provides a recommended format for reporting to Customs a company’s self assessment of its security measures. Included in the questionnaire are minimal elements that a company is expected to address as a part of the C-TPAT application process. These elements include physical, personnel, and informational security programs and procedures employed by the company and an indication of existing security weaknesses. The questionnaire also requests information on the security procedures used when

35


selecting international service providers and the steps taken to ensure that those companies employ adequate safeguards against terrorist activity. Supply Chain Security Profile Questionnaire TOC5 Importers 1) Provide an executive summary outlining the process elements of the security procedures you currently have in place. Your submission must include the importer of record number(s) which are covered by the security processes you describe. At minimum, address the following elements:

Security Program: 1.Facilities security. 2.Theft prevention. 3.Shipping and receiving controls. 4.Information security controls – integrity of automated systems. 5.Internal controls – process established for reporting and correcting problems.

Personnel Security: 1.Pre-employment screening & periodic background reviews. 2.Employee training on security awareness and procedures.

3.Internal codes of conduct. 4.Internal controls – process established for reporting and managing problems related to personnel security. Service Provider Requirements Product suppliers, Carriers, Forwarders: 1.Written standards for service providers’ physical plant security. 2.Quality controls on production processes to ensure system integrity. 3.Financial assessment process to determine service provider’s fiscal soundness and ability to deliver goods and services within contract parameters. 4.Internal controls for the selection of service providers. 5.Profiles of Tier 1 suppliers (i.e. those entities receiving and packing a finished commodity, for transportation to the final destination) maintained and available for review. 6.Indicate if your service providers participate in Customs Industry Partnership Programs: the Customs-Trade Partnership Against Terrorism (C-TPAT), the Carrier Initiative Program (CIP), the Super Carrier Initiative Program (SCIP), the Business Anti-Smuggling Coalition (BASC). 2.) Indicate that the specific detailed procedures noted above are available to Customs in a verifiable format at an identified location. Include an assessment of your security processes, as well as information on what changes you envision making to correct identified weaknesses. Note: Identifying perceived weaknesses will not necessarily prohibit participation in C-TPAT. Customs is committed to working with you to identify effective corrections and adjustments to your processes that will result in a more secure supply chain operation. We have specific programs in place that can assist your company in meeting this objective. Our Carrier Initiative Program Coordinators can provide expert advice on establishing security programs throughout your supply chain. Program information will be provided upon request. Supply Chain Security Profile Questionnaire Brokers Air Freight Consolidators Ocean Transportation Intermediaries/ NVOCC 1.Provide an executive summary outlining the process elements of the security procedures you currently have in place and which are relevant to your operation/ function. At minimum, address the following elements: Security Program: 1.Facilities security. 2.Theft prevention. 3.Shipping and receiving controls. 4.Information security controls - integrity of automated systems. 5.Internal controls - process established for reporting and correcting problems. Personnel Security: 1.Pre-employment screening & periodic background reviews.

2.Employee training on security awareness upon request. From CBP WEBSITE Applying for C-TPAT The application process for the C-TPAT program is done online. A company representative will fill out the application on a secure website called the C-TPAT Portal. There are two components to the application process: the Company Profile and the Security Profile. The company profile section of the application will ask for information such as addresses, contact information. Once the company profile is complete and the “Submit” button is clicked, an account is created in the C-TPAT Portal. When this

36


account has been created, the company representative will then enter information into the Security Profile. The Security Profile section of the website contains questions of a more detailed nature that their Supply Chain Security Specialist (SCSS) who reviews your profile will use to determine your company’s ability to meet C-TPAT minimum security requirements. Once the security profile is reviewed and accepted, your company will be accepted into the C-TPAT program and will start receiving some of the benefits. At this time, the SCSS assigned to your account will contact you in order to set up a site visit to observe security practices at your location(s). When the SCSS reviews your company’s operations and has found them to meet CTPAT requirements, your company will become validated as a Tier II company, and will begin receiving the full benefits of the C-TPAT Program.

Historical Information C-TPAT Partner Application for Importers – Instructions Importer for C-TPAT Application Qualifications (previous background, now done online)

Back TOC5

1. Active U.S.Importer or Non-Resident Canadian Importer into the United States. 2. Have an business office staffed in the United States or Canada. 3. Have active U.S. importer of record ID(s) in either of the following formats: · U.S. Social Security Number · U.S. Internal Revenue Service assigned ID(s) · CBP assigned Importer ID 4. Possess a valid continuous import bond registered with CBP. 5. Have a designated company officer that will be the primary cargo security officer responsible for C-TPAT. 6. Commit to maintaining CBP C-TPAT supply chain security criteria as outlined in the C-TPAT importer agreement.

7. Create and provide CBP with a C-TPAT supply chain security profile, which identifies how the importer will meet, maintain, and enhance internal policy to meet the C-TPAT importer security criteria. Application Instructions: Step 1. Prepare a C-TPAT Supply Chain Security Profile Importers are required to complete and submit to CBP a Supply Chain Security Profile that addresses each item in the C-TPAT Security Criteria for Importers. The security profile should summarize the importers commitment to ensuring adherence to the following C-TPAT security criteria for importers: C-TPAT Security Criteria for Importers Importers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria. Where an importer out sources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/ supplier/vendor) through to point of distribution and recognizes the diverse business models C-TPAT members employ. C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis. Therefore, the program allows for flexibility and the customization of security plans based on the members business model. Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the importers supply chains, based on risk. Business Partner Requirements Importers must have written and verifiable processes for the selection of business partners

including manufacturers, product suppliers and vendors. Security Procedures For those business partners eligible for C-TPAT certification (carriers, U.S. ports, terminals, brokers, consolidators, etc.) the importer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. For those business partners not eligible for C-TPAT certification, importers must require business partners to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation (e.g., contractual obligations via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security criteria or an equivalent WCO accredited security program administered by a foreign customs authority; or by providing a completed importer security questionnaire).Based upon a documented risk assessment process, non-C-TPAT eligible business partners must be subject to verification of compliance with C-TPAT security criteria by the importer. Point of Origin Importers must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin. Periodic reviews of business partners processes and facilities should be conducted based on risk, and should maintain the security standards required by the importer. Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs administration should be required to indicate their status of participation to the importer.

37


Other internal criteria for selection Internal requirements, such as financial soundness, Capability of meeting contractual security requirements, and the ability to identify and correct security deficiencies as needed, should be addressed by the importer. Internal requirements should be assessed against a risk-based process as determined by an internal management team. Container Security Back TOC6 Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At point of stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers. A high security seal must be affixed to all loaded containers bound for the United States. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals. Container Inspection Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. A 7-point inspection process is recommended for all containers: · Front wall · Left side · Right side · Floor · Ceiling/Roof · Inside/outside doors · Outside/Undercarriage Container Seals Written procedures must stipulate how seals are to be controlled and affixed to loaded containers - to include procedures for recognizing and reporting compromised seals and/or containers to U.S. Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes. Container Storage Containers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas.

Physical Access Controls Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry. Employees An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. Visitors Controls Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification. Deliveries (including mail) Proper vendor identification (ID) and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated. Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons. Personnel Security Processes must be in place to screen prospective employees and to periodically check current employees. Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment. Background checks / investigations Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees.

Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employees position. Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain. Documentation Processing Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information. Manifesting Procedures To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners is reported accurately and timely.

38


Shipping & Receiving Back TOC6 Arriving cargo should be reconciled against information on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Cargo Discrepancies All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. CBP and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected, as appropriate. Security Training and Threat Awareness A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail. Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation. Physical Security Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. Importers should incorporate the following C-TPAT physical security criteria throughout their

supply chains as applicable. Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage. Gates and Gate Houses Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. Parking Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair.

Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas. Alarms Systems & Video Surveillance Cameras Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas.

Information Technology Security - Password Protection Automated systems must use individually assigned accounts that require a periodic change of password. Information technology (IT) security policies, procedures and standards must be in place and provided to employees in the form of training. Information Technology Security - Accountability A system must be in place to identify the abuse of information technology (IT) including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. Step 2. Submission of your application Submit your C-TPAT application and other required supplemental information via the C-TPAT Online Application submission process, located at the application web link provided. ( C-TPAT Online Application ) Step 3. After entering your online application Applicants will be directed to upload your Supply Chain Security Profile. The only acceptable file formats are limited to: .doc, .rtf, .pdf, and .txt files. IMPORTANT: You must be ready to UPLOAD your Supply Chain Security Profile IMMEDIATELY upon completion of the online application. Step 4. Upon receipt CBP will review the importers completed Supply Chain Security Profile. After CBP completes the profile review, the importer will receive feedback on their Supply Chain Security within 60 days.

39


Back TOC6

Be aware this is old background info current may differ pages 37 to 40…AGAIN THIS IS BACKGROUND INFO Follow Current website instructions

40


1- Foreign Factory PLANT FAQ 3/25/05 Supplier oriented info

- Background info

Back TOC6

Q: 8. Some security standards such as background checks are not permitted in certain foreign countries. Are these suppliers therefore not permitted to export to the United States? A: Processes must be in place to screen prospective employees and to periodically check current employees, consistent with foreign, federal, state, and local regulations. If prohibited by law from conducting a criminal or financial background check or investigation, some types of applicant information such as employment history, employment references, etc., can still be verified as part of the screening process. Members should be certain to document what level or checks have been initiated, as well as document limitations imposed by foreign law.

Q: 9. Do the physical security standards apply to the supplier as well as the importer? A: As outlined in the business partner requirements, appropriate security measures, as listed throughout the C-TPAT Security Criteria document, must be implemented and maintained throughout the importer's supply chains, based on risk. Foreign suppliers, manufacturers, cargo handling and storage facilities in foreign locations must have physical barriers and deterrents that guard against unauthorized access. Q: 13. C-TPAT participation for importers appears to be an all or nothing situation. That is - either an importer guarantee every shipment to them is secure or they lose their C-TPAT membership. What is the means for an importer to exclude from their C-TPAT program shipments from suppliers who refuse or are incapable addressing supply chain security issues? A: While C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis, C-TPAT membership does entails a commitment to strengthen entire supply chains and adopt appropriate security measures based on risk. C-TPAT importers are not expected to guarantee that every shipment is secure, but rather, importers must demonstrate an ongoing commitment towards strengthening their supply chains. Q: 14. Will an importer lose their C-TPAT membership when a supplier who refuses to cooperate is the only supplier in the world for a critical good, material or piece of machinery or equipment? (e.g. supplier holds the only patent, supplier has the only manufacturing capability, supplier has the only manufacturing capacity, supplier is the only cost competitive source) A: C-TPAT members must make every effort to leverage their business relationships to enhance the security of the supply chain from point of stuffing, through the CBP clearance process. Membership entails a demonstrated commitment towards meeting this goal, yet the program recognizes the difficulties involved in securing all aspects of the importer's entire international supply chains. If the importer continues to demonstrate this commitment, membership will be retained. Q: 28. Point of Origin section states that "Importers must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin." How far back into the supply chain must a certified C-TPAT importer go to ensure and maintain proper security standards assuming that risks are equal? A: Importers must conduct a comprehensive assessment of their international supply chains. Where an importer outsources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin manufacturer / supplier / vendor) through to point of distribution - and recognizes the diverse business models C-TPAT members employ. Q: 36. Will the C-TPAT program distinguish between compliant and non-compliant suppliers? How? Will shipments from nonconforming suppliers be treated differently by CBP? How would CBP know which suppliers are conforming and which are not?

41


A: See answer to question #7 above. Q: 37. When compliant suppliers' cargo is mixed with non-compliant suppliers' cargo in a consolidated load, what is the consequence? A: CBP employs a risk management approach in screening and targeting import and export shipment. Shipments from non-C-TPAT certified members, or those from unknown or less established entities receive higher scrutiny from CBP. If C-TPAT member cargo is imported in the same container as high risk cargo imported by another party, and an examination of the higher risk cargo is necessary, the entire shipment will be examined. Q: 38. When compliant suppliers' cargo is mixed with non-compliant suppliers' cargo in a consolidated load, what is the consequence?/ A: CBP employs a risk management approach in screening and targeting import and export shipment. Shipments from non-C-TPAT certified members, or those from unknown or less established entities receive higher scrutiny from CBP. If C-TPAT member cargo is imported in the same container as high risk cargo imported by another party, and an examination of the higher risk cargo is necessary, the entire shipment will be examined. Q: 39. Does a compliant consolidator "cleanse" noncompliant suppliers? A: Not necessarily, though the supply chain is made more secure by this activity. This activity would not necessarily ensure that the cargo itself is not containing contraband or other items which may be a threat or terrorist weapon. Importers must still advance supply chain security enhancements throughout their business partners. One secure piece of the supply chain does not "cleanse" other, less secure components.

Security Procedures Back TOC6 For those business partners eligible for C-TPAT certification (carriers, U.S. ports, terminals, brokers, consolidators, etc.) the importer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. For those business partners not eligible for C-TPAT certification, importers must require business partners to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation (e.g., contractual obligations via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security criteria or an equivalent WCO accredited security program administered by a foreign customs authority; or by providing a completed importer security questionnaire).Based upon a documented risk assessment process, non-C-TPAT eligible business partners must be subject to verification of compliance with C-TPAT security criteria by the importer.

Point of Origin Importers must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin. Periodic reviews of business partners' processes and facilities should be conducted based on risk, and should maintain the security standards required by the importer. Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs administration should be required to indicate their status of participation to the importer. Other internal criteria for selection Internal requirements, such as financial soundness, capability of meeting contractual security requirements, and the ability to identify and correct security deficiencies as needed, should be addressed by the importer. Internal requirements should be assessed against a risk-based process as determined by an internal management team. Container Security Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At point of stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers. A high security seal must be affixed to all loaded containers bound for the United States. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals. Container Inspection Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. A 7-point inspection process is recommended for all containers: * Front wall

42


* Left side * Right side * Floor * Ceiling/Roof * Inside/outside doors * Outside/Undercarriage

TOC6

Container Seals Written procedures must stipulate how seals are to be controlled and affixed to loaded containers - to include procedures for recognizing and reporting compromised seals and/or containers to U.S. Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes. Container Storage Containers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas. Physical Access Controls Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry. Employees An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. Visitors Controls Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification. Deliveries (including mail) Proper vendor identification (ID) and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated. Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons. Personnel Security Processes must be in place to screen prospective employees and to periodically check current employees. Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment. Background checks / investigations Consistent with foreign, federal, state, and local regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employee's position. Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain.

43


Documentation Processing Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information. Manifesting Procedures To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information TOC6 received from business partners is reported accurately and timely. Shipping & Receiving Arriving cargo should be reconciled against information on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Cargo Discrepancies All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. CBP and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected, as appropriate. Security Training and Threat Awareness A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail. Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation. Physical Security Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. Importers should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable. Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage. Gates and Gate Houses Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. Parking Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas. Alarms Systems & Video Surveillance Cameras Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas.

44


Information Technology Security - Password Protection Back TOC7 Automated systems must use individually assigned accounts that require a periodic change of password. Information technology (IT) security policies, procedures and standards must be in place and provided to employees in the form of training. Information Technology Security - Accountability A system must be in place to identify the abuse of information technology (IT) including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. TD 72-56 gives direction for security; importer and supplier, as well as other vendors in process. SUPPLIER Security check for personnel Be aware of country legal requirements. Facility physical security Access to loading/packing/shipping should be controlled. Facility where freight originates must be secured by fencing and appropriate locks (gates, windows). Strengthen the security; do not settle for a mediocre effort. Electronic security devices to record personnel movements. Visual readers installed at gates can record truck and driver particulars. Comparison of driver photo to records is a step that should be implemented. Surveillance systems - closed circuit TV and motion sensitive lighting can be utilized. Good lighting is a requirement.

Seals that are difficult to re-secure after breaking should be used and a system requiring monitoring of seal in movement should be implemented. Use of eseals on a random basis if not regularly might be a counter device. DO NOT FOLLOW A PATTERN BUT DEVIATE TO AVOID COMPLACENCY. Take steps to secure loose cargo. Securely stack, tag or spray with marks to show unauthorized tampering. Containers should be stored to make it difficult to remove cargo (door to door). Place high value goods container on top of stack (hard to get to). Expensive cargo - requires more defense from theft. Security audit should be performed at least twice a year (one unannounced). Security is not static and must change to avoid false sense and to devise updates defense to new approaches.

What you should do is devise a sound program regarding the suppliers security and not follow a template method. Be innovative and adapt sound principles to defeat attempts to steal or penetrate security for any reason. Compose steps and address the requirements in your plan. It is imperative to update and to self audit.

2- Plant to Port

License: PDpdpublic domain Title: K Line container on the road in Belgium Size: 500 x 375 pixels (33416 bytes) Taken by: Klever from Wikimedia Commons Topic: K Line [W][FB][DBp] Found at: http://commons.wikimedia.org/wiki/File:Volvo_FH12-Simons_(B)-2005.jpg

45


Tighten Freight Forwarding - Supplier/Vendor Back TOC7 Strict controls on access to facility. Restrict through gate and establish procedures to challenge drivers by photograph ID requirements. The amount of time waiting should be reduced. Things happen when planning and process allow too much idle time. Organization is a requirement. Loading/unloading should be supervised. Stipulate dock control. Do not let an outsider dictate your operation. Until a job is complete do not allow another truck to position and driver or others have time to amble. Do not leave goods on dock for any time period. All employees and others should be parked outside the grounds with access controlled. Empty containers should be stored separate from merchandise. Import, export, and domestic cargo should be separate. A check of trash containers should be a routine security item. A requirement should be that personnel check for forgotten cartons on receipt. (couriers, others) Delivering personnel should be restricted to allow for necessities but not free to their own movement. Upgrade security during lunch and breaks...do not leave unattended areas/cargo. A check of exiting vehicles should be made at least randomly (all personnel and visitors). Allow for undercover security personnel to audit procedures to improve system. Set up an anonymous tip line with reward. Policies should state offenders will be dealt with firmly (dismissal and prosecution). TRUCK - Pre-carriage & On-carriage Security contract part of movement SVI Number (Status Verification Interface)

(see page 31) Vary Departure Time - schedules confidential Avoid use of flat top trucks Avoid overnight stops If number of trucks - convoy Security escort occasionally Electronic vehicle tracking (if only as audit)

Motor Freight -Truck and Terminal Marine 8%

85% +

Rail 4% Air 2% Where would you want to concentrate efforts? Truck pre- and on-carriage legs of movement need intense coverage.

3 - Foreign Port 4 – Carrier 5 – U.S.Port 6 – Port to Warehouse 7 – Final Destination----all should be secure and C-TPAT Standard

46


T. D. 72-56 Department of the Treasury- Office of the Secretary Standards for security of international cargo

Back TOC7

There are published below for information of the public recommended physical and procedural standards for the security of imported merchandise for export. Dated: February 4, 1972 (254) Eugene Rossides, Assistant Secretary of the Treasury (published in the Federal Register February 16, 1972 (37 F.R. 3455)

While published in 2/72, the Treasury Decision can form a basis for development of your security plan. It will provide guidance (standard) to security concerns that you must address. PHYSICAL SECURITY STANDARDS 48 BUILDINGS FENCING GATES GATE HOUSES 49 PARKING LIGHTING LOCKS, LOCKING DEVICES, AND KEYS HIGH RISK CARGO 49 PROCEDURAL SECURITY STANDARDS 50 SECURITY PERSONNEL COMMUNICATIONS IDENTIFICATION SYSTEM INDEPENDENT CONTRACTORS 51 CARGO QUANTITY CONTROLS DELIVERY PROCEDURES Containerized Shipments & Seals SECURITY EDUCATION 52

47


Standards for Cargo Security – then 1972, APPLICABLE with your updates today PHYSICAL SECURITY STANDARDS

Back TOC7

All cargo handling and storage facilities should provide a physical barrier against unauthorized access to cargo. Usually this will require a covered structure with walls, and apertures which can be securely closed and locked. In addition, fencing may be needed: 1. To prevent unauthorized persons and vehicles from entering cargo storage and handling areas. 2. As sole protection for open storage of bulk cargo or large articles which cannot be easily pilfered or removed without mechanical handling equipment or which have their own inherent security (containers). BUILDINGS General Standard All buildings used to house cargo and associated support buildings should be constructed of materials, which resist unlawful entry. The integrity of the structure must be maintained by periodic inspection and repair. Security protection should be provided for all doors and windows. Recommended Specifications 1. Equip all exterior doors and windows with locks. 2. Protect all windows through which entry can be made from ground level by safety glass, wire mesh or bars. 3. Similarly safeguard all glassed-in areas where shipping documents are processed. 4. Construct all delivery and receiving doors of steel or other material that will prevent or deter unlawful entry and keep them closed and locked when not in use.

5. Where fencing is impractical or guards insufficient equip the building with an intrusion detection or alarm system. 6. Inspections must insure particularly that there are no avenues for surreptitious entry through floors, roofs, or adjacent buildings. FENCING General Standard Where cargo security is dependent upon fencing, it should enclose an area around cargo and support buildings sufficient to provide maneuvering space for pick-up and delivery vehicles and should be set off a sufficient distance on all sides from the building or exterior stored cargo. The fence line must be inspected regularly for integrity and any damage promptly repaired. Recommended Specifications 1. Install chain link type fencing with at least nine gauge, two-inch mesh and at least 8 feet high (not including a barbed wire extension). If the level on which the fence is constructed is lower than the area outside the fence line, increase the height of the fence to provide an effective 8-foot fence at all points. 2. Top the fence with a 2-foot barbed wire extension, consisting of 3 strands of barbed wire, properly spaced and angled outward. 3. Place fence posts on the inside of the fence and secure them in a cement foundation at least 2 feet deep. 4. Ensure that objects or persons cannot pass beneath the fencing by providing: a. Cement aprons not less than 6 inches thick, or b. Frame piping, or c. U-shaped stakes driven approximately 2 feet into the ground. 5. Avoid any condition which compromises the fence line. Prohibit the placing of containers, dunnage, cargo, vehicles, or any other item that my facilitate unlawful entry adjacent to the fence line. 6. Where necessary, install bumpers or fence guards to prevent damage by vehicles.

GATES General Standard The number of gates in fences should be the minimum necessary for access. All fence gates should be at least as substantial as the fence. Gates through which vehicles or personnel enter or exit should be manned or under observation by management or security personnel. Recommended Specifications 1. Equip gates with a deadlocking bolt or a substantially equivalent lock which does not require use of a chain. All hardware connecting the lock to the gate should be strong enough to withstand constant use and attempts to defeat the locking device. 2. Construct swing-type gates that they may be secured to the ground when closed. 3. Separate gates for personnel and vehicle traffic are desirable.

48


GATE HOUSES General Standard Operators of facilities handling a substantial volume of cargo should maintain a manned gate house at all vehicle entrances and exits during business hours. Recommended Specifications 1. Set the gate house back from the gate so that vehicles can be stopped and examined on terminal property. 2. Equip the gate house with a telephone or other communication system. 3. Clear the are around the gate house of any encumbrances that restrict the guard's line of vision. 4. Post prominently on the exterior of all gate house signs advising drivers and visitors of the conditions of entry. Included in conditions of entry a notice that all vehicles and personnel entering the area are subject to search. PARKING General Standard Private passenger vehicles should be prohibited from parking in cargo areas or immediately adjacent to cargo storage buildings. Access to employee parking areas should be subject to security controls. Recommended Specifications 1. Locate parking areas outside of fenced operational areas, or at least a substantial distance from cargo handling and storage areas or buildings and support buildings. 2. Require employees exiting to the parking area from the cargo area to pass through an area under the supervision of management or security personnel. Require employees desiring to return to their private vehicles during hours of employment to notify management and/or security personnel. 3. Allow parking in employee parking areas by permit only. Maintain a record of each issued permit, listing the vehicle registration number, model, color and year. The permit should consist of a number decal, tag, sticker, or sign placed in a uniform location on the vehicle. 4. Issue to vendors and other visitors temporary parking permits which allow parking in a designated area under security controls. LIGHTING General Standard Adequate lighting should be provided for the following areas: 1. Entrances, exits and around gate houses. 2. Cargo areas, including container, trailer, aircraft and rail-car holding areas. 3. Along fence lines and string pieces. 4. Parking areas. Recommended Specifications 1. The Society of Illuminating Engineers recommends the following light intensities measured at ground level: a. Vehicle & pedestrian areas-----2.0 foot candles b. Vital structures & other sensitive areas 2.0 foot c. Unattended outdoor parking areas 1.0 foot cndl 2. Illuminate all vehicles & pedestrian gates, perimeter fence lines, and other outer areas with mercury vapor, sodium vapor, power quartz lamps or substantially similar high intensity lighting, employing a minimum of 400 watts per fixture. Locate lights 30 feet above ground level and properly spaced to provide the appropriate light intensity for the area to be illuminated. 3. Establish a system of planned maintenance. 4. Protect lighting subject to vandalism by wire screening or other substantially equivalent means. LOCKS, LOCKING DEVICES, AND KEYS General Standard Locks or locking devices used on buildings, gates and equipment should be so constructed as to provide positive protection against unauthorized entry. The issuance of all locks and keys should be controlled by management or security personnel. Recommended Specifications 1. Use only locks having (a) multiple pin tumblers, (b) dead locking bolts, (c) interchangeable cores, and (d) serial numbers. 2. To facilitate detection of unauthorized locks, use only locks of standard manufacture displaying the owner's company name. 3. Number all keys and obtain a signature from the recipient when issued. Maintain a control file for all keys. restrict the distribution of master keys to persons whose responsibilities require them to have one. 4. Safeguard all un-issued or duplicate keys. 5. Remove and secure keys from cargo handling equipment and vehicles when not in actual use. HIGH RISK CARGO General Standard Adequate space capable of being locked, sealed, or otherwise secured for storage of high-value cargo and packages which have been broken prior to or during the course of unloading must be provided at each cargo handling building. When such cargo must be transported, a substantial distance from the point of unloading to the special security area, vehicles capable of being locked

or otherwise secured must be used.* (standards are required by Customs Regulations (19 CFR 4.30 ). Recommended Specifications 1. Construct special security rooms, cribs or vaults so as to resist forcible entry on all sides and from underneath and overhead.

49


2. Locate such special security areas, where possible, so that management and/or security personnel may keep them under continuous observation. Otherwise, install an alarm system or provide for inspection at frequent intervals. 3. Release merchandise from such an area only in the presence of authorized supervisors and/or security personnel. 4. Log all movements of merchandise in or out of a special security area, showing date, time, condition of cargo upon receipt, name of truck-man and company making pick-up and registration number of equipment used. PROCEDURAL SECURITY STANDARDS Personnel Screening General Standard Operators of cargo handling facilities should conduct employment screening of prospective employees.* ((Customs Regulations already require international carriers, proprietors of bonded warehouses, and customhouse brokers to submit employee lists upon request from the District Director of Customs. Such lists must contain the name, address, social security number, and date and place of birth of each employee and be kept up to date (Custom Regulations, 19 CFR 4.30(m), 19.3 and 111.28 see above p 2119)). Recommended Specifications 1.Require all personnel, including maintenance and clerical personnel, who will have access to cargo areas to submit a detailed employment application which contains a photograph of the applicant and lists his residences and prior employment for the preceding 10 years. 2. Screen all such employment applicants for: (a) verification of address and prior employment (b) credit record and. (c) if possible, criminal record. SECURITY PERSONNEL General Standard Operators of cargo handling facilities should employ a Security Officer or assign a particular officer of the firm to be responsible for security. All operators handling a substantial volume of international cargo should provide guards to protect the cargo. Recommended Specifications 1. Employ the number of guards required to provide adequate security for the size of each facility and the volume of cargo handled. Alarm systems, closed circuit television and other security devices may reduce the number of guards needed. 2. Train all company employee guard forces or insure that contract guard forces are trained in: (a) Methods of patrolling terminals & warehouses (b) Use of firearms and other equipment that may be furnished. (c) Report writing, log and record keeping. (d) Identification of security problems and specific trouble areas. 3. Equip guard forces with uniforms, which are complete, distinctive and authoritative in appearance. 4. Provide firearms, vehicles, communications systems, and other equipment deemed necessary for the successful performance of the guard function. 5. Insist on physical fitness as a prime consideration in selecting a guard force. Require guards to undergo self-defense training similar to that of police agencies. Require a physical examination at least once a year. 6. Furnish each guard a manual covering operating procedures and standards of conduct, and a clear statement of what management expects of him.

COMMUNICATIONS General Standards Adequate and reliable communications between elements of the terminal security force and from the security force to local police should be provided. Recommended Specifications 1. Provide security personnel with a telephone at fixed posts or two-way radio, intercom or other type of equipment providing voice communication capability within the company. 2. Arrange assured means (telephone, radio, or special alarm line) for summoning assistance from local police forces. IDENTIFICATION SYSTEM General Standard All operators of facilities handling a substantial volume of cargo should employ an identification card system to identify personnel authorized to enter the cargo and document processing areas. Recommended Specifications 1. Include on the I.D. card: (a) physical description or, preferably, photograph of the holder (b) name and address (c) social security number, (d) date of birth, (e) employer's Customs license number, if any, (f) signature of holder, and ( g) reasonable expiration date. 2. Laminate all cards to prevent alterations and assign each card a control number. 3. Recover I.D. cards from terminated employees.

50


4. Require each employee to display his I.D. card to gain access to the facility, to cargo areas within the facility, and to areas where shipping documents are processed. Preferably, the I. D. card should be displayed so that it is visible at all times that the employee is within the facility.

INDEPENDENT CONTRACTORS General Standard The background and corporate structure of independent contractors providing janitorial services, refuse disposal, or other services should be verified. Access by independent contractors to the facility should be under security controls. Recommended Specifications 1. Periodically examine independent contractor vehicles which are parked in or near cargo areas. 2. Permit independent contractor employees to enter only those areas necessary for their particular work; permit them access to cargo and areas where shipping documents are located only under supervision of security and/or management personnel. 3. Require independent contractors to display identification similar to that required by the facility for its own employees. CARGO QUANTITY CONTROLS General Standard Cargo should be tallied at time of delivery to the consignee or his agent. In the event of any discrepancies at time of delivery. a U.S. Customs (CBP)Form 5931 or a duplicate copy of the amended cargo manifest must be completed and submitted to Customs by the carrier or his agent.* *(All international carriers are required by Customs regulation to make discrepancy reports [19 CFR 4.12(b), 6.7(b). 158, 18.2(b), 18.6(b), (c), 123.9]). Recommended Specifications 1. To facilitate accurate delivery of cargo, terminal operators should maintain and continuously up-date a location chart or list of all cargo received. 2. Segregate imported cargo, cargo for export, and domestic cargo. 3. Carriers should arrange procedures with each terminal operator to insure that all overages and shortages are reported to Customs. DELIVERY PROCEDURES General Standards Gate passes should be issued to truck-men and other onward carriers to control and identify those authorized to enter the facility. Verification of the identity and authority of the carrier requesting delivery of cargo should be made prior to the cargo's release. Recommended Specifications 1. Require truck-men to submit proper personal identification (such as a driver's license or Customs I.D. card) and a vehicle registration certificate before issuing a gate pass and being permitted to enter the facility; require them to surrender the gate pass before leaving the facility. 2. Seal containers and trailers and note the seal number on the gate pass before delivery is effected. Verify the seal number when the gate pass is surrendered at the gate. 3. Require the company name of all onward carriers to be clearly shown on all equipment. Do not accept temporary placards or cardboard signs as proper identification of equipment. Require carriers using leased equipment to submit the lease agreement for inspection and note the leasing company's name on the delivery order. 4. Release cargo only to the carrier specified in the delivery order unless a release authorizing delivery to another carrier, signed by the original carrier, is presented and verified. Accept only original copies of the delivery or pick-up orders. 5. personnel processing pre-lodged delivery or pick-up orders should verify the identity of the truck-man and the trucking company before releasing the pick-up order. Limit access to areas where such documentation is processed or held to authorized personnel and rigorously safeguard all shipping documents from theft or unauthorized observation. 6. Conduct delivery and receiving operations at separate docks or doors, if feasible. 7. Tally salvage and accumulated unclaimed cargo at the time of delivery and have management representatives snd/or security personnel verify that only properly released items are included. If a terminal has truck scales, weigh the vehicle used

to remove bulk salvage cargo (bales & drums) when empty and loaded. CONTAINERIZED SHIPMENTS & SEALS General Standard All containers, trailers, rail cars and air cargo lockers entering or leaving a facility should be sealed. Mounted and high value containerized shipments should receive special security attention. Recommended Specifications 1. Inspect seals whenever a sealed containerized shipment enters or leaves a facility. If the seals are not intact or there is evidence of tampering or the seal numbers are incorrect, notify security and/or management personnel and tally the cargo.

51


2. Seal unsealed containerized shipments at the point of entry to the facility and note the seal number on the shipping documents. Seal all containerized shipments leaving the facility and note the seal number on the shipping documents.

3. Release seals to as few persons as possible. Require all persons handling seals to maintain strict control of the seals assigned and store them in a secure place. 4. Maintain a seal distribution log which indicates to whom seals have been released. 5. Where possible, secure containers by butting or "marrying" their door ends against each other. However, do not butt them against a perimeter fence or building wall if that will compromise the protection provided by the fence or building wall. In stacking containers, place those containing high value merchandise on top. 6. Locate high value merchandise in mounted containers or trailers in a special security holding area where it can be observed by management and/or security personnel. 7. When containers are mounted on frames, secure the fifth-wheel by a pin-lock, which meet the minimum standards for locks and is constructed to withstand normal abuse from equipment. Hold designated management and/or security personnel responsible for storage and control of pin-locks. 8. restrict access to special security holding areas and permit the release of containers or trailers from such areas only in the presence of management representatives and/or security personnel. 9. Log movements of containers in or out of a special security holding area, showing: date, time, seal number, name of truck-man and company making pick-up, and registration number of equipment used. SECURITY EDUCATION General Standards Management should institute a security awareness program for all personnel. Recommended Specifications 1. conduct a program of periodic security seminars for all employees involved in cargo handling and documentation processing, stressing the importance of: (a) Maintaining legible & accurate cargo tallies, (b) Processing only legible documents, (c) Writing only in ink or ball point pen, (d) Completing all information required for shipping documents, (e) Obtaining clearly written signatures (f) Safeguarding the confidentiality of shipping and entry documents, and (g) Maintaining good cargo security generally. 2. Include in the security awareness program posters, stickers, payroll stuffers, monetary incentives, and properly worded reward signs.

52


Develop PLAN Illustration of Plan Development ACME as Importer

Back TOC8

Develop and implement a sound plan to enhance security procedures throughout your supply chain. Where an importer does not control a facility, conveyance or process subject to these recommendations, the importer agrees to make every reasonable effort to secure compliance by the responsible party. New business partner requirements involve verifiable processes to select manufacturers, product suppliers, and/or vendors, carriers, terminal operators, brokers, and consolidators. ACME is to ensure that the pertinent security measures are in place and adhered to by the business partners, and are documented in a security profile or report in the C-PAT profile submission for these suppliers. Business partners must provide a report, which outlines their current securing procedures to identify potential weaknesses and to verify that the standards are being met. Service providers are to indicate participation in C-TPAT for the Carrier Initiative Program (CIP), Super Carrier Initiative Program (SCIP), and the Business Anti-Smuggling Coalition (Basic). Through the Internet-based Status Verification Interface (SVI) in the C-TPAT section, C-TPAT members can confirm whether or not concerned parties are C-TPAT participants. Procedural Security: Procedures should be in place to protect against unmanifested material being introduced into the supply chain. Security controls should include the supervised introduction/removal of cargo, the proper marking, weighing, counting and documenting of cargo/cargo equipment verified against manifest documents, the detecting/reporting of shortages/overages, and procedures for verifying seals on containers, trailers, and railcars. The movement of incoming/outgoing goods should be monitored. Random, unannounced security assessments of areas in your company's control within the supply chain should be conducted. Procedures for notifying Customs and other law enforcement agencies in cases where anomalies or illegal activities are detected, or suspected, by the company should also be in place. (Procedural security includes the preparation of documents that are complete, legible, accurate; and protected against the change, loss or introduction of erroneous information.) Physical Security: All buildings should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Physical security should include perimeter fences, locking devices on external and internal doors, windows, gates and fences, adequate lighting inside and outside the facility, and the segregation and marking of international, domestic, high-value, and dangerous goods cargo within the warehouse by a safe, caged or otherwise fenced-in area. (Physical access controls must prevent unauthorized entry and access to facilities, and are to require positive identification of all employees, visitors, and vendors at points of entry for employees, visitors, and deliveries; challenging and removing unauthorized persons; and securing physical access.) Access Controls: Unauthorized access to facilities and conveyances should be prohibited. Controls should include positive identification all employees, visitors, and vendors. Procedures should also include challenging unauthorized/unidentified persons. Personnel Security: Companies should conduct employment screening and interviewing of prospective employees to include periodic background checks and application verifications. (Personnel security requirements include screening of perspective employees to verify pre-employment, background investigations, and personnel termination procedures.) Education and Training Awareness: A security awareness program should be provided to employees including the recognition of internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. These

programs should offer incentives for active employee participation in security controls. Manifest Procedures: Companies should ensure that manifests are complete, legible, accurate, and submitted in a timely manner to Customs. Documentary Controls Procedural security includes the preparation of documents that are complete, legible, accurate; and protected against the change, loss or introduction of erroneous information.

Cargo Handling: The shipping and receiving of cargo should be reconciled against advanced information on the cargo manifest, and departing cargo should be verified against purchase or delivery orders. All cargo discrepancies must be resolved or investigated. Mail and package deliveries Conveyance Security: Conveyance integrity should be maintained to protect against the introduction of unauthorized personnel and material. Security should include the physical search of all readily accessible areas, the securing of internal/external compartments and panels, and procedures for reporting cases in which unauthorized personnel, un-manifested materials, or signs of tampering, are discovered. Container Security: As to container security, importers must require that procedures be in place at the time of container stuffing and sealing to maintain the integrity of the cargo, including a high security mechanical seal affixed to the loaded container. All seals must meet or exceed current PAS ISO 17712 standards for high-security mechanical seals. Procedures must also be in place to verify the physical integrity of the container prior to sealing. Seal changes must be recorded, reported and updated in a timely manner, in addition to the container being checked at each delivery point. Containers must be stored in secure areas.

53


Developing a plan to begin the security procedure for your company. Back TOC8 1. Action Plan 55 2. Corporate Policy Statement 3. Memorandum of Understanding (MOU) a. MOU - Internal Departments b. MOU Business Partners 4. Confidential Questionnaire 5. U.S. & Overseas C-TPAT Site Procedures 6. C-TPAT Improvement Plan Template (refer to 9) 7. Supply Chain IMPORT/EXPORT Organization 8. Employee C-TPAT Training 9. Updates/Enhancement - Additions to Plan Continuous Improvement 10. C-TPAT Checklist 11. Internal Audits

54


1. Action Plan (STEP ONE) Back TOC8 ACME Corporation’s “Action Plan” is directed to prevent the introduction of persons or material(s) harmful to the United States. The action is being implemented through our Security Plan, which is part of our Customs Import Compliance Manual. An existing Security Plan is in effect due to the nature of our commodities or loss prevention. These plans represent the foundation upon which we build. A. The Action Plan addresses and contains the following elements: Corporate Policy Statement Memorandum of Understanding between Company Departments Memorandum of Understanding between Company and Business Partners Vendors Confidential Questionnaires C-TPAT Site Procedures, Domestic and Foreign C-TPAT Improvement Plan Template Organization of IMPORT/EXPORT Supply Chain Employee C-TPAT Training Security Awareness C-TPAT Checklist Updates/Enhancement Module Additions to Plan Internal Audit B. Modify the existing Security Plan to include C-TPAT compliant issues 1. Add physical security requirements 2. Personnel security modify procedures to comply with C-TPAT 3. Modify access procedures to control unauthorized personnel 4. Modify IT security for C-TPAT requirement 5. Include Education and Training Security Awareness to plan a. provide each facility with means to train and document when accomplished 6. Provide Security procedures for domestic and international conveyance

7. Include Manifest Procedures to provide document security C. Adjust Security Plan as knowledge of enhancements are known D. Institute an Internal Audit Plan that includes C-TPAT Program ACTION PLAN Step 1 1. A clear policy statement must be completed and signed by Officer(s). Step 2 This document will set the tone and give force to the program. See page 58 as to what is suggested as requirements for a bona-fide compliance manual. Initial Action 2. MOU Internal Step 3a There are many departments within the company that have a role in the import/export function. Each involved department manager should sign a MOU that sets out the fundamentals and respective responsibilities. Specific Responsibilities:: Define the department roles Transportation - Verify the security of transporting from stuffing to arrival at receiving Purchasing - Specify documents integrity and control Assign to each department

Possible Departments involved: Import/Export, Security, logistics/transportation, purchasing, manufacturing, shipping/receiving, warehousing, personnel/human resources, information technology, legal, finance, others - Follows corporate policy 3. MOU External - Business Partners Step 3b Those entities that are external must sign a MOU and provide documentation to support their commitment. A signed document places a "legal" responsibility on the partner. It also serves as a direct link to their control, an understanding, oversight and audit or verification ability. Action in coordination with point 2 and 4 4. Questionnaire Step 4 All of the identified parties in 3 should complete a detailed questionnaire within a specified time period (30 days or so). The questions are thorough and expand beyond the minimum required by Customs. They are also prepared to be verifiable.

Include a statement that they are subject to random verification/audit. 5. U.S. and Overseas C-TPAT Site Procedures

55

Action with point 3


Step 5 Specific procedures should be documented by a formal plan. Incorporate existing company procedures. Areas that specifically should be addressed are: Back TOC8 Facilities Security, Personnel, Product, Control - from stuffing, storage, pick-up, pre-carriage, main carriage and on carriage, receiving, verification. Security in domestic storage and distribution. Action with points 3 and 4 6. Improvement Position covered in Step 9 Time allows for development and changes. New information and requirements become appropriate. Provision for incorporation of these should be made in the "Plan". Changing trends, flexibility, knowledge of new methods require adaptation. Provide a log record of improvements and date. 7. Import/Export Supply Chain Organization Step 7 Guidance on import and export procedures needs to be incorporated into plans that show the organization of the process. Security requires control of the process. also see page 463 Import Compliance Manual, Export Compliance Manual, delegation of responsibilities and control of the movement from loading through delivery should be recorded and a method of internal review stressed. Action after point 5 and time line of 30 days continuing 8. Training on C-TPAT Awareness Step 8 Introductory training to all concerned (documented). A method of updating with current and possible anticipated actions (documented). Within 30 days of Step 1 9. Updates/Enhancements Step 9 Provide an appendix with a record of updates, improvements, changes. This illustrates that the plan is living. Action 30 to 60 days after point 1

10. C-TPAT Checklist Step 10 Develop a check list of starting with the elements in this Action Plan. Within each area assign specific points to verify. Provide for the auditor to initial and date. It might be advisable to audit the auditor. An incentive to perform these duties well should be provided. Action 30 to 60 days after point 1 11. Internal Audit (Outside too) Step 11 Action 30 to 60 days after point 1 Bold Type is suggested time line

56


2 ACME C-TPAT Policy Statement

Back TOC8

ACME recognizes our important role in increasing the overall security level in global sourcing. We are committed to working with our customers, business partners and the U. S. Customs Service to ensure we are conducting operations at the highest security standards. To support U.S. Customs' mission of improving supply chain security and protecting the global trade network from terrorism, we, as a C-TPAT participant, have established and enhanced policies to improve supply chain security practices in the areas of procedural security, physical security, personnel security, education and training, access controls, manifest procedures, and conveyance security. (Refer to the Federal Guidelines where it indicates to be effective that high level (officers) must support and monitor)

Signed ----Officer

(1)

Date

(1) This means that Officers & Directors have decided to commit - advisable to record that meeting as a matter of record. (2) Control environment. Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. An effective internal control environment* sets the tone of the organization, influencing the control consciousness of its people; * is the foundation for all other components of internal control; * describes "organizational culture"; * includes a commitment to hire, train, and retain qualified staff; and * encompasses both technical competence and ethical commitment. Management support sets the tone. A clear statement of support is essential. (Federal Guidelines) 3 A Agreement to Voluntarily Participate Customs-Trade Partnership Against Terrorism ACME INTERNAL MOU (Memorandum of Understanding) This Agreement is made between concerned department partners. This Agreement is intended to enhance the joint efforts of ACME to develop a more secure border environment by focusing on the physical security of the production, transportation, and importation elements of the supply chain process. Customs and ACME recognize the need to address these security issues in order to maintain an efficient and compliant import process. Each DEPARTMENT agrees to develop and implement, within a framework consistent with the attached recommendations/guidelines, a verifiable, documented program to enhance security procedures which fall under its area of responsibility. The listed recommendations/guidelines reflect the mutual understanding of the Business partner and what constitutes the basic elements of supply chain security. See requirements Departments Transportation __________________ Name

Date

Purchasing

__________________ Name

Date

Accounting

__________________ Name

Date

OTHER Attachment

TD 72-56

Profile Security Elements

57


Inform Employees Back TOC8 For Distribution to Employees ACME has chosen to participate in the Customs-Trade partnership Against Terrorism (C-TPAT) Security Since the attacks of September 11, 2001 Customs and Border Protection (CBP) has realized that a new level of security at U.S. borders is required to protect. CBP recognizes that the only way to provide the highest level of security is to work with the ultimate owners of the supply chain, including: importers carriers, customs brokers, freight forwarders, warehouse operators, manufacturers, ports and terminals. What is C-TPAT C-TPAT is a joint government-business initiative designed to build cooperative relationships that strengthen supply chain and border security. The ultimate goal of C-TPAT is to create a more secure and efficient supply chain through partnerships with the

trade community. CBP has taken the lead in developing new procedures to improve security and efficiency, at both U.S. borders and abroad, with programs like C-TPAT. With the lead of CBP, the World Customs Organization (WCO) has adopted a similar security strategy. The WCO represents 161 countries, accounting for 97% of world trade. Many of the goals of the WCO reflect CBP's initiatives in container security and C-TPAT.

For participation in C-TPAT, CBP requires the following: * Conduct a comprehensive self-assessment of supply chain security using C-TPAT guidelines * Submit a completed Supply Chain Security Profile * Develop and implement an enhanced security program following C-TPAT guidelines •

Documentation of security procedures

Participation in C-TPAT is available to the following: Importers Carriers Brokers Manufacturers/Suppliers Warehouse Operators Ports and terminal operators Overseas manufacturers Air Freight Consolidators/Ocean Transportation

Intermediaries, and NVOCCs

Benefits of Participation: Reduced number of inspections Ability to participate in the FAST program with Canada and Mexico Monthly payments of duties An assigned account manager from CBP Invited to attend CBP's C-TPAT seminars Being an active participant with CBP in cargo security programs Ability to participate in other CBP programs such as the Importer Self Assessment,

which can potentially take you out of the Focused Assessment pool for audits

Distributed to employees Signed ________________

Date __________ Date___________

Reason - To be successful, employees must buy into program.

58


3B

ACME VENDOR MOU

This Agreement is made between concerned buyer and foreign seller business partners. This Agreement is intended to enhance the joint efforts of ACME to develop a more secure border environment by focusing on the physical security of the production, transportation, and importation elements of the supply chain process. Customs and the ACME recognize the need to address these security issues in order to maintain an efficient and compliant import process. Back TOC8 ________Each foreign business partner agrees to develop and implement, within a framework consistent with the attached recommendations/ guidelines, a verifiable, documented program to enhance security procedures which fall under its area of responsibility. ________________ Name, Title ________ Date

_____________ Name, Title __________ Date

The listed recommendations/guidelines reflect the mutual understanding of the foreign business partner and what constitutes the basic elements of supply chain security. To sellers/shippers Date______________ ACME , Inc. TO: International Suppliers shipping products to the United States ACME , Inc is pursuing membership in the U. S. Customs Trade Partnership Against Terrorism ("C-TPAT"). C-TPAT is a U. S. government-business initiative launched to strengthen supply chain security. As part of the process, ACME must assess its own security practices as well as communicate Customs C-TPAT security recommendations to international business partners to encourage review and enhancement of their security processes as needed. What we need from you: If your company exports to ACME in the U.S., refer this letter to the security representative most knowledgeable about shipments to ACME. Encourage him/her to review the attached U. S. Customs supply chain security recommendations. Ask your security representative to complete and return the attached ACME Supply Chain Security Acknowledgement by date to Attn xxxxx by fax (xxx) xxx-xxxx or by email. The person completing the ACME Security Acknowledgement should be told that U. S. Customs could request an on-site visit to your facility to verify security procedures. Accessibility to written security procedures and evidence of periodic review of internal controls to ensure compliance will be beneficial. Adherence to

C-TPAT security recommendations will help strengthen security for all supply chain members. Questions about CTPAT may be directed to me at (336) 861-0075 or by email to. Further information about C-TPAT is available at the U.S. Customs website http://www.cbp.gov. I appreciate your cooperation in this important security initiative. Sincerely, Xxxxxxxxx 2007 ACME Supply Chain Security Acknowledgement Read the attached C-TPAT security recommendations from U. S. Customs. Then describe your company's security procedures related to exports to ACME in the U.S. by checking ( ) the appropriate space below. Select ( ) the category that best describes your business with ACME entities in the U. S. Manufacturer ( ) Warehouse Operator ( ) Freight Forwarder ( ) Customer returning U.S. originating products, packing materials, etc. ( ) Other, specify type ( )

59


Have you read the attached U.S. Customs security recommendations and compared them to your security program to identify changes, if needed? Yes ( ) No ( ) Comments Does your company have written security procedures at non-U.S. facilities doing business with ACME and conduct periodic reviews of internal controls to ensure security compliance? Yes ( ) No ( ) Comments Has your company been accepted by U.S. Customs as a certified member of C-TPAT, the Business Anti-Smuggling Coalition (BASC) or other internationally-recognized security initiatives? Yes, C-TPAT Yes, BASC Yes, specify other No ( ) Comments Have you developed and communicated a process to report shipment losses or abnormalities, whether suspected or confirmed, to ACME local management?

Yes ( ) No ( ) Comments Identify the individual to whom questions about security of ACME shipments may be directed: Contact Name & Title Phone Company Name Email Address Fax (insert Company Name) _____________________________ acknowledges ACME'S emphasis on supply chain security and recognizes the expectation that business partners share that commitment. I understand that ACME may refer

security inquiries from U. S. Customs to me. NAME: _______________________________ TITLE________________________________ SIGNATURE: __________________________ DATE _______________________________ Your security responsibilities extend from your site to the source. The idea is that the originating supplier has control of the item that is loaded and sees that the carrier is secure pre-carriage leg to the international movement. Secure from origination to delivery. It is your responsibility as the party causing the importation/exportation. This means that you can not rely on paper alone but it is a start. Once there is evidence that the supplier has a security plan, it is incumbant that a audit be performed (verification). This should reduce theft risk also...thus there is pay back.

60


Minimum-Security Criteria for C-TPAT Foreign Manufacturers in English (10/01/2007) Back TOC8 These minimum security criteria are fundamentally designed to be the building blocks for foreign manufacturers to institute effective security practices designed to optimize supply chain performance to mitigate the risk of loss, theft, and contraband smuggling that could potentially introduce terrorists and implements of terrorism into the global supply chain. The determination and scope of criminal elements targeting world commerce through internal conspiracies requires companies, and in particular, foreign manufacturers to elevate their security practices. At a minimum, on a yearly basis, or as circumstances dictate such as during periods of heightened alert, security breach or incident, foreign manufacturers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria. Where a foreign manufacturer out-sources or contracts elements of their supply chain, such as another foreign facility, warehouse, or other elements, the foreign manufacturer must work with these business partners to ensure that pertinent security measures are in place and are adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution and recognizes the diverse business models C-TPAT members employ. C-TPAT recognizes the complexity of international supply chains and security practices, and endorses the application and implementation of security measures based upon risk1. Therefore, the program allows for flexibility and the customization of security plans based on the members business model. Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the Foreign manufacturers supply chains - based on risk2. BUSINESS PARTNER REQUIREMENT CONTAINER & TRAILER SECURITY PHYSICAL ACCESS CONTROLS PERSONNEL SECURITY PROCEDURAL SECURITY PHYSICAL SECURITY INFORMATION TECH SECURITY SECURITY TRAINING & THREAT AWARENESS

Business Partner Requirement Foreign manufacturers must have written and verifiable processes for the selection of business partners including, carriers, other manufacturers, product suppliers and vendors (parts and raw material suppliers, etc). Security procedures For those business partners eligible for C-TPAT certification (carriers, importers, ports, terminals, brokers, consolidators, etc.) the foreign manufacturer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. For those business partners not eligible for C-TPAT certification, the foreign manufacturer must require that their business partners to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation (e.g., contractual obligations; via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security criteria or an equivalent World Customs Organization (WCO) accredited security program administered by a foreign customs authority; or, by providing a completed foreign manufacturer security questionnaire). Based upon a documented risk assessment process, non-C-TPAT eligible business partners must be subject to verification of compliance with C-TPAT security criteria by the foreign manufacturer. Point of Origin Foreign manufacturers must ensure that business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin, assembly or manufacturing. Periodic reviews of business partners processes and facilities should be conducted based on risk, and should maintain the security standards required by the foreign manufacturer. Participation/Certification in a Foreign Customs Administration Supply Chain Security Program Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs Administration should be required to indicate their status of participation to the foreign manufacturer. Security Procedures On U.S. bound shipments, foreign manufacturers should monitor that C-TPAT carriers that subcontract

61


transportation services to other carriers use other C-TPAT approved carriers, or non-C-TPAT carriers that are meeting the C-TPAT security criteria as outlined in the business partner requirements. As the foreign manufacturer is responsible for loading trailers and containers, they should work with the carrier to provide reassurance that there are effective security procedures and controls implemented at the point-of-stuffing.

Container and Trailer Security

Back TOC9 Container and trailer integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At the point-of-stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers and trailers. A high security seal must be affixed to all loaded containers and trailers bound for the U.S. All seals must meet or exceed the current PAS ISO 17712 standard for high security seals. In those geographic areas where risk assessments warrant checking containers or trailers for human concealment or smuggling, such procedures should be designed to address this risk at the manufacturing facility or point-of-stuffing. Container Inspection Procedures must be in place to verify the physical integrity of the container structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. A seven-point inspection process is recommended for all containers: · Front wall Left side · · Right side · Floor · Ceiling/Roof · Inside/outside doors · Outside/Undercarriage Trailer Inspection Procedures must be in place to verify the physical integrity of the trailer structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. The following five-point inspection process is recommended for all trailers: · Fifth wheel area - check natural compartment/skid plate Exterior - front/sides · · Rear - bumper/doors · Front wall · Left side Container and Trailer Seals The sealing of trailers and containers, to include continuous seal integrity, are crucial elements of a secure supply chain, and remains a critical part of a foreign manufacturers commitment to C-TPAT. The foreign manufacturer must affix a high security seal to all loaded trailers and containers bound for the U.S. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals. Written procedures must stipulate how seals are to be controlled and affixed to loaded containers and trailers, to include procedures for recognizing and reporting compromised seals and/or containers/trailers to US Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute seals for integrity purposes. Container and Trailer Storage Containers and trailers under foreign manufacturer control or located in a facility of the foreign manufacturer must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers/trailers or container/trailer storage areas.

Physical Access Controls Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees, visitors, and vendors at all points of entry. Employees An employee identification system must be in place for positive identification and access control purposes. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. Visitors Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and should visibly display temporary identification.

62


Deliveries (including mail) Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated. Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons. Personnel Security Back TOC9 Processes must be in place to screen prospective employees and to periodically check current employees. Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment. Background Checks / Investigations Consistent with foreign regulations, background checks and investigations should be conducted for prospective employees. Once employed, periodic checks and reinvestigations should be performed based on cause, and/or the sensitivity of the employees position. Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees.

Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling, and storage of cargo in the supply chain. Documentation Processing Procedures must be in place to ensure that all information used in the clearing of merchandise/cargo, is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information. Manifesting Procedures To help ensure the integrity of cargo, procedures must be in place to ensure that information received from business partners is reported accurately and timely. Shipping and Receiving Departing cargo being shipped should be reconciled against information on the cargo manifest. The cargo should be accurately described, and the weights, labels, marks and piece count indicated and verified. Departing cargo should be verified against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Procedures should also be established to track the timely movement of incoming and outgoing goods. Cargo Discrepancies All shortages, overages, and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. Customs and/or other appropriate law enforcement agencies must be notified if anomalies, illegal or suspicious activities are detected - as appropriate.

Physical Security Cargo handling and storage facilities in international locations must have physical barriers and deterrents that guard against unauthorized access. Foreign manufacturer should incorporate the following C-TPAT physical security criteria throughout their supply chains as applicable. Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be regularly inspected for integrity and damage. Gates and Gate Houses Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. Parking Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. Locking Devices and Key Controls All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas.

63


Alarms Systems and Video Surveillance Cameras Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas. Information Technology Security Password Protection Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training. Accountability A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. Security Training and Threat Awareness Back TOC9 A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists and contraband smugglers at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail. Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies, and protecting access controls. These programs should offer incentives for active employee participation. 1 Foreign manufacturers shall have a documented and verifiable process for determining risk throughout their supply chains based on their business model (i.e., volume, country of origin, routing, C-TPAT membership, potential terrorist threat via open source information, having inadequate security, past security incidents, etc.). 2 Foreign manufacturer shall have a documented and verifiable process for determining risk throughout their supply chains based on their business model (i.e., volume, country of origin, routing, potential terrorist threat via open source information, etc.)

C-TPAT Application Instructions for Foreign Manufacturers **(also see page 18) Step 1. Prepare a C-TPAT Supply Chain Security Profile. Manufacturers are required to submit to CBP a Supply Chain Security profile that addresses each item in the C-TPAT Security Guidelines for Manufacturers. The Security Profile should summarize the Manufacturer's ability to adhere to the below listed C-TPAT Security Guidelines for Manufacturers. Failure to provide a comprehensive security profile will delay further processing of the company's C-TPAT application. C-TPAT Security Guidelines for Foreign Manufacturers (not exhaustive, a start point) Manufacturers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security guidelines. Where a Manufacturer out sources or contracts elements of their supply chain, such as a transportation, conveyance, warehouse, broker, consolidator or other elements, the Manufacturer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution and recognizes the diverse business models C-TPAT members employ. C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based upon risk analysis. Therefore, the program allows for flexibility and the customization of security plans based on the member's business model. As listed throughout this document, appropriate security measures, based on risk must, be implemented and maintained throughout the Manufacturer's supply chains. Conveyance Security Conveyance integrity procedures must be maintained to protect against the introduction of unauthorized personnel and material. Conveyance Inspection Procedures The Manufacturers must ensure Carriers have conveyance inspection security procedures that include a physical search of all readily accessible conveyance areas, securing all internal/external compartments, panels and reporting cases in which unmanifested materials or signs of tampering are discovered. Conveyance inspections must be documented utilizing a checklist completed by the driver prior to departure from the last point of loading prior to reaching the U.S. border. Management Verification Process The Manufacturer's management shall ensure that Carriers have conveyance inspection procedures that include performing periodic unannounced random conveyance inspections for the Carrier's conveyances en route to the U.S. border. The management conveyance inspection verification process must be documented and records maintained for at least 180 days. Conveyance Tracking and Monitoring Procedures C-TPAT Manufacturers shall verify Carriers have conveyance tracking and monitoring procedures

64


that include electronic means for tracking driver movement and activity while transporting cargo en route to the U.S. border. Conveyance tracking and monitoring must be documented utilizing an activity log. Manufacturers must verify that Carrier management performs a documented, periodic, and unannounced verification process to ensure conveyance tracking and monitoring procedures are being followed. Business Partner Requirements Manufacturers must have written and verifiable processes for the screening and selection of business partners including customers, contractors, and vendors. Ensure that contracted service provider companies who provide security, transportation, and cargo handling services commit to C-TPAT Security Guidelines. Periodically review the performance of the service providers to detect weakness or potential weaknesses in security. Security Procedures Back TOC9 For those business partners eligible for C-TPAT certification (carriers, U.S. ports, terminals, importers, brokers, consolidators, etc.) the Manufacturer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) to determine if these business partners are C-TPAT certified. For those business partners not eligible for C-TPAT certification, Manufacturers must require their business partners to demonstrate that they are meeting C-TPAT security guidelines via written/electronic confirmation (e.g., contractual obligations; via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security guidelines or an equivalent World Customs Organization (WCO) accredited security program administered by a Foreign Customs Authority; or, by providing a completed Manufacturer security questionnaire). Based upon a documented risk assessment process, non-C-TPAT eligible business partners must be subject to verification of compliance with C-TPAT security guidelines by the Manufacturer.

Point of Origin Manufacturers must ensure business partners develop security processes and procedures consistent with the C-TPAT security guidelines to enhance the integrity of the shipment at point of origin. Periodic reviews of business partners' processes and facilities should be conducted based on risk and should maintain the security standards required by the Manufacturer. Participation / Certification in Foreign Customs Administrations Supply Chain Security Programs Current or prospective business partners who have obtained a certification in a supply chain security program being administered by a Foreign Customs Administration should be required to indicate their status of participation to the Manufacturer. Other internal criteria for selection Internal requirements,, such as financial soundness, capability of meeting contractual security requirements and the ability to identify and correct security deficiencies as needed, should be addressed by the Manufacturer. Internal

requirements should be assessed against a risk-based process as determined by an internal management team. Container Security Container integrity must be maintained to protect against the introduction of unauthorized material and/or persons. At point of stuffing, procedures must be in place to properly seal and maintain the integrity of the shipping containers. A high security seal must be affixed to all loaded containers bound for the U.S. All seals must meet or exceed the current PAS ISO 17712 standards for high security seals. Container Inspection Procedures must be in place to verify the physical integrity of the cargo container structure prior to loading, to include the reliability of the locking mechanisms of the doors. An inspection process is recommended for all full and empty containers:: Full: * Left side * Right side

* Roof * Outside doors, hinges, hasps * Undercarriage Empty: * Front wall * Left side * Right side * Floor * Ceiling/Roof * Inside/Outside doors, hinges, hasps * Outside/Undercarriage Container Seals Written procedures must stipulate how seals are to be controlled and affixed to loaded containers. Procedures must be in place for recognizing and reporting compromised seals and/or containers to US Customs and Border Protection or the appropriate foreign authority. Only designated employees should distribute container seals for integrity purposes. Container Storage Containers must be stored in a secure area to prevent unauthorized access and/or manipulation. Procedures must be in place for reporting and neutralizing unauthorized entry into containers or container storage areas.

65


Physical Access Controls Access controls prevent unauthorized entry to conveyances and facilities, maintain control of employees, visitors and protect company assets. Access controls must include the positive identification of all employees, visitors and vendors at all points of entry. Employees An employee identification system must be in place for positive identification and access. Employees should only be given access to those secure areas needed for the performance of their duties. Company management or security personnel must adequately control the issuance and removal of employee, visitor and vendor identification badges. Procedures for the issuance

removal and changing of access devices (e.g. keys, key cards, etc.) must be documented. Visitors Controls

Back TOC9

Visitors must present photo identification for documentation purposes upon arrival. All visitors should be escorted and visibly display temporary identification. Deliveries (including mail) Proper vendor ID and/or photo identification must be presented for documentation purposes upon arrival by all vendors. Arriving packages and mail should be periodically screened before being disseminated. Challenging and Removing Unauthorized Persons Procedures must be in place to identify, challenge and address unauthorized/unidentified persons. Personnel Security Processes must be in place to screen prospective employees and to periodically check current employees. Maintain a current permanent employee list, which includes the name, date of birth, national identification number or social security number, position held, and submit such information to CBP upon written request, to the extent permitted by law. Pre-Employment Verification Application information, such as employment history and references must be verified prior to employment. Background checks / investigations Consistent with foreign, federal, state and local regulations, background checks and investigations should be conducted for prospective employees. Periodic checks and reinvestigations should be performed based on cause and/or the sensitivity of the employee's position. Personnel Termination Procedures Companies must have procedures in place to remove identification, facility, and system access for terminated employees. Procedural Security Security measures must be in place to ensure the integrity and security of processes relevant to the transportation, handling and storage of cargo in the supply chain.

Documentation Processing Procedures must be in place to ensure that all documentation used in the clearing of merchandise/cargo, is legible, complete, accurate and protected against the exchange, loss or introduction of erroneous information. Documentation control must include safeguarding computer access and information. Manifesting Procedures To help ensure the integrity of cargo received from abroad, procedures must be in place to ensure that information received from business partners is reported accurately and timely. Ensure that all bills of lading and other documentation submitted for cargo is complete and a system in place to verify the accuracy of the weight, marks and quantity of the shipment. Shipping & Receiving Arriving cargo should be reconciled against information on the cargo manifest. The cargo should be accurately described, weighed, labeled, marked, counted and verified. Departing cargo should be checked against purchase or delivery orders. Drivers delivering or receiving cargo must be positively identified before cargo is received or released. Cargo Discrepancies All shortages, overages and other significant discrepancies or anomalies must be resolved and/or investigated appropriately. CBP and/or other appropriate law enforcement agencies must be notified if illegal or suspicious activities are detected. Security Training and Threat Awareness A threat awareness program should be established and maintained by security personnel to recognize and foster awareness of the threat posed by terrorists at each point in the supply chain. Employees must be made aware of the procedures the company has in place to address a situation and how to report it. Additional training should be provided to employees in the shipping and receiving areas, as well as those receiving and opening mail. Additionally, specific training should be offered to assist employees in maintaining cargo integrity, recognizing internal conspiracies and protecting access controls. These programs should offer incentives for active employee participation. Conduct periodic unannounced security checks to ensure that all procedures are being performed in accordance with defined guidelines. Physical Security Cargo handling and storage facilities in domestic and foreign locations must have physical barriers and deterrents that guard against unauthorized access. U.S./Canada Highway Carriers should incorporate the following C-TPAT physical security guidelines throughout their supply chains as applicable.

66


Fencing Perimeter fencing should enclose the areas around cargo handling and storage facilities. Interior fencing within a cargo handling structure should be used to segregate domestic, international, high value, and hazardous cargo. All fencing must be

regularly inspected for integrity and damage. Gates and Gate Houses Gates through which vehicles and/or personnel enter or exit must be manned and/or monitored. The number of gates should be kept to the minimum necessary for proper access and safety. Parking Private passenger vehicles should be prohibited from parking in or adjacent to cargo handling and storage areas. Building Structure Buildings must be constructed of materials that resist unlawful entry. The integrity of structures must be maintained by periodic inspection and repair. Locking Devices and Key Controls Back TOC9 All external and internal windows, gates and fences must be secured with locking devices. Management or security personnel must control the issuance of all locks and keys. Lighting Adequate lighting must be provided inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas. Alarms Systems & Video Surveillance Cameras Alarm systems and video surveillance cameras should be utilized to monitor premises and prevent unauthorized access to cargo handling and storage areas.

Information Technology Security Information Technology (IT) integrity must be maintained to protect data from unauthorized access or manipulation. Password Protection Automated systems must use individually assigned accounts that require a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training. back TOC10 Accountability A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse. Step 2. Submission of your application Submit your C-TPAT application and other required supplemental information via the C-TPAT Online Application submission process. Step 3. After entering your online application Applicants will be directed to upload your Supply Chain Security Profile. The only acceptable file formats are limited to: .doc, .rtf, .pdf, and .txt files. IMPORTANT: You must be ready to UPLOAD your Supply Chain Security Profile IMMEDIATELY upon completion of the online application. Step 4. CBP Review Process Upon receipt, CBP will review the Manufacturer's completed supply chain Security Profile. After CBP completes the profile review, the Manufacturer will receive feedback on their supply chain security profile within 60 days.

** [C-TPAT Application Qualifications for Foreign Manufacturers Currently, C-TPAT for Foreign Manufacturers is open to manufacturers in Mexico and other Foreign Manufacturers by invitation only.**]

67


4 ACME Business Partner Security Questionnaire (General Type) In maintaining security in our logistical supply and business chain, please answer the following questions and return within 30 days. If you are eligible for C-TPAT certification, have you applied and been certified? Yes____ NO____ If so, provide documentation (C-TPAT certificate, SVI number, etc.). Do you have evidence of Participation/Certification in Foreign Customs Administrations Supply Chain Security Program? Yes____ NO____ (if so furnish documentary evidence) Do you have controls over the following? Back TOC10 Physical Security: All buildings should be constructed of materials, which resist unlawful entry and protect against outside intrusion. Yes____ No_____ Do you have? Fencing Yes____ NO____ Gates and Gate Houses Yes____ NO____ Parking Restrictions to prevent private parking within or adjacent to cargo areas Yes____ NO____ Locking Devices and Key Controls - controls on use and access Yes____ NO____ Lighting - adequate to deter Yes____ NO____ Alarm Systems & Video Surveillance Cameras - Are these in use? Should be. Yes____ NO____ Information Technology Security - pass word access and security training Yes____ NO____ Access Controls: Unauthorized access to the shipping, loading dock and cargo areas should be prohibited. Controls include a method of identifying employees, visitors and vendors at point of entry. Are these controls in place? Yes____NO____ System in place requiring visitors and vendors to present photo identification. Yes____ NO____ Do you have a policy system to challenge and remove unauthorized persons? Yes____ NO____ Container Security: At point of stuffing, do you have controls to properly seal and maintain the integrity of the shipping container? Yes____

No_____

Container Inspection: Do you have a container inspection prior to loading, with special emphasis on the locking mechanisms of the doors? Check the following 7 points: Front Wall Left Side Right Side Floor Ceiling/Roof Inside/outside Doors Outside/Undercarriage Yes____ NO____ Container Seals: Do you have written procedures on how seals are controlled and affixed to loaded containers? Yes____ NO____ Do you have a procedure for reporting seal and/or container discrepancies? Yes____ NO____ Do you have control over the seals so that they are not misused? Yes____ NO____ Container Storage: Do you secure the containers in a controlled area?

68

Yes____NO____


Procedural Security: Measures for the handling of incoming and outgoing goods should include the protection against the introduction, exchange, or loss of any legal or illegal material. Yes____ NO____ Documentation Processing: Measures should ensure that all information provided by the importer/exporter, freight forwarder, etc., and used in the clearing of merchandise/cargo, is legible and protected against the exchange, loss or introduction of erroneous information. Documentation controls should include: Procedures for maintaining the accuracy of information received, including the shipper and consignee name and address, first and second notify parties, description, weight, quantity, and unit of measure (i.e. boxes, cartons, etc.) of the cargo being cleared. Procedures for recording, reporting, and/or investigating shortages and overages of merchandise/cargo. Procedures for tracking the movement of incoming and outgoing goods. Procedures to safeguard computer access and information. Yes____ No_____ Personnel Security: Companies should conduct employment screening and interviewing of prospective employees to include periodic background checks and application verifications in accordance with applicable statutes and regulations. This should include periodic reviews. Back TOC10 Yes____ NO_____ Education and Training Awareness: A security awareness program should be provided to employees and include instruction on how to recognize internal conspiracies, maintaining product integrity, and determining and addressing unauthorized access. These programs should offer incentives for active employee participation in security controls. Yes____ No_____ Threat Awareness: A threat awareness program should be established and maintained by security personnel to recognize and foster an awareness of the threat posed by terrorists and contraband smugglers at each point in the foreign-based logistical chain. This program should include routine briefings and issuance of memoranda illustrating smuggling trends, seizures and information on terrorist threats along routes or areas along the logistical chain. Yes____ No_____ Documentation Processing: Do you have a system to ensure that the shipment documentation is complete, accurate and protected against falling into the wrong hands. The process includes computer protection. Yes____ NO____ Manifest Procedures: The integrity of cargo must be protected and manifest information reported correctly so that pre-screening process is effective. Accurateness and timeliness is important. Yes____ NO____

_______________________ Officer Signature _______________________ Company Name _______________________ Date Simply sending your vendor or business partner a form to check is not enough. You must create a system that will go beyond the completed form with a method of audit verification.

69


Agreement to Voluntarily Participate Customs-Trade Partnership Against Terrorism MOU ACME This Agreement is made between concerned business partners. This Agreement is intended to enhance the joint efforts of ACME and its service vendors to develop a more secure border environment by focusing on the physical security of the production, transportation, and importation elements of the supply chain process. Customs and ACME recognize the need to address these security issues in order to maintain an efficient and compliant import process. Each business partner agrees to develop and implement, within a framework consistent with the attached recommendations/guidelines, a verifiable, documented program to enhance security procedures which fall under its area of responsibility. The listed recommendations/guidelines reflect the mutual understanding of the Business partner and what constitutes

the basic elements of supply chain security.

Back TOC10

__________________ Broker, Name and Title C-TPAT certified or validated so indicate____ indicate status of process ____certified____validated

(illustrates MOU and Broker responsibilities as follow) You need to work with a Broker who is in C-TPAT. The MOU and verification that the broker is accepted into C-TPAT should suffice.

70


EXECUTIVE SECURITY PROFILE SUMMARY EXAMPLE ACME Importer Number 56-123456-Any street Any Town Phone xxx ACME is committed to security and integrity of its supply chain. Back TOC10 We recognize that terrorism is a serious threat to the security of the United States and indeed the world. The vulnerability of societies to terrorist attacks results in part from the proliferation of chemical, biological, and nuclear weapons of mass destruction, but it also is a consequence of the highly efficient and interconnected systems that we rely on for key services such as transportation, information, energy, and health care. The efficient functioning of these systems reflects great technological achievements of the past century, but interconnectedness within and across systems also means that infrastructures are vulnerable to local disruptions, which could lead to widespread or catastrophic failures. As terrorists seek to exploit these

vulnerabilities, it is fitting that we harness our technological capabilities to counter terrorist threats. We are committed to furnishing business information that confirms the integrity of sourced materials and delivery methods that are free from the introduction of persons or materials that would or could be used to cause harm. ACME currently imports the majority of its products under HS, ____and parts of _____ (Chapter _) directly from countries. Some air freight is routed through ___.The C-TPAT contact person is ------. Physical Security 1. ACME has examined its facilities. All cargo handling and storage facilities provide a physical barrier against unauthorized access to cargo. a) All exterior doors and windows are equipped with locks or are secure. b) All windows through which entry can be made from ground level are secured by construction and security system. c) Shipping documents are secured. d) All delivery and receiving doors are constructed of steel or other material that will prevent or deter unlawful entry and are kept supervised or closed and locked when not in use. e) Freight access area is secure with fencing and security system contacts at doors f) Inspections, vigilance and construction prevent avenues for surreptitious entry through floors, roofs, or adjacent buildings g) Building has activated security system on the facility when not occupied. h) Adequate lighting is provided for: 1. Entrances and exits 2. Cargo areas, including container holding areas 3. Fenced lines 4. Parking areas 2. Supervised systems are in place from the point of shipment until receipt in warehouse to thwart theft or unauthorized entry.

Orders are placed electronically. ACME receives information concerning shipments from suppliers via email. Information is furnished to forwarders and Customs authorities. Purchasing is aware of shipments and email communication on shipments provides full knowledge. There have not been previous incidents of theft. Seals are placed on containers Receiving personnel check each shipment for contents; verifying quantities against shipment documents. Any discrepancy is brought to purchasing attention by warehouse receiving personnel. 3. Security measures are in place with respect to shipping and receiving controls. Shippers (identify countries): ACME primary import activity from these countries. All employees have access to the shipping area; any other party is escorted. Receiving: Seals are examined upon arrival of container. Cargo is tallied at time of receipt. In the event of any

discrepancies at time of delivery, the Import Compliance Manager is to be contacted. That manager is responsible to complete the Customs Form 5931 as appropriate. To facilitate accurate quantity and quality control, a check is made at receipt by packing list and invoice. Container Shipments & Seals All imported containers are sealed with Customs approved seals. Receiving inspects seals upon arrival. If the seals are not intact or there is evidence of tampering or the seal numbers are incorrect, notification of management is made and cargo is tallied. Used seals are safely disposed. 4. ACME has firewall and anti-virus security measures in place for protection of automated systems? 5. Security program's internal controls and method to report and correct problems are as follows:

71


1. Managers are tasked with reviewing internal security controls on a bi-annual basis. Employees are given orientation on terrorist threat in supply chain. Incidents of terrorist activity are communicated to employees. Employees are encouraged to report any improvement or exception found to management. 2. Personnel Department is to perform background checks at time of employment and update employee files every three years or more frequently if information is brought to a manager's attention. 3. ACME is considering improvements in electronic order processing to provide Customs information that would allow full disclosure (electronically) of transaction in advance of shipment. Protection of proprietary information is a concern. When Customs is able to assure that proprietary business information is protected, ACME will act to meet full electronic disclosure. Selection of one logistics provider is a goal to avoid multiple handling of shipment.

Personnel Security ACME employs approximately __ (X). Due to its size management is able to know individuals and reduce risk of insider activity that would pose a threat to its supply chain. (Describe your situation) ACME has a screening method included in its job advertisement and application process. Where appropriate criminal background checks are made. Primary product suppliers affirm that they conduct criminal checks. Foreign suppliers: Country 1 - They use an independent company to do background checks on all new employees before they are hired. Country 2 - They do background checks with the local police and have access to police files on all employees. Country 3.___________XXXXX Training consists of reviewing terrorist material and quiz. Instruction is given to contact managers of unusual events or behavior. Back TOC10 Code of conduct policy regarding security violations is same as other violations of law. Disciplinary steps regarding wrongful conduct may be subject to, but not limited to, reprimand, probationary action, and, or dismissal depending on the severity as determined by executive management review. Personnel (HR) provides any new employee with a supply chain security flyer. Each employee is trained on terror threat to the country with emphasis on introduction through the supply chain. The flyer instructs employee to report suspicious activity to management with emphasis on supply chain. ACME Service Provider Requirements - Product suppliers, Carriers, Forwarders X%(?) of supply chain is through C-TPAT certified parties. Those parties, not currently eligible for C-TPAT certification (foreign manufactures), have adopted TD 72-56 and suggested C-TPAT materials as guides. Working to ensure that entire supply chain consists of C-TPAT certified vendors. Standards for service providers' physical security are described in TD 72-56 and C-TPAT information on CBP website. Those are the primary guidance for standards incorporating experience and common sense. ACME Inc. is a small number employee company providing products for the ____Industry. X% of imports are from two main suppliers. Controls monitoring of the C-TPAT logistical supply chain is where our focus regarding production processes. ACME requests financial statements from providers. Attention to trade information is given for providers (trade associations, papers, periodicals). ACME has a check list for freight forwarder and broker selection. Information on seller and forwarder of imported goods is available under our C-TPAT information gathering process. Our suppliers participate in C-TPAT where the program is available. Off-shore facilities have furnished information in relation to TD 72-56 and C-TPAT recommended procedures. ACME is proceeding to use C-TPAT providers and limit the number of parties in its supply chain to maintain security integrity. ACME will perform an internal audit of the C-TPAT program requirements and its logistical supply chain annually. It

will maintain vigilance of supply chain events and make timely adjustments where needed to insure the integrity of the supply chain.

72


These elements comprise our security plan and are available for review. 1. Action Plan 2. Corporate Policy Statement 3. Memorandum of Understanding (MOU) a. MOU - Internal Departments b. MOU Business Partners 4. Confidential Questionnaire 5. U.S. & Overseas C-TPAT Site Procedures 6. C-TPAT Improvement Plan Template (refer to 9) 7. Supply Chain IMPORT/EXPORT Organization 8. Employee C-TPAT Training 9. Updates/Enhancement - Additions to Plan Continuous Improvement 10. C-TPAT Checklist 11. Internal Audits 5 ACME C-TPAT SITE PROCEDURES Overseas and U.S. C-TPAT Site Procedures. In order to formalize the documentation to support and verify C-TPAT requirements, a very specific Site Procedure document on the subject must be structured. The domestic site plan is based upon TD 72-56. Back TOC10 The foreign site plan is based upon TD 72-56 and C-TPAT Foreign Manufacturer Security Recommendations. (The importer is to ensure that the pertinent security measures are in place and adhered to by the business partners, and are documented in a security profile or report in the C-PAT profile submission for these suppliers. Business partners must provide a report which outlines their current securing procedures to identify potential weaknesses and to verify that the standards are being met.) Goal is to ensure that the manufacturer has controls, limits access, controls packing of container, seals with a Customs approved seal/lock, moves the goods under his control or a secure provider to the port of export and that port is secure, on a C-TPAT carrier, to a C-TPAT U.S. port using C-TPAT broker/forwarder... Submit the referenced documents to the vendors/manufacturers. Have them identify the controls in place. Incorporate the controls into the Site Procedures. The goal is a secure manufacturer who practices or puts into practice the suggestions of TD 72-56 and C-TPAT recommendations. It is imperative that a sound site plan be included in the C-TPAT manual for each domestic & foreign location, in particular your site(s) and the manufacturer/seller/vendor site. Other parties should be covered under their C-TPAT certification. ACME SITE PLAN 1234 any street Anytown, NC 27101 Contact name xxxx tel #

email address

THIS IS A DESCRIPTION Plan - USE AS ILLUSTRATION WITHOUT LIMITATIONS-Expand - DESCRIBE ACCURATELY & FULLY Office area - _____square feet

Warehouse adjacent/separate _________square feet

Visitor access is through receptionist. (describe access as illustrated) Building is secured by locks and alarm system (identify security status) Physical Security All cargo handling and storage facilities provide a physical barrier against unauthorized access to cargo. The facility is a covered structure with walls, and apertures, which can be securely closed and locked. Access to cargo is fenced. (description illustrated)

73


1. To prevent unauthorized persons and vehicles from entering cargo storage and handling areas. 2. Personnel are located in the cargo/storage area. Unauthorized parties are easily seen.

Buildings All buildings used to house cargo and associated support buildings are constructed of materials, which resist unlawful entry. Security protection is provided for all doors and windows. 1. All exterior doors and windows are equipped with locks. 2. All windows are secured. 3. Shipping documents area is secure. 4. All delivery and receiving doors are constructed of steel or other material that will prevent or deter unlawful entry. They are also under personnel supervision.

5. Building is equipped with an intrusion detection or alarm system. 6. Inspections are made to insure particularly that there are no avenues for surreptitious entry through floors, roofs, or adjacent buildings. FENCING The cargo receiving/shipping area does have a fence. The gate is kept locked to control access. Gate There is only one gate; It is kept locked. see fencing (T.D. 72-56 based). Parking Back TOC10 General Standard Private passenger vehicles should be prohibited from parking in cargo areas or immediately adjacent to cargo storage buildings. Access to employee parking areas should be subject to security controls. Recommended Specifications: 1. Locate parking areas outside of fenced operational areas, or at least a substantial distance from cargo handling and storage areas or buildings and support buildings. 2. Number of personnel does not require specific supervision. Ordinary work situation addresses controls. (describe your company situation to address security in this area) 3. Parking lot is visible from office. Number of employees allows adequate supervision. 4. Visitor parking spaces are identified. Access to building is through receptionist. LIGHTING Adequate lighting is provided for the following areas: 1. Entrances, exits and around gates. 2. Cargo areas, including container, trailer, aircraft and rail-car holding areas. 3. Along fence lines and string pieces. 4. Parking areas. LOCKS, LOCKING DEVICES, AND KEYS General Standard Locks or locking devices used on buildings, gates and equipment are constructed to provide positive protection against unauthorized entry. Issuance of all locks and keys is controlled by management. (Identify responsible person /department) PROCEDURAL SECURITY STANDARDS Personnel Screening Employment screening of prospective employees is performed. 1. Require all personnel, including maintenance and clerical personnel, who will have access to cargo are to submit a detailed employment application which contains a photograph of the applicant and lists his residences and prior employment for the preceding 10 years. 2. Screen all such employment applicants for: (a) verification of address and prior employment (b) credit record and (c) if possible, criminal record CARGO QUANTITY CONTROLS General Standard

74


Cargo should be tallied at time of delivery to the consignee or his agent. In the event of any discrepancies at time of delivery. a U.S. Customs From 5931 or a duplicate copy of the amended cargo manifest must be completed and submitted to Customs by the carrier or his agent.* *(All international carriers are required by Customs regulation to make discrepancy reports [19 CFR 4.12(b), 6.7(b). 158, 18.2(b), 18.6(b), (c), 123.9]). Recommended Specifications 1. To facilitate accurate delivery of cargo, terminal operators should maintain and continuously up-date a location chart or list of all cargo received. 2. Segregate imported cargo, cargo for export, and domestic cargo. 3. Carriers should arrange procedures with each terminal operator to insure that all overages and shortages are reported to Customs. DELIVERY PROCEDURES 1.Require the company name of all onward carriers

to be clearly shown on all equipment. Do not accept temporary placards or cardboard signs as proper identification of equipment. Require carriers using leased equipment to submit the lease agreement for inspection and note the leasing company's name on the delivery order. 2. Check Seal number on containers and trailers against number on shipping documents. 3. If a violation/discrepancy is detected, identify the reporting procedures. CONTAINERIZED SHIPMENTS & SEALS Back TOC10 1. All imported containers are sealed. 2. Inspect seals whenever a sealed containerized shipment enters or leaves a facility. If the seals are not intact or there is evidence of tampering or the seal numbers are incorrect, notify management personnel and tally the cargo. 3. Seal all export containerized/trailer shipments leaving the facility and note the seal number on the shipping documents. 4. Release seals to as few persons as possible. Require all persons handling seals to maintain strict control of the seals assigned and store them in a secure place. 5. Maintain a seal distribution log which indicates to whom seals have been released. 6. When appropriate (unloaded, unattended), secure containers by butting or "marrying" their door ends against each other. 7 Supply chain summary IMPORT/EXPORT SUPPLY CHAIN Active support from top management - Companies that develop best practices often have top executives who recognize the potential value that lies in their supply chains, and actively support (and fund) supply management efforts. At a minimum, CEOs and other high-ranking executives must have a full understanding of supply value, good relations with their peers at strategic supplier companies, and they must provide the corporate investment needed to develop best practices. Comment: Deep understanding of cost drivers--- Companies that have developed best practices nearly always know in detail all elements of their cost structures and take actions to drive costs lower all the time. They also continuously collect and analyze data and other information on the costs of the suppliers that comprise their supply base. Supply freight/forwarder/broker costs on annual

basis. Comment: Cooperative supplier relations- Leading companies realize that suppliers offer value that is not present in their own companies. These companies integrate strategic suppliers into programs that involve supply, such as new product development, cost reduction, and logistics operations. They also understand that suppliers must achieve profit margins sufficient for them to meet their own business plans and to invest in new technologies, facilities, equipment, and talented people. Comment: Culture of continuous improvement - Companies that have achieved best practices in procurement do not stand idle and admire their accomplish-ments. At all levels, they seek to learn from others and to continuously advance their practices and

processes. Comment: Cross-functional approach - To function at an optimum level, supply management must include not only the procurement group but other corporate functions that can add value through interacting with suppliers, such as technology, logistics, manufacturing, operations, distribution, and research and development, to name a few. The use of cross-functional teams became a common way to involve other departments in supply management over the past

75


decade, but too many companies deploy teams without first developing a sound strategy for how these teams will enhance value. Comment: Appreciation of advanced communications technology - While technology by itself will do nothing to improve procurement/supply management operations, intelligent deployment of advanced technologies within the confines of a superior supply strategy can reap great value - value that not only is untapped, but often is completely invisible to even trained procurement eyes. Far too many companies view technology use in procurement as a best practice unto itself. These companies don't truly understand that technology's value is wasted unless it is part of a sound supply strategy. Technology is a tool, not a strategy. When technology is not used correctly, it can cause a lot of damage to supply operations. Electronic order processing? (explain) Comment: An important factor in maximizing supply value is active support from top management. 1. Understand the potential value of supply to company success 2. Recruit and/or develop the best available supply management talent 3. Provide the necessary funding for supply management, even (or especially) in tough business climates 4. Show internal personnel at all levels that they are fully committed to excellence in supply management 5. Interact with their counterparts at key supplier organizations on a regular basis Common elements of a strong procurement/supply management group and a position on the strategic business team for the head of procurement are characteristic of best practices. Companies that have achieved a best practice in cost management not only measure and see clearly all costs involved with producing and delivering a product or service, they also help their suppliers do the same. Reduction of costs is found by continuously examining processes to removing redundancies and other inefficiencies, and by showing suppliers how they can remove costs from their own processes. Comments: ACME Supply Chain Organization (Summarize how your supply chain is organized.) Cover the complete process order placement through delivery. VENDOR PRE-CARRIAGE MOVEMENT

Back TOC10

OCEAN/AIR - MAIN CARRIAGE ON-CARRIAGE (inland) * As an exporter to ACME in the U.S., refer this letter to the security representative (officer) most knowledgeable about shipments to ACME . Encourage him/her to review the attached U. S. Customs supply chain security recommendations. * Ask your security representative to complete and return the attached ACME Supply Chain Security Acknowledgement to Attn: name (contact) Fax number email (address). * The person completing the ACME Security Acknowledgement should be aware that U. S. Customs could request an on-site visit to your facility to verify security procedures. Accessibility to written security procedures and evidence of periodic review of internal controls to ensure compliance will be beneficial. Adherence to C-TPAT security recommendations will help strengthen security for all supply chain members. Questions about C-TPAT may be directed to me at telephone number or by email to (address) . Further information about C-TPAT is available at the U.S. Customs website http://www.cbp.gov. I appreciate your cooperation in this important security initiative. Sincerely, Name title

76


20XX ACME Supplier Security Acknowledgement Read the attached security recommendations from U. S. Customs, then describe your company's security procedures related to exports to ACME in the U. S. by checking the appropriate block(s) below. Select the category that best describes your business with ACME in the U.S. Manufacturer Warehouse Operator Freight Forwarder Customer returning U.S. originating products, packing materials, etc. Other, specify type Back TOC10 Have you read the attached U.S. Customs security recommendations and compared them to your security program to identify changes, if needed? Yes No Comments Does your company have written security procedures at non-U.S. facilities doing business with ACME and conduct periodic reviews of internal controls to ensure security compliance? Yes No Comments Has your company been accepted by U.S. Customs as a certified member of C-TPAT, the Business Anti-Smuggling Coalition

(BASC) or other internationally-recognized security initiatives? Yes, C-TPAT Yes, BASC Yes, specify other No Comments Have you developed and communicated a process to report shipment losses or abnormalities, whether suspected or confirmed, to ACME ? Yes No Comments Identify the individual to whom questions about security of ACME shipments may be directed: Contact Name & Title Phone Company Name

77


Email Address Fax (insert Company Name) _____________________________ acknowledges ACME 's emphasis on supply chain security and recognizes the expectation that business partners share that commitment. I understand that ACME may refer security inquiries from U. S. Customs to me. NAME: _______________________________ TITLE________________________________ SIGNATURE: __________________________ DATE _______________________________

Attach necessary documents i.e. ACME security points as guide to cover with references U. S. Customs Manufacturer Security Recommendations (prior to 3/25/05) and other that will assist in obtaining useful security profile information.

78


sites for starting training to use in your plan

http://www.au.af.mil/au/awc/awcgate/navy/gmt_terrorism.pdf http://www.michigan.gov/documents/dleg_bccfs_manual_ert_tc_company_officer_161654_7.pdf 8 ACME TRAINING Each Employee is required to take the Terror training on

Back TOC10

www.ruraltraining.org/training/online you will have to register for above Continuing training updates are provided in-house from outside sources CBP and private. http://www.ukpandi.com/search/?id=4856&L=0&tx_solr%5Bq%5D=signum&search=Search

LIST ALL EMPLOYEES Internal Training See 486 Other see pg 268

YES

DATE

pages 640-

79


9 Updates/changes UPDATES & ENHANCEMENTS - Additions to Plans 1. Customs Updates: The C-TPAT company contact is responsible to stay current on C-TPAT updates posted to the Customs web-site. A log sheet is part of this section and it is required that the assigned party check the web-site monthly for Customs changes/updates to the C-TPAT program. The date of site check will be noted to the log and initials of the responsible party. 2. Third Party Actions: Third party changes will occur by outside requirements or from their initiatives. When changes are made, a synopsis of the change will be logged to the third party log sheet with date changes are made and initialed. 3. Company Changes: As changes are made by ACME , they will be noted in synopsis form with date and initials of the responsible person. Changes to any of these subjects fall under this requirement. Back TOC10 Corporate Policy Statement Memorandum of Understanding between Company Departments Memorandum of Understanding between Company and Business Partners Vendors' Confidential Questionnaires C-TPAT Site Procedures - Domestic and Foreign Organization of IMPORT/EXPORT Supply Chain Employee C-TPAT Training - Security Awareness C-TPAT Checklist Updates/Enhancement Module - Additions to Plan Internal Audit Self - Assessing Security Systems Communicating C-TPAT Guidelines The following guidelines are to be considered in updating the C-TPAT Manual TD 72-56

80


10 ACME IT SECURITY POINTS 1. Information Security Policy Document 2. Allocation of security responsibilities 3. Information security education and training 4. Reporting of security incidents 5. Virus controls 6. Business continuity planning process 7. Control of proprietary copying. 8. Safeguarding of Company records. 9. Compliance with data protection legislation Compliance with security policy. Goal of the Information Security Program The goal of the Information Security Program is to ensure that the… · Confidentiality, · Integrity and Back TOC10 · Availability Of each piece of information owned by or entrusted to ACME is protected in a manner that is consistent with… · The value attributed to it · The risk ACME can accept · The cost ACME is willing to pay (in dollars and convenience) Wherever it resides, i.e.: · On printed media (e.g., forms, reports, microfilm, microfiche, books), · On computers, · On networks, · On magnetic or optical storage media (e.g., hard drive, diskette, tape, CD), · In physical storage environments (e.g., offices, filing cabinets, drawers), · In a person’s memory, etc. Purpose of Information Security Policy The purpose of this document is to define the principles to which ACME personnel must adhere when handling information owned by or entrusted ACME in any form. The principles cover the following areas: · Defining the confidentiality, integrity and availability requirements for information used to support the ACME objectives, · Ensuring that those requirements are effectively communicated to individuals who come in contact with such information, and · Using, managing and distributing such information – in any form, electronic or physical - in a manner that is consistent with those requirements. This policy describes in general terms the Information Security Policy of ACME, which is also embodied in various policies developed by the guardians of specific information. User Responsibilities Protecting Information Wherever It Is Located Each individual who has access to information owned by or entrusted to ACME is expected to know and understand its security requirements and to take measures to protect the information in a manner that is consistent with the requirements defined by its Manager, wherever the information is located, i.e., On printed media (e.g., forms, reports, microfilm, microfiche, books), On computers, On networks (data and voice), On magnetic or optical storage media (e.g., hard drive, diskette, tape, CD), In physical storage environments (e.g., offices, filing cabinets, drawers), In a persons memory, etc. If an authorized user is not aware of the security requirements for information to which he or she has access, he or she must provide that information with maximum protection until its requirements can be ascertained. Any individual who has been given a physical key, ID card or logical identifier (e.g., computer or network account) that enables him or her to access information is responsible for all activities performed by anyone using that key or identifier. Therefore, each individual must be diligent in protecting his or her physical keys and ID cards against theft, and his or her computer and network accounts against unauthorized use. Passwords created for computer and network accounts should be difficult to guess (see “Password Policy” document for guidelines). Furthermore, passwords should never be shared or recorded and stored in a location that is easily accessible by others.

81


Stolen keys and ID cards, and computer and network accounts suspected of being compromised should be reported to the appropriate authorities immediately. The assignment of a single network or system account to a group of individuals sharing the same password is highly discouraged and may only occur in cases where there is no reasonable, technical

E-MAIL POLICY All business-related e-mail containing “confidential” or “highly confidential” information sent to recipients who are not in the ACME domain must include the following disclaimer: “This electronic communication, including any attached documents, may contain confidential and/or legally privileged information that is intended only for use by the recipient(s) named above. If you have received this communication in error, please notify the sender immediately and delete the communication and any attachments.” Discarding Information Back TOC11 Physical documents containing information that has been classified as “confidential” or “highly confidential” by their Information Guardians and/or designates must be shredded using ACME approved device or shredding facility prior to being discarded. Any computer hard drive or removable magnetic medium, such as a diskette, magnetic tape, Zip disk, etc., that has been used to hold any kind of “confidential” or “highly confidential” information must be electronically “scrubbed” using OIT-approved software prior to being discarded or being transferred to any individual or entity who is not authorized to view such information. On such media, the mere deletion of confidential data is not sufficient as deleted information is still accessible to individuals possessing any of a number of available software tools. Any non-erasable medium, such as a CD, optical disk, etc., that has been used to hold any kind of “confidential” or “highly confidential” information must be

physically destroyed before being discarded. The Operations/IT Department provides two strategies for shredding materials when the volume to be discarded requires their assistance. Information on office shredders is available from the Purchasing Department, which has equipment recommendations based on projected volume. Reporting of Security Breaches or Suspicious Activity Any member of the University staff who comes across any evidence of information being compromised or who detects any suspicious activity that could potentially expose, corrupt or destroy information must report such information to his or her immediate supervisor or to the ACME IT Security Officer. No one should take it upon himself or herself to investigate the matter further without the authorization of ACME IT Security Officer or General Counsel. ACME IT INTERNAL AUDIT PLAN 1. Is software TCSEC (Trusted Computer System Evaluation Criteria) certified? *Is it securely configured and installed? * Are audits regularly carried out? 2. Are passwords secure (easy to guess, regularly changed, use of temporary & default passwords)? your staff entering passwords on their terminals and PCs? * Are screens ever left logged on or unattended, however briefly? * Are screens automatically locked after 10 minutes idle? 3. Is your most valuable data encrypted? 4. How accessible is your equipment; * Are PCs or servers anywhere near public areas? 5. Do staff wear ID badges? * Are our computer areas physically secured? Do we check the credentials of external contractors? 6. Do we have a machine dedicated to checking against viruses?

* Can people see

7. Is waste paper binned or shredded? * Do we have procedures for disposing of waste material? 8. How do we dispose old computer equipment? * Are we sure old hard and floppy discs can't be read by someone else? * Do we have a policy for allowing old or used computer components out of the building? 9. Do we keep backup records? * Do we have a system for archiving information? * Are the archives kept in a secure environment? * Are Restores regularly tested? 10. Do we have rules about what can and cannot be sent over email and what may or may not be download from the Internet. *What procedures do we have for remote logon or support? 11. Has each employee read and signed the IT Policy Statement? Dated

Reviewer

82


11 ACME C-TPAT - Checklist (EXAMPLE) Update, Internal Audit 1. C-TPAT POLICY STATEMENT Yes_______ No______ 2.MOU - Internal Departments Yes____No______

Back TOC11

3.MOU Business Partners Yes_______ No______ 4. Confidential Questionnaire Yes______ No______ 5. U.S. & Overseas C-TPAT Site Procedures Yes_______ No______ 6. C-TPAT Improvement Plan Template Yes_______ No______ 7. Supply Chain IMPORT/EXPORT Organization Yes_______ No______ 8. Employee & Security Guard C-TPAT Training Yes_______ No______ 9. C-TPAT Checklist Yes_______

No______

10. Updates/Enhancement - Additions to Plan Yes_______ No______ 11. Internal Audits Yes_______ No______

_____________ Manager _____________ Date

Deficiencies (no): Action Taken to Correct Personal observation should be documented as a part of your internal review not just a check list. Incorporate TD 72-56 in the audit.

83


10+2", importers are required to submit the following ten data elements to U.S. Customs via the Automated Manifest System (AMS) or Automated Broker Interface (ABI). Manufacturer name and address Seller name and address Container stuffing location Consolidator name and address Buyer name and address Ship to name and address Importer of record number Consignee number Back TOC11 Country of origin of the goods Commodity Harmonized Tariff Schedule number (6 digit) see above for more details Advanced These data elements must be submitted 24 hours prior to the loading of the U.S.-bound vessel. In addition, ocean carriers will be required to submit the Vessel Stow Plan and Container Status Messages. What are events that trigger CSM? 1. Confirmation of booking 2. Arrives/departs facility 3. Gate inspection 4. Load/unload action 5. Vessel w/container departs port/arrives 5. Vessel moves between terminals 6. Stuffing/stripping container 7. Confirmation that container completed stripping or stuffing 8. Containers ordered stripped or stuffed 9. Container goes to repair (significant)

Customs developed the "10+2" Policy to enhance targeting capabilities for high-risk shipments, a requirement of the Trade Act of 2002. As stated by Customs in CBP Proposal for Advanced Trade Data Elements, "this new security filing is focused on those specific data elements that further identify the entities involved in the supply chain, [their] locations, as well as...more precise description of the commodities being shipped to the U.S." Once published, the policy will be phased in over a period of 12 months before penalties or shipment denials begin to apply. Though the new rule exclusively applies to ocean cargo, Customs plans to eventually follow suit for other modes. NOTE! (Wednesday, January 02, 2008) contacts for this news release Washington — U.S. Customs and Border Protection (CBP) has published on January 2, 2008 a Notice of Proposed Rulemaking (NPRM) requiring importers and carriers to electronically submit additional information on cargo before it is brought into the United States by vessel. The Security Filing, also known as “10+2,” is another step in the Department of Homeland Security’s (DHS) strategy to better assess and identify high-risk shipments to prevent terrorist weapons and materials from entering the United States.

8/21/13 Penalty In order to achieve the most compliance with the least disruption to the trade and to domestic port operations, CBP has been applying a measured and commonsense approach to Importer Security Filing (ISF or 10+2) enforcement. On July 9, 2013 CBP will begin full enforcement of ISF, and will start issuing liquidated damages against ISF importers and carriers for ISF non-compliance. Please visit http://www.cbp.gov/xp/cgov/trade/cargo_security/carriers/security_filing for more information and send questions to security_filing_general@cbp.dhs.gov.

84


If you actually visit the CBP website above, you will not currently find any new additional information about ISF filings. The open-ended nature of the CBP message is leaving the importing community with number of unanswered questions. 1.) Is CBP going to focus on serial offenders who regularly and consistently fail to file ISF or are they going after each and every ISF non-compliance issue? How will they handle regular importers who might happen to have a late filing once every 100 shipments? 2.) Is CBP going to focus penalties on non-filing OR are they also going to be concerned with late filing of ISF? 3.) How is CBP going to handle possible clerical errors? How is CBP going to handle ISF’s that were filed on time, but with incorrect AMS matching of bills of lading? Until these questions are answered, the importing community must assume the worst. That every possible instance of ISF non-compliance is subject to penalties. Here are some steps that I would recommend for the importing community. 1.) Importers need to make certain of who is the party responsible for making sure that the ISF is filed on time and correctly for each shipment. There could be multiple parties who maintain partial responsibility. For example, the freight forwarder may be responsible for getting ISF information to the importer in a timely and correct manner. The importer may be responsible for sending this information to the Customs Broker. 2.) The importing community must make sure they keep records of just when the ISF information are sent over to the party responsible for the ISF filing. 3.) The importing community must make sure that the ISF information they receive is accurate. The #1 leading cause of ISF discrepancy that we see is a bad/incorrect AMS bill of lading number. When we receive an AMS bill of lading number that is not on file, there are two possible reasons that the number is not on file: · Either the bill of lading number is incorrect (bad or missing number). OR · The AMS filer (carrier or NVOCC) has not yet filed the bill of lading with AMS. Whenever the ISF filer received a “bill not on file” message, the filer cannot assume that the bill of lading number they used was either correct or incorrect. It is entirely possible that they used the correct number, but the AMS filer just hasn’t completed their AMS filing yet. The ISF filing party must double-check with whomever gave them the ISF information to make sure that the number is accurate and be vigilant about each ISF filing until they receive the “bill on file” message. Customs may have intentionally left their message vague and open-ended in order to reserve the right to penalize for any ISF non-compliance. Based on the number of messages and phone calls I have received from the importing community about this issue, I would hope that Customs will soon send out a follow up message clarifying how they intend to penalize importers.

The following ten (10) data elements are selected because of their probative value and because of their ready availability in current logistics processes. (See Annex A for proposed definitions of the data elements.) 1. Manufacturer name and address Back TOC11 2. Seller name and address 3. Container stuffing location 4. Consolidator name and address 5. Buyer name and address 6. Ship to name and address 7. Importer of record number 8. Consignee number 9. Country of origin of the goods 10. Commodity Harmonized Tariff Schedule number (6 digit) B. In addition to the data elements outlined above, CBP will require ocean carriers to provide two additional data sets to complete the security filing: Vessel Stow Plan Container Status Messages The vessel stow plan is used to transmit information about containers loaded aboard a vessel. The CBP proposal will require the vessel stow plan, no later than, 48 hours after the departure from the last port foreign. For voyages less than 48 hours in duration, the vessel stow plan must be transmitted to CBP prior to arrival of the vessel at the first U.S. port. Vessel Stow Plan information consists of: Vessel Name (IMO number)

85


Vessel Operator Voyage number Container Operator Equipment Number Equipment size/type Stow position Hazmat-UN Code Vessel Location load/discharge ports Annex A: Proposed Data Definitions Manufacturer/Supplier Name & Address Back TOC11 Manufacturer/Producer/Grower/: Name and Address The name and address of the entity that last manufactures, produces, or grows the imported commodity. These entities produce or grow raw materials that are shipped to the United States or transform raw materials into a finished product or article that is shipped to the United States. The transformation of the raw material may involve processing into finished goods, or the production of goods to be further assembled to create a finished product, or the assembly of goods into a finished product. Name and address of the entity that last manufactures, assembles, produces, or grows the commodity; or Name and address of the supplier of the finished goods in the country from which the goods are leaving Alternatively, the name and address of the manufacturer (or supplier) that is currently required by the import laws, rules and regulations of the United States (i.e., entry procedures) may be provided (this is the information that is used to create the existing manufacturer identification (MID) number for entry purposes) A widely recognized commercially accepted identification number for this party may be provided in lieu of the name and address. CBP will accept a DUNS number in lieu of the name and address. Seller Name/ Seller Address The last named overseas (foreign) sellers/addresses on the transaction invoice/purchase order. Name and address of the last known entity by whom the goods are sold or agreed to be sold. If the goods are to be imported otherwise than in pursuance of a purchase, the name and address of the owner of the goods must be provided. The party required for this element is consistent with the information required on the invoice of imported merchandise. See: 19 CFR 141.86(a)(2). A widely recognized commercially accepted identification number for this party may be provided in lieu of the name and address. CBP will accept a DUNS number in lieu of the name and address. Buyer Name/Buyer Address The last named buyer and address 24 hours prior to foreign lading. Name and address of the last known entity to whom the goods are sold or agreed to be sold. If the goods are to be imported otherwise than in pursuance of a purchase, the name and address of the owner of the goods must be provided. The party required for this element is consistent with the information required on the invoice of imported merchandise. See: 19 CFR 141.86(a)(2). A widely recognized commercially accepted identification number for this party may be provided in lieu of the name and address. CBP will accept a DUNS number in lieu of the name and address. Ship To Name and Address The named party and the address on the transaction that will physically receive the merchandise, which may be different from the consignee (e.g. de-consolidator warehouse)

86


·

CBP is looking for the actual deliver to name/address; not the corporate address

·

If unknown, provide the name of the facility where the goods will be unladen.

· May provide a FIRMS code of a warehouse or terminal if the specific ship to name/address is unknown at the time of the filing. For example, a container freight station is acceptable. · May provide the name and address of an in-land distribution center if the specific ship to name/address is unknown at the time of the ISF filing. · A widely recognized commercially accepted identification number for this party may be provided in lieu of the name and address. CBP will accept a DUNS number in lieu of the name and address. source http://www.cbp.gov/sites/default/files/documents/10%2B2%20presentation.pdf Container Stuffing Location The physical foreign location street, city, country,) where the goods were stuffed into the container prior to the closing of the container. Consolidator Name and Address (if applicable) Back TOC11 Foreign receiving party that physically stuffs the container prior to receipt by carrier for shipment to the US. The consolidators address identifies the physical location of cargo, which may differ from the usual manufacturer or shipper premises. Typically, this is a fixed location. Importer (of Record Number) The unique identifying number of the entity primarily responsible for the payment of any duties on the merchandise, or an authorized agent acting on his behalf. The importer may be any one of the parties noted below: • The consignee • The importer of record • The actual owner of the merchandise • The transferee of the merchandise For any of the above named parties, the unique identifying number can be the IRS, EIN, SSN, or the CBP assigned number, is required on the Security Filing. http://www.cbp.gov/linkhandler/cgov/import/carriers/adv_data_elements.ctt/adv_data_elements.doc Consignee (Number) The unique identifying number of the entity to which the goods are to be consigned. Typically, the consignee is the deliver to party at the end of the supply chain who has a fiduciary interest in the cargo. This is normally the party defined at the house bill level. For of the above named party, the unique identifying number can be the IRS, EIN, SSN, or the CBP assigned number, is required on the Security Filing. Internal Revenue Service (IRS) number, Employer Identification Number (EIN), Social Security Number (SSN), or CBP assigned number of the individual(s) or firm(s) in the United States on whose account the merchandise is shipped. This element is the same as the “consignee number” on CBP Form 3461. Country of Origin The country of origin of a good is the country in which the good is wholly obtained or produced, as defined in CFR 19 102.11, Subpart B Rules of Origin. Country of manufacture, production, or growth of the article, based upon the import laws, rules and regulations of the United States. This element is the same as the “country of origin” on CBP Form 3461 Commodity 6-Digit HTS Indicates the initial classification required of a shipment prior to entry being filed. Provides specific HTS identification of the commodity being ordered from the purchase order. Alternatively, the filer may choose to provide the HTSUS number to the 10-digit level. source http://www.cbp.gov/sites/default/files/documents/10%2B2%20presentation.pdf

87


Current Required Manifest Data Security Filing Data (10 + 2) Entry Data Bill of Lading Number Manufacturer/Shipper name/address Entry Number/Type Foreign Port prior to Depart to U.S. Seller name/address Entry Port/Entry Carrier SCAC Container Stuffing Location Filer Code Carrier Assigned Voyage Number Buyer name/address Importer of Record Date of Arrival at First U.S. Port Ship to name/address Ultimate Consignee APPENDIX IV U.S. Port of Unlading Importer of Record Number Surety Number Quantity Consignee Number Filing Date & Time Unit Measure of Quantity Country of Origin Importing Carrier First Foreign Place of Receipt Commodity HTS-6 Vessel Name Commodity Description (HTS/6) Consolidator name/ address Country of Origin Commodity Weight Stow Plan Exporting Country Shipper Name Container Status Message Exporting Date Shipper Address Foreign Port Arrival Consignee Name Estimated Arrival Date Consignee Address Entry Value Vessel Name HSUSA (10) Vessel Country Manufacturer ID Vessel Number Foreign Port of Lading Hazmat Code Back TOC11 Container Numbers Seal Numbers Date of Departure from Foreign Port Time of Departure from Foreign Port Amendment(s) published November 25, 2008, in 73 FR 71779 Effective Date(s): January 26, 2009 5. Add a new section 4.7d to read as follows: § 4.7d Container status messages. (a) Container status messages required . In addition to the advance filing requirements pursuant to §§4.7 and 4.7a of this part and the vessel stow plan requirements pursuant to §4.7c of this part, for all containers destined to arrive within the limits of a port in the United States from a foreign port by vessel, the incoming carrier must submit messages regarding the status of the events as specified in paragraph (b) of this section if the carrier creates or collects a container status message (CSM) in its equipment tracking system reporting that event. CSMs must be transmitted to Customs and Border Protection (CBP) within the time prescribed in paragraph (c) of this section via a CBP-approved electronic data interchange system. There is no requirement that a carrier create or collect any CSMs under this paragraph that the carrier does not otherwise create or collect on its own and maintain in its electronic equipment tracking system. (b) Events required to be reported . The following events must be reported if the carrier creates or collects a container status message in its equipment tracking system reporting that event: (1) When the booking relating to a container which is destined to arrive within the limits of a port in the United States by vessel is confirmed; (2) When a container, which is destined to arrive within the limits of a port in the United States by vessel undergoes a terminal gate inspection; (3) When a container, which is destined to arrive within the limits of a port in the United States by vessel, arrives or departs a facility (These events take place when a container enters or exits a port, container yard, or other facility. Generally, these CSMs are referred to as “gate-in” and “gate-out” messages.); (4) When a container, which is destined to arrive within the limits of a port in the United States by vessel, is loaded on or unloaded from a conveyance (This includes vessel, feeder vessel, barge, rail and truck movements. Generally, these CSMs are referred to as “loaded on” and “unloaded from” messages); (5) When a vessel transporting a container, which is destined to arrive within the limits of a port in the United States by vessel, departs from or arrives at a port (These events are commonly referred to as “vessel departure” and “vessel arrival” notices); (6) When a container, which is destined to arrive within the limits of a port in the United States by vessel undergoes an intra-terminal movement; (7) When a container, which is destined to arrive within the limits of a port in the United States by vessel is ordered stuffed or stripped;

88


(8) When a container which is destined to arrive within the limits of a port in the United States by vessel is confirmed stuffed or stripped; and (9) When a container, which is destined to arrive within the limits of a port in the United States by vessel is stopped for heavy repair. (c) Time of transmission . For each event specified in paragraph (b) of this section that has occurred, and for which the carrier creates or collects a container status message (CSM) in its equipment tracking system reporting that event, the carrier must transmit the CSM to CBP no later than 24 hours after the CSM is entered into the equipment tracking system. Back TOC11 (d) Contents of report . The report of each event must include the following: (1) Event code being reported, as defined in the ANSI X.12 or UN EDIFACT standards; (2) Container number; (3) Date and time of the event being reported; (4) Status of the container (empty or full); (5) Location where the event took place; and (6) Vessel identification associated with the message if the container is associated with a specific vessel. (e) A carrier may transmit other container status messages in addition to those required pursuant to paragraph (b) of this section. By transmitting additional container status messages, the carrier authorizes Customs and Border Protection (CBP) to access and use those data. (f) Compliance date of this section . (1) General . Subject to paragraph (f)(2) of this section, all affected ocean carriers must comply with the requirements of this section on and after January 26, 2010. (2) Delay in compliance date of section . CBP may, at its sole discretion, delay the general compliance date set forth in paragraph (f)(1) of this section in the event that any necessary modifications to the approved electronic data interchange system are not yet in place or for any other reason. Notice of any such delay will be provided in the Federal Register.

89


Capitalize on 10 + 2 Consignees & Carriers must collect and convey necessary shipment information to CBP 24 hours prior to loading at a foreign port. This information must be furnished to allow importers to electronically submit security filing specifying 10 data elements plus two carrier requirements before cargo is permitted entry into U.S. by vessel. (required) Back TOC11 10 + 2 allows business to restructure the points of supply in their point of origination. Review supplier networks. Align upstream processes with reconsideration of of offshore business models. 24 hour rule requires shippers and consignees to be more diligent in cut off times. Better processes are warranted by demurrage charges, penalties, and costly shipping delays. Better capture of demand signals with linkage to suppliers and accountability are very important. 10 + 2 information requires information speed to avoid delays in your chain. There are 3rd party companies that offer electronic 10 + 2 solutions which merge , manage and convey proprietary information quickly and securely. This data empowers shippers and consignees to drive the supply chain process. 10 + 2 is communication. With technology processes in place, you have better connectivity with supply chain partners. Find new synergies, drive greater transparencies and better partnerships. While there will be up front investment costs, meeting 10 + 2 requirements in the most effective manner will result in improvements. These can be supply chain speed, visibility*, and capacity utilization. Results can affect competitive advantage in speeding inventory cycles**, reducing static inventory, & transporting *** product to market. * Visibility requires open line of communication among involved parties. Trusting partners, investing in technology and set your performance requirements. Know your customers and their stakes. Make sure they know the effects of changes and what is required . ID cost savings and business process improvements. Visibility is understanding what is happening at each point in the supply chain from sub-process to sub-process. Software allows you to evaluate partners performance. You might shift some work to the partner and use the information to schedule your workforce needs. Data can assist in evaluating vendors' performance and provide info to pressure for better results. Have them track their performance and make improvements. Information tools providing information (immediate) allow fast response to situations as well as subsequent analysis for cost reduction. **A good inventory policy states the threshold for any class of inventory. A good software tool can provide visibility when that threshold is crossed. Risky inventory can be identified and policy implemented to adjust. Result of quick action from good evaluation tools likely will result in recovery of costs before major erosion. *** One 3PL (Ryder Supply Chain Solutions offers a program that audits, manages carriers and provides some transportation services through a dedicated fleet. Most important the information can be used to evaluate options that have shown a savings through changes to transportation.

90


10 + 2 FORM

Date this form is filled - up : _______________

Container Nbr : _____________________

MB/L# _________________________MB/L SCAC:___________________(SCAC CODE) __________ HB/L# _________________________HB/L SCAC : ________________________ Name of Vessel :_______________________Voyage No. : ________________ ETD : ______________ ETA : _________________ * Back TOC11 1 Manufacturer (or Supplier) Name ____________________________________________ Manufacturer (or Supplier) Address ____________________________________________ 2 Seller Name ____________________________________ Seller Address____________________________________ 3 Buyer Name_____________________________________ Buyer Address_____________________________________ 4 Ship to Name____________________________________ Ship to Address____________________________________ 5 Container Stuffing Location__________________________________ Name & Address ____________________________________________ I0o 6 Consolidator(Stuffer) Name ________________________________________ Consolidator(Stuffer) Address ________________________________________ 7 Commodity HTSUS No. or Description _________________________ of Commodity/Merchandise _____________________________________ 8 Country of Origin ________________________________________ I certify that the above information is true and correct and verified by me. Signature of Authorized Representative: __________________________________ Note : SCAC Code - This is the four-letter code used to identify the shipping lines issuing the Bill of Lading *- ETD - Estimated Time Departure of Vessel from Port of Loading *- ETA - Estimated Time Arrival of Vessel at first U.S. Port of Discharge **** Please see page 2 for Explanatory Notes and ISF LIQUIDATED DAMAGES for "Failure to File", "Untimely Filing", "Incomplete or Inaccurate ISF", "Filing an Inaccurate Update", "Failing to Withdraw an ISF". <*> ISF is submitted to U.S. Customs by electronic filing.

91


10 + 2 FORM 10+2 ISF (Importer Security Filing - for "Containerized Shipments" Page 2 Notice : The ISF is required for containerized shipments of goods to be imported into the United States. Violations will be subject to liquidated damages defined by U.S. Customs as follows : Violation Consequences Failure to file complete, CBP shall withhold release of transfer of cargo until ISF received. accurate, and timely ISF CBP may limit permit to unlade so that cargo is not un-laden and may seize cargo that has been un-laden without permission. Filing an incomplete ) or inaccurate ISF ) Assess liquidated damages against the ISF Importer for Filing an untimely ISF ) $5,000.00 per violation; up to 2 violations may be assessed. Filing an inaccurate ) update ) Failing to withdraw an ISF Back TOC11 ISF ) Note : The ISF is filed for shipments consisting of goods intended to be entered into the United States and goods intended to be delivered to a Foreign Trade Zone. Although Customs flyers on the ISF filing requirement says : Eight Data Elements must be provided to U.S. Customs no later than 24 hours before the cargo is laden aboard a vessel destined to the United States, and Two additional Data Elements, the Container Stuffing Location, and Consolidator, are to be submitted to U.S. Customs as early as possible, but no later than 24 hours prior to the ship's arrival at a US port, 14 Data Elements as listed below and as required in the ISF Compliance Form be submitted to filer at least 48 HOURS PRIOR TO LOADING OF YOUR SHIPMENT AT THE PORT OF ORGIN OR PORT OF LOADING. Need all the 14 Data Elements at least 48 HOURS PRIOR TO LOADING IN ORDER TO AVOID CUSTOMS SANCTIONS FOR "UNTIMELY FILING OF ISF". Set your time guidelines * Seller * Buyer * Importer of Record * Consignee number(s) * Manufacturer (or Supplier) * Ship to party * Country or Origin * Commodity Harmonized Tariff Schedule of the United States (HTSUS) number * MB/L number (Master Ocean Bill of Lading Number) - this will identify on what vessel your containerized shipment is loaded; * Name of Vessel and Voyage Number - this will confirm the MB/L number; * SCAC (This is the Vessel SCAC - the 1st four letters of the M/BL number - this will identify the steamship lines; * AMS HB/L number (AMS stands for Automated Manifest System [reported to U.S. Customs]. You will need this if you are a co-loader in the container holding your shipment. Your co-load shipment will be identified thru this AMS HB/L and your shipment will be considered as timely reported to U.S. Customs and complied with the ISF requirement. * Container stuffing location; and * Consolidator filled-up and completed and within 48 HOURS PRIOR TO LOADING AT PORT OF LOADING OR ORIGIN.

92


ISF problemsâ&#x20AC;Śaddress

Bill of Lading errors carrier record vs House Bill NVOCC HTS filed ISF vs entry HTS errors ISF never filed ISF filed after loading = late filing Back TOC11 ISF missing required fields or info provided not accurate ISF does not match to automated manifest system (usually misrepresentation of BOL number CBP Enforcement Options Do not load order Intensive exam required (x-ray) Withhold release of cargo Monetary fines Steps to take

Need to review process Make sure filings are timely and accurate

93


Seal Procedures draft posted CBP website as of 11/17/17 Below is a listing of seal procedures for various types of companies involved in different links and activities within the supply chain. Note many of these items are above and beyond the minimum security criteria, and some have been previously identified as Best Practices. Included are seal requirements for companies that are not eligible to be direct Partners of the C-TPAT Program, such as domestic highway carriers in the U.S. and other countries. This information is included as part of the minimum security criteria for importers and others is to ensure all business partners and links in the supply adhere to the minimum security criteria. 1. U.S. Importers–Point of Sealing Back TOC11 • Seals must be compliant with ISO 17712 standards for high security seals. • Documentation regarding the compliance standard must be maintained on file for verification. • Upon receipt of seals, an inventory must be conducted and the seals must be logged in a seal log. • Seal inventories must be conducted at least once per year during the internal audit. • Seals must be assigned to a designated employee/ department and stored in a secured storage container. • Upon issuance of seals, the seal log should be updated with the seal usage information. • A designated person who has received seal security training must affix the seal to the loaded container/trailer, 1) witnessed by another person to ensure it has been properly affixed and 2) using CBP’s View, Verify, Twist, and Tug (VVTT) method to ensure the seal is the correct seal number, un-compromised, and properly affixed to the loaded container/trailer. • Compromised seals and/or containers must be reported to CBP or the appropriate foreign authority. 2. Manufacturers–Point of Sealing • Seals must be compliant with ISO 17712 standards for high security seals. • Documentation regarding the compliance standard must be maintained on file for verification. • Upon receipt of seals, an inventory must be conducted and the seals must be logged in a seal log book. • Seal inventories must be conducted at least once per year during the internal audit. • Seals must be assigned to a designated employee/ department and stored in a secured storage container. • Upon issuance of seals, the seal log should be updated with the seal usage information. • A designated person who has received seal security training must affix the seal to the loaded container/trailer, 1) witnessed by another person to ensure it has been properly affixed and 2) using CBP’s View, Verify, Twist, and Tug (VVTT) method to ensure the seal is the correct seal number, un-compromised, and properly affixed to the loaded container/trailer. • Compromised seals and/or containers must be reported to CBP or the appropriate foreign authority. 3. Exporters – Point of Sealing • Seals must be compliant with ISO 17712 standards for high security seals. • Documentation regarding the compliance standard must be maintained on file for verification. • Upon receipt of seals, an inventory must be conducted and the seals must be logged in a seal log book. • Seal inventories must be conducted at least once per year during the internal audit. • Seals must be assigned to a designated employee/ department and stored in a secured storage container. • Upon issuance of seals, the seal log should be updated with the seal usage information. • A designated person who has received seal security training must affix the seal to the loaded container/trailer, 1) witnessed by another person to ensure it has been properly affixed and 2) using CBP’s View, Verify, Twist, and Tug (VVTT) method to ensure the seal is the correct seal number, un-compromised, and properly affixed to the loaded container/trailer. • Compromised seals and/or containers must be reported to CBP or the appropriate foreign authority. 4. U.S. Importers – Point of Receipt • Prior to cutting the seal on inbound shipments, CBP’s View, Verify, Twist, and Tug (VVTT) method must be used, with a witness, to ensure the seal is 1) the correct seal number, 2) un-compromised, and 3) properly affixed to the loaded container/trailer. • Cut seals must be disposed of in a separate container, the contents of which are inaccessible, and must be delivered to or picked up by a recycling company on a regular basis to ensure proper destruction. • Cut seals must be destroyed on - site, if possible. 5. Consolidators handling inbound for U.S. importers –Point of Receipt • Prior to cutting the seal on inbound shipments, CBP’s View, Verify, Twist, and Tug (VVTT) method must be used, with a witness, to ensure that the seal is 1) the correct seal number, 2) un-compromised, and 3) properly affixed to the loaded container/trailer. • Cut seals must be disposed of in a separate container, the contents of which are inaccessible, and must be delivered to or picked up by a recycling company on a regular basis to ensure proper destruction. • Cut seals must be destroyed on-site, if possible. 6. Consolidators receiving from U.S. exporters – Point of Receipt • Prior to cutting the seal on inbound shipments, CBP’s View, Verify, Twist, and Tug (VVTT) method must be used, with a witness, to ensure the seal is 1) the correct seal number, 2) un-compromised, and 3) properly affixed to the loaded container/trailer.

94


• Cut seals must be disposed of in a separate container, the contents of which are inaccessible, and must be delivered to or picked up by a recycling company on a regular basis to ensure proper destruction. • Cut seals must be destroyed on - site, if possible. 7. Importers who do not physically handle seals • All partners who, at any point have any contact with a seal (attach, remove, in-transit etc.) must have written seal policies describing requirements to ensure seal integrity, proper usage, verification of numbers, reporting tampering/theft, and disposal or destruction. Back TOC12 8. Cross-border highway carriers • Carriers must verify the seal number and location of the seal is the same as stated by the shipper on the shipping documents. • Carriers must verify the seal is intact, and if it exhibits evidence of tampering along the route, note and report in writing to interested parties within the supply chain as well as to proper authorities. • Carriers must properly document the original and second seal numbers (if a second seal is needed). • If a seal is removed in-transit to the border 1) a second seal must be placed on the trailer, 2) the seal change must be documented, 3) the driver must immediately notify the dispatcher that the seal was broken, by whom, and the number of the second seal, and 4) the driver must make immediate notification to the shipper, the customs broker, and/or the importer of the placement of the second seal. • If a seal is removed or tampered with in -transit, the driver must report it to CBP or the appropriate foreign authority, depending on where the compromise occurred. 9. Domestic highway carriers (within either U.S. or another country) (manufacturer or exporter to point of export) • Carriers must verify the seal number and location of the seal is the same as stated by the shipper on the shipping documents. • Carriers must verify the seal is intact, and if it exhibits evidence of tampering along the route, note and report to interested parties within the supply chain as well as to proper authorities. • Carriers must properly document the original and second seal numbers (if a second seal is needed). • If a seal is removed in-transit to the border 1) a second seal must be placed on the trailer, 2) the seal change must be documented, 3) the driver must immediately notify the dispatcher that the seal was broken, by whom, and the number of the second seal, and 4) the driver must make immediate notification to the shipper, the customs broker, and/or the importer of the placement of the second seal. • If a seal is removed or tampered with in-transit, the driver must report it to CBP or the foreign authority, depending on where the compromise occurred. 10. Domestic highway carriers (within either U.S. or another country) (location of import to point of receipt/seal cutting) • Carriers must verify the seal number and location of the seal is the same as stated by the shipper on the shipping documents. • Carriers must verify the seal is intact, and if it exhibits evidence of tampering along the route, note and report to interested parties within the supply chain as well as to proper authorities. RECEIVING EXAMINATION: If potential loss or signs of tampering: All parts of seal are to be retained Give special attention to container doors, whether there are any different shaped rivit heads or signs of repainting Any irregularity should be noted, with consideration to a surveyor's examination. If a container is correctly packed/stuffed and doors secured, there are only three ways that an unlawful entry can be made. Removal of a section of container's body Interference to seal or seal on door of container Interference to the container doors. The weakest link is the pivot rivet connecting the door handle to the handle hub, the rivet to the swivel bracket and the rivets on the door hinges

95


IMPORTANCE of THIS PART TD 72-56 deals with smuggling. It applies to anti-terrorism C-TPAT. Follow the procedures here to deal with suspicious introduction of terror related materials and theft reduction in supply chain. Content shows you how to guard against tampering and to have an effective program. TOC this part Receiving Purpose 700 Container Door Markings illustrated 702 - 707 Basic Guidelines for Receiving Shipment 708 Designate a Person Designate Receiving Area Carton Count 709 Damage Sign Freight Bill and associated steps 710

Back TOC12

RECEIVING Purpose of controls Procedural Security ( What is the first package as an importer you will most likely see from security viewpoint? CONTAINER (shipping container is answer) Primarily your first exam will be the door area. What will you look for? ANY evidence that there has been tampering. ALSO check container numbers Secure shipping will prevent the introduction of terror devices. (Verifying and Disposing of Seals: Seal numbers are verified at the distribution center by writing the number of the actual seal next to the seal number listed on the shipping documentation. This procedure provides a written record that the actual seal was checked and verified against the seal number listed on the shipping documentation. The shipping supervisor must be present to verify the seal before it is broken. He/she gathers and secures broken seals to prevent their misuse. http://www.normanjaspanassociates.com/c-tpat-resource-center/joining-c-tpat/container-seal-regulation/ below In the event that there is a problem with the shipment, CBP will want to inspect the seal. Therefore, CBP highly recommends that cut/removed seals be saved, along with the corresponding paperwork, for 6 months.) Seal should be intact at receipt. When removed, it should be controlled until all is verified then securely disposed. Seal security is important even after removed (prevent seal from falling into criminal use) address high security seal that meets or exceed the current PAS ISO 17712 standards for high security seals must be utilized. see pg 726 VVTT TRAILER Seals for specific procedures. A thorough examination should be made of the container doors and its locking mechanism. Signs of replaced bolts, rivets damage marks or repainted areas should be recorded &, if possible, photo. The use of a digital camera or a mobile phone (camera) is recommended. Conveyance security is paramount. Prevent unauthorized access. A quick means of verifying if it is a rogue container is to check the CSC plate or the right side door base corner fitting, where the correct container reference number should be engraved. Procedures should also exist for recognizing and reporting compromised seals and/or containers to US Customs and Border Protection or the appropriate foreign authority consistent with the seal anomaly reporting requirements once promulgated and mandated by the U.S. government.

96


AMFU consists of 6 arabic numeric digita assigned by owner Back TOC12

or operator, uniquely identifying the container within that owner/operator's fleet. 856420 is on plate AMFU 856420 6 is check digit

97


Match number to plate - check digit and number shown below

^ 45G1 = above and on container door. GP = General Purpose Back TOC12 The codes are compiled of the following elements: ¡ First character, representing the length (coded) ¡ Second character, representing the width and height (coded) ¡ Third and fourth character indicating the type of the container Plate Identification Number below from page 704

check digit 6

98


Basic guidelines for receiving all shipments. 1. Designate a person (alternate when needed) to receive all shipments. One person in your building must be identified as the one who will be responsible for checking in all shipments. This would preferably be the "your designation" ____________, and/or the requisition or finance clerk. One should serve as back up for the other. In any case, there must be someone to cover all hours when the building is available to accept shipments. 2. Designate a formal receiving area. Set aside one specific area where all shipments must be delivered. Importer receiving check 4 page 94 proceduresâ&#x20AC;Ś. two goals * it will provide for all shipments to be sent to one location so that the designated receiving person(s) will know when a shipment arrives. * all personnel will be aware that while merchandise is in that receiving area, nothing is to be tampered with until it has been accounted for properly. * designated formal receiving area must be as close to a convenient entrance as possible. Check marks Purchasing should have required specified marks to be placed on cartons (ie. diamond with diagonal line). Purpose to offer security to shipment. Security check of mark to ascertain valid cartons from vendor. Carton Label Markings P.O. Policy It is the vendor's responsibility to ensure each and every carton is marked clearly with the proper markings as specified in purchase order by carton label or markings. see example below

Preferred PO location Back TOC12 3. Accurate carton count When any delivery is made, the designated receiving person(s) must go to the receiving area and make a carton count to insure that all of the packages are there. Any shortage or overage is discovered, note the discrepancy on the carriers delivery receipt and have the driver note the discrepancy on all the copies. Both parties should then sign the receipt as noted and one should be retained as your copy. Allowance in duties for short shipped, lost or stolen is covered in Customs Regulations 158.3. 4. Check for damage & weights A. Visible damage After verifying the carton count, visually inspect the cartons looking for indications of visible damage. If a carton appears that the contents may be damaged, insist that the carton be opened at that time and make an inspection of the contents. If there are any signs of apparent damage, make a notation of the damage on the freight bill. The receiving person

and the driver should both sign the freight bill after all notations have been made, and a copy retained. If no signs of damage are apparent, sign the freight bill that the shipment has been received in apparent good order. B. Concealed damage Once the packages have been opened and concealed damage has been detected, see step 6 for details. 5. Sign the freight bill with the necessary notation (damaged, missing cartons(s) or any discrepancies). IMPORTANT When the person receiving the shipment signs the freight bill, he/she is, in effect, accepting the shipment as stated on the freight bill. If damage is apparent and it is not noted on the freight bill, the right to have a valid claim to compensation for the damage has been signed away! The driver should not be given a clean delivery receipt if there is any indication of damage. Make notation of all overages, shortages or visible damage on the Freight Bill and sign. 6. Filing a claim for overages, shortages, visible and concealed damages. When filing a claim becomes necessary, the following steps should be implemented:

99


A. Note all exceptions on the delivery receipt. It is important to identify on the delivery receipt all indications of damages, overages or shortages. For overages and shortages, the notation is made on the delivery receipt and will serve as your proof of your claim. B. Open all cartons immediately after taking receipt of the merchandise. Once the merchandise is in your possession, you must immediately check all of the contents to detect concealed damage and to verify quantity of contents. Depending on the nature of the discrepancy, there is limited time in which to file claims (see definitions). Back TOC12 C. Set all damaged items aside. After inspecting all of the material it is important to set aside any damaged items. One may elect to distribute the remainder of the shipment so as not to penalize people needing the merchandise that was received in good condition. All cartons and packaging materials used in packing the carton involved in damage should be retained. This will prove beneficial in establishing responsibility for any damage. In order to make a valid claim with the vendor (or freight company), the following documents must be submitted: (a) The original Bill of Lading (b) The original paid freight bill. (c) Allowance in duties see Customs Regs 158.2, 3, 5 etc. D. Call the vendor/freight company immediately and follow their advice and direction for processing. After all of the cartons have been opened and inspected, the Freight Company should be contacted and informed that a claim will be filed. The Freight Company must be verbally notified within 10 days upon receipt of the visibly damaged shipment and 15 days for concealed damage or risk losing the right to compensation. When contacted, the company will supply a claim number, which should be used in all future correspondence concerning the claim. E. File a claim form in writing (if necessary. After verbally contacting the carrier, confirmation of the claim must be made in writing. There is a standard claim form to be used but the claim may also take the form of a letter to the Freight Company, or carrier. A copy of the confirming letter must be kept for the office file. It is a mandatory carrier regulation that reports of damage and requests for an inspection be in writing. F. Inspection of the damaged merchandise. When notified of a damaged shipment, the freight company may choose not to come out for inspection, but instead may order the merchandise picked up for inspection. G. Settle the Claim. Damaged items cannot be used or disposed of without written permission of the carrier. Do not return damaged items to the shipper because the return of such items should not be made without written authorization of the vendor. The carrier must pay, decline, or make a firm compromise settlement offer within 120 days of receipt of the claim, whenever possible. If such disposition is not possible within that time, the carrier must then, and at each succeeding 60- day interval, notify you of the reason for the delay. Do not hesitate getting the vendor involved. They can be very helpful in settling a claim, particularly in the replacement of damaged merchandise. 7. Notify Accounts Payable An electronic record of what you have received, or not received, on a specified Purchase Order should be entered. When A/P receives the invoice, they check the Receiving Screen to see what has been entered then pay the vendor accordingly.

http://www.htsol.com/Files/SeeGateInformation.pdf = source The container ID is composed of several fields, including the following fields: 1. the shipping company (e.g., â&#x20AC;&#x153;UXXâ&#x20AC;?)

100


2. the equipment category (always “U” for freight containers, "Z" or "C" for chassis) 3.serial number of the container (e.g., “423697”). 4. the check digit of the first 3 fields (e.g.,”0”) 5. the container type (e.g.,”SE4310”) Only the first 3 fields are relevant to the identification of the container, and represent a unique identification number for each shipping container. In the above case, this ID is UXXU 423687”. The shipping company field ("UXX"in the example) is verified against a pre-defined list of known companies. Additionally, the second field ("U") is always verified. The check digit is used in order to verify the entire 10-fonts identification number. If the check digit is not identified, only the 10 fonts are compared and reported. If it is recognized and tested for correctness, it will also be reported (a "0" in the above case). The container type (in the above xample,”SE4310”) is not part of the ID and is not identified or transmitted. Importance in knowing about container numbers aids in detecting evidence of tampering for either theft or terrorism purposes. From CBP - with additions by C Key Back TOC12 Seal Affixing Process: * Written procedures must stipulate how seals are to be controlled and affixed to loaded containers - to include procedures for recognizing and reporting compromised seals and/or containers to U.S. Customs and Border Protection or the appropriate foreign authority.

Seal Affixing Process: *· Only designated, authorized employees must distribute and affix container seals for integrity purposes. The fewer people who have access to seal(s), the better! * Unauthorized employees must never handle container seals

Seal Affixing Process: · At point of stuffing, procedures must be in place to properly seal and maintain the integrity of shipping containers. - All seals used must meet or exceed the current PAS/ ISO 17712 standards for high security seals. - Seals should be affixed to the right door of the container on the hasp that has the welded rivet. This practice will raise the level of security for your shipment. - After the seal is affixed to the container, an authorized employee should make sure that the seal is secure by pulling down on it.

101


Seal Affixing Process:

Seals should be affixed to the right door on the hasp that has the welded rivet. Back TOC12 Seal Affixing Process:

Make sure seal is affixed properly, then pull down on seal. RECEIVING check that seal was affixed properly by pulling down to see if lock is maintained. Seal Inspectionâ&#x20AC;Ś Seal Verification and Inspection Process: *A seal inspection process should be implemented throughout the supply chain. The V.V.T.T. Seal Inspection Process is a good example of one: V View seal & container locking mechanisms. V Verify seal number for accuracy. T Tug on seal to make sure it is affixed properly. T Twist & Turn seal to make sure it does not unscrew.

see 728-731 for more on above Seal Inspectionâ&#x20AC;Ś VERIFY Seal Verification and Inspection Process: * View seal & container locking mechanisms. Excessive damage to the seal or locking mechanisms must be reported to a Supervisor before opening the container.

102


https://www.youtube.com/watch?v=2x-S7v-5Cdk https://www.youtube.com/watch?v=Hu-rA2epsC4 https://www.youtube.com/watch?v=XjzeKodqe5Q

Seal Verification and Inspection Process: * Verify seal number for accuracy. Compare with shipping documents, and look for alterations to the seal numbers!

VERIFY

these youtube videos provide insight on proper procedures-steps Seal Verification and Inspection Process: Back TOC12 * Tug on seal to make sure it is affixed properly. Seals that come apart must be reported to a Supervisor before opening the container. Human error might cause this to happen, or the container might have contraband inside!

VERIFY SEAL & TUG Seal Inspectionâ&#x20AC;Ś Seal Verification and Inspection Process: * Twist & Turn seal to make sure it does not come off. Seals are threaded, so they can be unscrewed. These altered seals are reusable throughout the supply chain for multiple attacks!

VERIFY SEAL TWIST/TURN Container Inspectionâ&#x20AC;Ś 7-Point Container Inspection Process: 1. Outside/ Undercarriage (before entering facility) 2. Inside/ Outside doors 3. Right side 4. Left Side 5. Front Wall 6. Ceiling/Roof 7. Floor (Inside)

103


Container Inspection Form

FORM Back TOC12 Printed name of person who conducted security inspection upon arrival: ______________________ Signature: _______________ Inspection was completed: Date: ______________ Time: ______________ Printed name of person who conducted follow up security inspection: ________________________ Signature: _______________ Seal number(s) that was on container when it arrived at this facility: ___________________________________ Seal number(s) that was on container when it departed this facility: ____________________________________ Printed name of person who affixed seal(s): ________________________ Signature: ___________________ Printed name of person who verified physical integrity of seal(s): ________________________ Signature: ___________________

Is q inspection Front wall

Cleared ok ?

Abnormality Detected ?

Left side

?

?

Right side

?

?

Floor

?

?

Ceiling/Roof

?

?

Inside/outside doors

?

?

Outside/Undercarriage

?

?

104

Explain


7-Point Container Inspection 1. Undercarriage * Inspect prior to entering facility - SUPPORT Beams should be visible Back TOC12

7-Point Undercarriage

Solid plate; support beams not visible TIP ??? 7-Point Undercarriage

432 lbs cocaine could be used terrorist delivery

105


7-Point Container Inspection Outside Doors Back TOC12

Rivet Type and color; new vs old Raises suspicion tampering 7-Point Container Inspection Outside Doors

Detachable or loose bolts can permit entry 7-Point Container Inspection Inside Doors

106


Chemicals are used to make bolts look old and rusty. antiquing-flag alert 7-Point Container Inspection Inside Doors Back TOC12

Non-factory putty keeps bolts in place. Shody /> 7-Point Container Inspection Inside Doors

Solid plates should not cover standard container cavities. /> 7-Point Container Inspectionâ&#x20AC;Ś Inside Doors:

Container cavities Five container shipment/ 837 lbs. of cocaine.

107


Right/Left Sides

Example depicts finding of 1275 lbs cocaine 17 container shipment Back TOC12 Right/Left Sides

1 beam 55 lbs cocaine

108


Front Wall

Normal Block & Vent Back TOC12 Front Wall

Short distance between block & vent;wall colors are different though not clear of that in picture.

109


Front Wall

Fake Block made of cardboard Front Wall Back TOC12

Real Block behind fake wall.... Front Wall

1290 lbs marijuana found; range finder used.

110


Ceiling/Roof Back TOC12

one row of vent holes above pointing finger /> Red flag Ceiling/Roof

Blocks are not visible. /> red flag

111


Ceiling/Roof

1200 lbs cocaine found! FLOOR Back TOC12

STEP up to get inside? WHY? /> /> ANY concerns about the appearance of this container? Suspicious tips for exam of containers! fake floor

112


Floor

Messy Repairs & Welding

/>

Back TOC12

113


Floor

Welded Steel Plates />

cocaine concealed beneath

Floor Back TOC12

False Floor - compartment

/>

Container Inspection 17-Point Tractor & Trailer Inspection Process: · Procedures should be in place to verify the physical integrity of the trailer structure prior to stuffing, to include the reliability of the locking mechanisms of the doors. · Border crossing tractors & trailers should be inspected upon arrival at the domestic facility. · A 17-point Tractor & Trailer Inspection Process is recommended for all trucks and trailers arriving from foreign 17-Point Tractor & Trailer Inspection 1. Bumper 2. Engine 3. Tires (truck & trailer) 4. Floor 5. Fuel Tanks 6. Cab/ Storage Compartments 7. Air Tanks 8. Drive Shafts 9. Fifth Wheel 10. Outside/ Undercarriage 11. Floor 12. Inside/ Outside Doors 13. Side Walls 14. Ceiling/ Roof 15. Front Wall 16. Refrigerated Unit 17. Exhaust

114


Inspection techniques illustrated on previous pages.

Back TOC12

115


MANUAL POINTS 1. Whether the company has performed a meaningful risk analysis. RISK greatest risk is in pre and on carriage land carriers 2. The existence of a formal written compliance program. WRITTEN MANUAL 3. Whether appropriate senior organizational officials are responsible for overseeing the compliance program. OFFICER has clout to get program in place & operating 4. Whether adequate training is provided to employees. TRAINING (internal & external) 5. Whether the company adequately screens its customers/(suppliers-import) and transactions. Checks/screen 6. Whether the company meets record-keeping requirements. Records 7. The existence and operation of an internal system for reporting violations. Reporting 8. The existence and result of internal/external reviews or audits. Reviews & changes 9. Whether remedial activity has been taken in response to violations. Action Back TOC12

3. Worldwide Establishing Security Directors and Country Managers: Establish positions to ensure that worldwide adoption of supply chain security is a reality.These positions are responsible for risk assessments and contingency plans. Security Councils: Formulates global security guidelines, determines methods to evaluate security weaknesses, formulates action plans, and determines methods to control security procedures worldwide. Senior management at all locations is responsible to document actions they have taken to support and improve supply chain security practices.

116


http://www.cosco-usa.com/omd/security/ctpat2010/2010-Seminar-Risk-Assessment-Process.pdf https://www.cbp.gov/sites/default/files/documents/CTPAT%27s%20Five%20Step%20Risk%20Assessment%20Process.pdf Training Seminar March 2010 FROM CBP (first above pdf reference) 5-Step Risk Assessment Process Introduction In order to assist C-TPAT Partners with conducting a risk assessment of their international supply chain(s) in accordance with C-TPAT minimum security criteria, the 5 Step Risk Assessment Process is recommended. This reference guide contains some of the basic tools, resources, and examples C-TPAT partners should consider using when conducting a risk assessment on their international supply chain(s). The information contained herein is intended to serve as a guide, and is not “all inclusive” of what should be included in an international supply chain security risk assessment. security risk assessment. FIVE STEP RISK ASSESSMENT (SEE PAGE 147) 1. Mapping Cargo Flow and Identifying Business Partners (directly or indirectly contracted) 2. Conducting a Threat Assessment focusing on: Terrorism, Contraband Smuggling, Human Smuggling, Organized Crime, and conditions in a country/region which may foster such threats and rate threat High, Medium, Low 3. Conducting a Vulnerability Assessment in accordance with C-TPAT Minimum Security Criteria and rate vulnerability High, Medium, Low 4. Preparing an Action Plan 5. Documenting How Risk Assessments are Conducted It is understood that some C-TPAT members may have numerous supply chains which may present a monumental task when conducting a comprehensive security risk assessment of their international supply chains. Therefore, it is recommended for C-TPAT members to identify their “High Risk” supply chains by conducting a threat assessment at the point of origin/region and where the cargo is routed/transshipped, and then conduct a comprehensive security vulnerability assessment of those supply chains. Conversely, if supply chains involve a limited number of business partners or related business partners, their supply chain security risk assessment may not require such extensive efforts. Risk Assessment Process Definition of Terms The definition of terms below is intended as a guide when examining the roles of parties involved in the international supply chain. Instruments of International Traffic (IIT): Containers, trailers, flatbeds, unit load devices (ULDs), lift vans, cargo vans, shipping tanks, bins, skids, pallets, caul boards, cores for textile fabrics, or other specialized containers arriving (loaded or empty) in use or to be used in the shipment of merchandise in international trade. International Supply Chain Security: Encompasses securing all of the following processes from the cargos point of origin (factory/farm) until its arrival and distribution in the United States: Procurement, Production, Packing, Staging/Storing, Loading/Unloading, Transportation, and Document Preparation. International Supply Chain Security Risk Assessment: Process of identifying the security threats, vulnerabilities, and weaknesses throughout the international supply chain and prescribing corrective actions with follow-up procedures to ensure weaknesses have been mitigated. Loading/Unloading: Placing cargo in/on or taking cargo out/off of an IIT, including containers, trailers, vessels, planes etc. Mapping Cargo Flow/Parties Involved: Method of identifying all parties involved and their prospective roles in the following processes throughout the international supply chain: Procurement, Production, Packing, Staging/Storing, Loading/Unloading, and Document Preparation of cargo destined for the United States. All partners involved both directly and indirectly in exportation/movement of the goods from the point of origin to the importers distribution center must be included. Some examples of parties involved in the international flow of cargo include, but are not limited to, the following: * factories * farms

117


* suppliers * export packing facilities * buying/selling agents * trading companies * freight forwarders * non-vessel operated common carriers (NVOCCs) * inland truck/rail carriers * warehouse/consolidation/deconsolidation facilities * feeder vessels * rail depots * trailer/container yards * shipyards * local drayage companies * international air/rail/sea/truck carriers * Customs brokers. Packing: Encompasses both packing the goods for export into non-reusable containers and reusable instruments of international traffic (IIT). It includes but is not limited to placing goods in/on pallets, cartons, cardboard boxes, crates, bins, or other specialized containers. It also entails bundling, wrapping, shrink-wrapping, and other types of packaging. Procurement: Ordering products or services from business partners in the international supply chain. Raw materials that go into making the exported products are excluded from this process. These products only pertain to finished cargo/raw material that will be exported to the United States. Services include indirect procurement methods for goods shipped to the United States such as buying agents and trading companies. Production: Making, growing/harvesting, or assembling products to be exported to the United States. Risk Rating: Assigning numerical values to threats and vulnerabilities identified during a supply chain security risk assessment (e.g. 1-Low, 2-Medium, and 3-High). Staging/Storing: Placing products and/or IITs at a location of “rest” prior to or during movement to the United States. This includes any warehousing/consolidation/deconsolidation of goods and/or facilities where goods wait to be loaded onto another transit mode such as a rail depot or shipyard in the country of origin or other countries the goods may transit through on the way to the United States. Supply Chain Security Action Plan: Identifies security weaknesses and vulnerabilities found during the risk assessment process for a business partner. The plan assigns responsibility for corrective actions/mitigation strategies (internal and external), establishes deadlines/timeframes, documents evidence of actions taken, outlines processes used to verify actions have been taken, and delineates the final outcome. Transportation: Movement of cargo throughout the international supply chain. Transporting the goods for export to the United States includes any domestic legs of the goods journey in the country of origin to the Port of Export, from the Port of Export to any countries that the goods may transit through, to the US Port of Entry, and to the US domestic distribution center. C-TPAT Training Seminar March 2010 6 Security Risk Rating Each C-TPAT partner is responsible for establishing its own overall Security Risk Rating System based on its business model. It is understood that businesses use various methodologies for rating risk within their international supply chains. However, the following “Risk Ratings” are recommended when examining security threats and vulnerabilities within the international supply chain. Threat Assessment There are many “Open Sources” which provide information on threats within the international supply chain. After conducting research, it is recommended to assign a threat risk rating based on the following. 1 - Low Risk - No recent incidents/intelligence/ information 2 - Medium Risk No recent incidents/some intelligence/information on possible activity 3 - High Risk - Recent incidents and intelligence/information A Score of 3 in any of the following areas would deem the supply chain “High Risk” 1) Terrorism 2) Contraband Smuggling 3) Human Smuggling 4) Organized Crime Vulnerability Assessment One method that may be used to conduct a vulnerability assessment is sending security surveys to Business Partners who are not eligible or do not participate in the C-TPAT program. Security surveys should be based on the process

118


performed by the business partner in the international supply chain (e.g. Procurement, Production, Packing, Storage, Loading/Unloading, Transportation, and Document Preparation). Questions should ask the business partner to describe security measures used, and not only be “Yes/No” questions. The survey should address whether or not a system of checks, balances, and accountability are in place, particularly in areas of Securing Instruments of International Traffic, Tracking and Monitoring Cargo, Seal Security, and Business Partner Screening (subcontracted). The following is a recommended risk rating of vulnerabilities for C-TPAT minimum-security criteria categories: Business Partner Requirements, Securing Instruments of International Traffic, Procedural Security, Physical Security, Physical Access Controls, Personnel Security, Security and Threat Awareness Training, and Information Technology Security. 1 - Low Risk - Meets all applicable Minimum Security Criteria (Musts and Shoulds) 2 - Medium Risk - Meets all applicable “Musts” Minimum Security Criteria, but does not meet all “Shoulds” 3 - High Risk Does not meet all “Must” Minimum Security Criteria 34% For example, 1) If all “Musts” for Procedural Security were met, the risk rating for that category would be “1-Low risk.” 2) If all “Musts” were met for Procedural Security and “Shoulds” were not met, the rating would be “2-Medium Risk.” 3) If one “Must” is not met for Procedural Security, then it would be rated a “3-High Risk,” because a supply chain security measure is only as strong as its weakest link. Post Incident Analysis and Risk Rating Based on a study conducted by the C-TPAT Program in June 2009 on factors contributing to Security Breaches, the following data should be taken into consideration when conducting a Security Vulnerability Assessment. 34% Conveyance Security: Conveyances not inspected 35% Business Partner Requirements: Failure to Screen Business Partners 41% Instruments of International Traffic (containers, trailers, pallets, etc. not secured/properly inspected prior to loading 44% Seal Controls: Lack of Seal Procedures 53% Transportation Monitoring: Inadequate Transportation Monitoring 68% Security Procedures not followed (lack of checks, balances, accountability) 90% Involved “trucks” as the mode of transportation for breached cargo

RISK ASSESSMENT RESOURCE LIST* Customs & Border Protection: www.cbp.gov CIA – The World Fact Book: https://www.cia.gov/library/publications/the-world-factbook/ Information Technology Security: http://www.us-cert.gov/nav//nt01/ Federal Trade Commission – Identity Theft/Data Breach: http://www.ftc.gov/bcp/edu/microsites/idtheft/ Licensed Freight Forwarders/NVOCC/OTI/Terminal Operators: http://www.fmc.gov/ U.S. Department of State - Terrorist Threats/Country Information: http://travel.state.gov/travel/cis_pa_tw/pa/pa_1161.html Federal Motor Carrier Safety Administration – Check Carriers: http://www.fmcsa.dot.gov/safety-security/safety-security.htm Manufacturer Seal Requirements – U.S./Mexico FAST: http://www.customs.gov/xp/cgov/trade/cargo_security/ctpat/fast/us_mexico/mexico_manuf/manuf_seal_requi rements.xml Global Security Newswire is now available: http://gsn.nti.org/gsn/ 7 Signs of Terrorism: http://www.homelandresponder.org/pages/7signs.html State Dept. Overseas Security Advisory Council: www.osac.gov National Cargo Security Association: www.tncsa.org FBI Infrastructure Security: www.infragard.net International Chamber of Commerce: www.icc-ccs.org Cargo Security Alliance: www.securecargo.org U.S. Department of Commerce: www.commerce.gov International Maritime Organization: www.imo.org Department of Transportation: ASIS International: www.asisonline.org World Bank: Web.worldbank.org Transported Asset Protection Association: www.tapaonline.org

119


Business Alliance for Secure Commerce: www.wbasco.org Department of Homeland Security Crisis Management Planning: www.ready.gov Information Systems Audit and Control Association: www.isaca.org Department of Homeland Security: www.dhs.gov International Container Owners Association: www.containerownersassociation.org U.S. Postal Service: www.usps.com/communications/news/security/mailcenter Supply Chain Information Sharing and Analysis: https://secure.sc-investigate.net/SC-ISAC/ *Note: C-TPAT partners should also consult with local law enforcement when conducting threat assessments. In addition, there are many private for profit organizations who offer security risk assessment services. This list is not all inclusive and is not meant to be an endorsement of any organization or service. www.phmsa.dot.gov

http://www.cosco-usa.com/omd/security/ctpat2010/2010-Seminar-Risk-Assessment-Process.pdf Go to the above pdf for examples of risk tables and how to construct tables to evaluate your suppliers and partners in the supply chain. Find in the document attachments.

TRAINING suggestions

http://www.au.af.mil/au/awc/awcgate/navy/gmt_terrorism.pdf http://www.michigan.gov/documents/dleg_bccfs_manual_ert_tc_company_officer_161654_7.pdf

120


I APPENDIX I

C-TPAT Best Practices Catalog Addendum 2009


TABLE OF CONTENTS .

A. Introduction to Best Practices

Page 3

B. Risk Assessment

Page 5

C. Business Partner Requirements

Page 6

D. Conveyance/Container/Trailer Security

Page 8

E. Physical Access Controls

Page 12

F. Physical Security

Page 14

G. Personnel Security

Page 16

H. Security Training/Threat Awareness/ Outreach

Page 17

I. Procedural Security

Page 21

J. Information Technology (IT) Security

Page 23

2


Introduction to Best Practices

BACK

In 2006 C-TPAT published the first Best Practices Catalog in an effort to provide members with up to date information regarding highly effective cargo security practices identified while conducting validations. Since then C-TPAT has conducted more than 8000 validations and revalidations throughout the world and clearly security processes have improved and evolved over time. This supplement identifies innovative solutions developed by C-TPAT members to comply with the minimum security criteria. Best Practices are generally defined as supply chain security measures that: 1) 2) 3) 4) 5)

Exceed the C-TPAT minimum security criteria Incorporate senior management support Have written and verifiable process that govern their use Employ a system of checks and balances Have measures in place to ensure continuity

This addendum is written in a generic manner to allow for flexibility while maintaining the confidentiality of C-TPAT partners and preventing the endorsement of specific technology, services, or products. To provide context we have identified the business entity type e.g. Company, Highway Carrier, Importer, Foreign Consolidator in which the best practice was identified. Best practices listed in this addendum and the original catalog are not necessarily exclusive to the entity mentioned and are applicable to many supply chains. For example, a physical security best practice described as being performed by a foreign manufacturer may also apply to an importer. Best Practices are achieved through the effective utilization of people, processes and available technology. They incorporate a system of checks and balances, high level managerial oversight, accountability, and verification of reliability to ensure that a company’s international supply chain cannot be compromised. While many of the best practices listed in this addendum may help businesses in theft prevention and asset protection, their intended use here focuses on the prevention of weapons of mass effect, terrorists, and/or contraband from entering the international supply chain. This addendum is not exhaustive or all-inclusive of all the best practices present in the thousands of C-TPAT partners’ international supply chains. It is intended to serve as a living document which is periodically updated to reflect the best practices found during validations and revalidations. In addition, this addendum and the original Best Practices Catalog are not designed to function as a “master check list” of security practices. The C-TPAT program from its inception has taken a flexible approach to supply chain security. It is recognized that “one size does not fit all” and that customized security measures have been developed and implemented to address each partner’s risk assessment. It is also important to remember that a single best practice does not constitute an effective supply chain.

3


My thanks to all of the C-TPAT companies and their business partners who have developed new and innovative ways to secure the international supply chain through the implementation of the best practices identified in this document.

Bradd M. Skinner Director, C-TPAT/Industry Partnership Programs Office of Field Operations U.S. Customs and Border Protection

4


Risk Assessment

BACK

The Importer has adopted a computer software risk-based assessment tool. The use of this program allows the company to analyze and identify critical areas of its international supply chain that are the most likely targets for infiltration. The Importer has created an extensive “Facility Performance Manual”, which management uses to grade its suppliers supply chain security criteria. Upon completion of a security audit by management, a grade of 0-100 is assigned to the facility: “Probation”, “Authorized”, “Excellent” or “Business Partner”. If a facility’s score correlates to “Probation” status, the facility will have two weeks to provide a corrective action report and a follow-up audit will be conducted. If the follow-up audit does not result in a score correlating to “Authorized” status, the contract with the Importer will be terminated. If a facility’s score correlates to “Excellent” status, it receives a certificate from the president of the Importer and if a facility’s score corresponds to “Business Partner” status a “Business Partner Award” plaque and a $5,000 reward will be given to the facility. The Company has written processes for the selection of their business partners to include a detailed risk assessment software system called the Supplier Business Engagement Model (SBEM). This strategy focuses on managing and recognizing the supplier's products, software and services. The process includes various site visits made annually. The SBEM Model includes a six step process: • Conduct Supplier Evaluation • New Supplier Assessment, Approval and Coding • Product/Material/Component Qualification and Coding • Supply Agreement Process that includes a review board • Complex/Product/Application Approval/Functional Verification (New Product Introduction or First Piece Evaluation) • Relationship Management (On-going monitoring & verification) The Company has implemented a three tier internal audit system. A Tier One audit of the company’s security and safety procedures is conducted on a monthly basis. A Tier Two audit is conducted every two months to serve as a more comprehensive security audit of all the Company security policies and procedures. A Tier Three audit is a Company wide check on all of the Company’s security policies, process and procedures. This audit also includes all security measures used to secure the company’s international supply chain. Each tier audit is documented and executed according to the company’s standard operating procedure (SOP).

5


Business Partner Requirements

BACK

The Company’s C-TPAT liaison personnel (full-time employees dedicated to C-TPAT compliance) conduct supply chain security audits to ensure compliance of their non-C-TPAT business partners. An outside security agency hired by an Importer conducts security audits of the Foreign Manufacturer’s warehouse without advance notice. If sufficient cause exists, based on non-compliance or suspicious activity, the outside security agency has the authority to have the facility cease loading operations and prevent freight from boarding aircraft at the foreign airport. An Importer’s foreign manufacturer has created a full-time dedicated Director of Responsible Care Coordination, who is responsible for conducting and coordinating security self-assessments. The self-assessments include reviews and audits of security procedures, physical security, and security training. An Importer’s foreign manufacturer is certified as an “Authorized Exporter” by the Ministry of Finance (MOF). MOF conducts onsite inspections and verifications to ensure that the freight is secure and that the exporter is following security processes. The Importer only ships cargo through CSI ports. The Importer also only uses steamship lines that are C-TPAT certified. An Importer has created a Facility Status Tracking Log to monitor the compliance of all its North American manufacturing facilities. An “easy-to-read” spreadsheet incorporates all C-TPAT security criteria and designates risk-level (based on cargo volume and product source country) at each facility. The company’s C-TPAT task force and executive managers review the spreadsheet monthly to identify any new security threats. The Importer has developed a “Three Audit Rule”, for its foreign manufacturing companies. If a foreign manufacturer is identified as having a security violation, the company is issued a letter that identifies security discrepancies. A corrective action letter is also sent to the factory to give management the opportunity to correct the deficiency. If the deficiency is not remedied by the third visit, the Foreign Manufacturer’s contract with the Importer is terminated. The Importer has established a C-TPAT Program Management Team consisting of a dedicated internal panel of managers who direct the company’s security efforts and involvement in the C-TPAT Program. To ensure its supply chains from foreign source points are secured, the company has established and maintains numerous supply chain inspection offices in foreign countries where they conduct business.

6


The Company’s supply chain management buyers are required to screen all procurements, regardless of dollar amount, for supplier debarment or ineligible status using the Company's restricted party screening tool. This computer-based program includes the U.S. General Services Administration "List of Parties Excluded from Federal Procurement and Nonprocurement Programs" as well as other known sanctioned party lists (e.g. Terrorist List, Specially Designed Nationals, Denied Parties, etc.). When performing periodic audits of their business partners, the Importer utilizes a thirdparty security company that joins them on the site visits. The contract security company is tasked with making specific observations as they relate to the security criteria in the C-TPAT program. The third-party company submits written reports of their findings to the Importer’s senior management. Management carefully reviews all audit reports and potential security weaknesses are immediately addressed. The information contained in these reports is made available in advance to C-TPAT validation teams. The Importer’s security department distributes an operational audit report several times throughout the year. Each of the Importer’s domestic and foreign manufacturing facilities has an audit completed of their internal security processes each year. A numerical security assessment score is generated for each facility worldwide. If the score is lower then a minimum requirement, the Importer’s security department determines the facility’s security weaknesses and starts corrective actions.

7


Conveyance/Container/Trailer Security

BACK

High security seals are considered to be company property by the Importer, not an expendable item. All seals are logged into the foreign supplier’s inventory control system. The Highway Carrier’s global positioning system (GPS) is equipped with the capability to detect when the engines of the company’s vehicles have been shut off, or if the door of the conveyance has been opened. As an added security measure, the company’s security manager remotely disables the engines of all conveyances not in use between 8:00 pm and 6:00 am through the GPS system. The Importer maintains two colors of ISO/PAS 17712 seals (blue & yellow) that coincide with the ultimate consignee's relationship with the foreign manufacturing facility. Bluecolored seals, bearing the company name, are used if the shipment is consigned to another company-owned entity and yellow-colored seals are affixed to the intermodal container if it is destined for a third party such as an independent distributor. All empty containers are stored at a Foreign Manufacturer’s loading docks. The dock doors are equipped with infrared sensors to detect any unauthorized access to the container doors. In addition, all empty containers are also kept sealed at all times. An Importer’s foreign manufacturer affixes labels on export freight that bear a special code. The unique code identifies the shipments to a contracted security firm’s personnel at the foreign airport loading site. An Importer has produced a seal change form that accompanies the bill of lading and invoice for each shipment destined to the U.S. This form is written in French and English and is required to be used to document all seal changes that occur while a shipment is in transit to the U.S. The Importer requires that all arriving cargo from foreign locations is delivered by authorized Company drivers and must be scanned by company-owned radiation detectors prior to unloading. The Importer requires that all containers it uses are never used by any other company and are always sealed except during loading in Japan and unloading in the United States. The Importer requires that its Foreign Manufacturers ship service parts directly to the U.S. using C-TPAT carriers in full container loads only. No foreign consolidators are used in the loading process.

8


An Importer utilizes metal racks for shipping its products from foreign locations to the U.S. These racks are sized specifically to fit into the ocean containers. Any anomaly within the container, such as a false wall, ceiling or floor, would prohibit the metal racks from fitting within the container and would alert those loading that the container may have been altered. A Foreign Manufacturer utilizes a progress control board to monitor the status of up to 230 trucks per day. The progress control board is a simple and highly effective magnetized grid board that has color-coded magnets which show the appointment times and status of each incoming delivery for the day. There is a written procedure in place to identify/inquire if trucks are late for their appointment at the Foreign Manufacturer. The board is checked every hour and if a truck is over 30 minutes late, then the Foreign Manufacturer notifies the Highway Carrier of the discrepancy. The Importer’s containers are laden onto vessels via a private section of an internationally recognized steamship line. The steamship line is C-TPAT certified. A private berth is used in the foreign port of lading to load the Importer’s containers. The private berth is controlled by three steamship lines which are all C-TPAT certified carriers. The Importer requires that a “Declaration of Security” regarding laden cargo be signed by both the ship captain and the foreign port facility before any containers are loaded onto the vessel. This declaration certifies that containers have been inspected for anomalies. An Importer has used its leverage with shipping lines by requiring ocean carriers to provide “seaworthy” containers at all times. The Importer requests that containers dispatched from the steamship line be less than five years old. This policy enables the Importer to easily perform container inspections, since newer containers are less likely to have had repairs or modifications made to them. On inbound refrigerated containers the Importer uses in-transit temperature data sensors to ensure product quality. The data sensors are integrated into the Importer’s computer software and if a refrigerated container’s door is opened in-transit, it activates an electronic alarm. The Importer’s container storage area is enclosed by a 20 ft. concrete wall. The high walls prevent viewing inside critical cargo and handling areas by outside parties. To increase cargo security, all of the Importers shipments undergo Non-Intrusive Inspection (NII) prior to loading on a vessel in a foreign port. Radiation Portal Monitors (RPM) are used to measure nuclear and radiological levels in cargo and the Company has written procedures in place to address any anomalies.

9


The Importer requires that containers have four separate inspections conducted in the foreign country in accordance with written checklists. Each checklist contains the recommended C-TPAT seven-point inspection. The first inspection of an empty container is conducted at the vessel carrier’s yard. The empty container is sealed by an Importer’s representative immediately after the inspection and the corresponding seal number is communicated to the security center at the foreign manufacturing facility for verification upon arrival. The second inspection is conducted at the foreign manufacturing facility’s main gate by security guards. A third inspection is conducted at the facility weight scales. The final documented inspection is conducted by shipping personnel before loading begins. All checklists are maintained on file by the Foreign Manufacturer. The Importer requires that five security devices are used on each container destined for the U.S. An ISO/PAS 17712 certified cable seal, two hinge tapes, one bolt seal, and an electronic seal are used on each container destined to the U.S. The Steamship Terminal’s operational facility contains an automated container yard. Cranes are utilized to pick up each container; once the container is attached to the crane the operator pushes a button that activates the automated process. The automated system controls the stacking of the containers and these boxes are randomly assigned a spot in the 22-stack block. This feature makes it virtually impossible for an individual to know the exact location of a container. The Importer has instructed all their foreign suppliers to attach a copy of the inspection checklist conducted on the empty container/trailer to the inside of the front door to validate against the arrival condition. Orange shrink-wrap as well as tamper proof tape is used on all U.S. bound shipments. There are four employees responsible for the sealing of containers: the packing area manager, a security guard, the "lead loader" and the driver. All four sign their names next to the seal number on the manifest. The employees must use a seal verification and inspection process (view, verify, tug and twist) when affixing a seal to a container. There are signs posted at each of the loading doors with pictures and examples of the correct seal verification and inspection process. The Foreign Manufacturer uses dock locking arms for container storage. The dock locking arm anchors the container chassis against closed dock doors to prevent unauthorized access and the loaded container from being moved during while at the loading facility. A foreign manufacturer or consolidation facility must receive approval from the Importer’s overseas representative before cargo can be loaded into a container. The Importer’s representative must be present at the factory to observe the container inspection and the actual loading and sealing operations.

10


The Importer’s trailers are equipped with roof mounted motion sensors. If a trailer’s doors are opened and cargo is manipulated in any way, an alarm notification is sent to the Highway Carrier’s dispatchers and driver. The president of a Highway Carrier places playing cards in various key hiding areas within the company’s conveyances. When drivers perform the mandatory 17-point inspection, he/she must find all the hidden cards in order to use the vehicle. The Highway Carrier utilizes a laser beam to protect company trailers when stored in the yard. The laser is positioned 6 inches from the back of parked trailers. If the beam is broken an intrusion alarm is activated. The Foreign Manufacturer requires their contracted highway carriers to travel to the U.S./Mexican border in a convoy of four or five trailers at a time. The Foreign Manufacturer has also contracted a security service to follow the convoy to the border in an unmarked vehicle. The two guards in the unmarked vehicle record stops, delays and maintain communication with the Foreign Manufacturer’s dispatch team in Mexico. The unmarked vehicle is equipped with a digital video recorder, hard drive, and microphone to record the entire 18 ½ hour trip to the U.S. border. When the convoy reaches the border and clears U.S. Customs and Immigration, the unmarked vehicle returns to the manufacturer’s location and the guards prepare a trip report. All reports, including pictures and audio/video recordings are maintained on file by the Foreign Manufacturer for review. The Company has documented a seal destruction policy in its conveyance security handbook. This policy requires that all used seals be sent to a certified hazardous disposal and destruction facility. Once the seals have been destroyed, the hazardous disposal and destruction facility provides a report of the number of seals destroyed and the process of how they were destroyed. A physical seal inventory audit is also conducted on a weekly basis to ensure that all seal logs are reconciled.

11


Physical Access Controls

BACK

The Importer’s domestic manufacturing facility has multiple security stations within the building. At these locations security guards are required to challenge and ask for identification from visitors. All employees, regardless of position within the company, are required to pass through a metal detector upon entering and departing the container packing area to prevent internal conspiracies. On-site security guards collect all Company ID cards at the end of each shift. Employees are prohibited from taking their ID cards off company property. This procedure mitigates the possibility that a card will be lost and compromise facility security. This system forces the guards to match each employee with the picture on the ID card. The ID cards are kept in a secure location inside the security booth until the next workday. An Importer’s foreign manufacturer has installed an electronic swipe card/lock box system for access control where sensitive trade documents are stored. Only selected managers are given access cards to this secure room. The manager must pass through a manned security desk and swipe the access card to open the lock box which holds the manual key. If at any point an employee needs to enter a room requiring a physical key, the employee must swipe his Company ID to gain access to a secure lock box containing the designated key to the room. All visitors’ driver licenses are electronically scanned at the Importer’s facility and a computer program is used to determine authenticity. A temporary and numbered visitors badge is issued and a sign-in sheet is maintained by the Importer’s reception personnel. All visitors are given a safety and security pamphlet which lists general company safety and security rules that need to be followed while on the premises. Personnel at the Company’s reception area are provided with a hidden duress (panic) button that can be used to alert Company and community law enforcement personnel to a security threat.

12


The Importer utilizes a third-party software system to manage, design, and plan their physical key inventory. This system ensures that each in-house-produced key is unique. The system tracks all keys in circulation and assigns each authorized employee a key. The Foreign Manufacturer creates new visitor badges once it is determined that twentyfive percent of the current visitor badges have been lost or damaged.

13


Physical Security

BACK

The Importer’s domestic facility has been equipped with a feature that allows the security force to shut down vehicle exits from the facility by electronically closing gates and activating tire puncturing devices. The Importer uses unmarked security vehicles to patrol the numerous employee and visitor parking areas. The Importer’s facility is inspected three times a day by company security force personnel. The Importer uses an electronic Security Information Reporting System (SIRS) to notify the chief of security and other senior management personnel of any security breaches as soon as they are discovered. The Importer’s foreign business partner’s manufacturing facility is located on a large lake that forms part of the border between Germany and Switzerland. In addition to a physical fence, the facility perimeter is also equipped with an invisible electronic fence line that alerts the security force of a possible intruder. The perimeter fencing is also equipped with sensors that detect if the fence has been cut. A Foreign Manufacturer has installed laser sensors in remote areas of the facility. These sensors help secure those areas of the perimeter of the facility that are inaccessible to security patrols. An Importer has developed a monitoring platform that incorporates optical light beams that automatically detect the presence of an intruder who might attempt to gain access to the manufacturing facility alongside a train. Once activated, the system sets off an audible alarm at the gate and inside the security command center. The guards also have the ability to speak to the person through a loudspeaker system. The inbound receiving areas at the Importer’s manufacturing plant are kept secured by a double locking door system. The exterior door is locked once the truck and trailer enters the holding area and the interior door is then opened to permit commercial vehicles to park at a loading bay. The entire Foreign Manufacturer’s facility is enclosed by perimeter fencing equipped with infrared sensors to prevent unauthorized access. The Foreign Manufacturer’s external shipping door is assembled in such a way that opening the door requires a security guard outside and a shipping clerk inside the facility to open it. All of a Foreign Manufacturer’s security guard’s radios are equipped with a body alarm function, which can be activated by guards during an extreme emergency. When this button is depressed an alert is sent to all guards on duty and the command center. The command center has a direct hotline to the local police department. 14


The Importer’s security force has a K-9 unit onsite. The K-9 unit consists of six trained guard dogs with handlers. The guard dogs and their handlers patrol the perimeter of the facility during working hours. The Importer’s headquarters reception area has multiple glass meeting rooms that can be viewed by the security staff. The enclosed glass rooms allow the Importer’s employees to conduct business such as applicant interviews with visitors without providing further access to the facility. The Foreign Manufacturer’s cargo handling area is equipped with multiple interior infrared security alarm beams to detect unauthorized access. In addition to the general alarm contacts, the photo eye beam alarm system is activated in the warehouse after business hours and monitored by a contract security company. The Foreign Manufacturer’s property fence line is duplicated resulting in a dual fence that forms a wide security barrier. The bottom of the fence is buried one foot under ground to deter underground access to the facility. The foreign manufacturer has installed security guard view towers at each corner of the facility’s perimeter. The towers are manned at all times and allow the security staff to monitor activities inside and outside the property.

15


Personnel Security

BACK

The Importer requires that all business partners provide a monthly master list of employees and provide immediate notification when their employees are hired or terminated. This procedure ensures the only authorized business partnerâ&#x20AC;&#x2122;s employees are authorized to enter the Importerâ&#x20AC;&#x2122;s manufacturing facilities.

16


Security Training/Threat Awareness/Outreach

BACK

The Importer conducts an annual security awareness seminar (modeled on the C-TPAT Security Seminar) for its U.S-.based suppliers, customers, and other business partners. In 2008, 250 separate entities were invited to this training. The Importer’s website homepage contains a direct link to the C-TPAT security website. There are four levels of C-TPAT training offered by the Company: management and supervisors; shipping and receiving personnel; internal personnel dealing with contractors; and hourly staff. All employees receive formal and documented training on security/threat awareness. This training includes ways to improve the physical security of the facility, challenging unidentified persons on the premises, and maintaining a safe work environment. The Importer has an on-line training portal. This training portal requires unique user names and passwords. Employees are trained on the purpose of C-TPAT and C-TPAT security guidelines and criteria. All newly hired employees are given a 90-minute formal presentation on the C-TPAT program and a log is maintained for all training sessions. Managers of specific departments are sent an e-mail in the event employees have not completed mandatory training via the training web site. After a training session is completed, employees receive a written Certificate of Completion from the Company. Security employees in the Importer’s shipping and receiving areas receive additional training that must meet the standard for the local foreign government’s Department of Industry and Trade. This training includes instruction in conveyance security and incident reporting procedures, in addition to emergency response practice drills. An Importer has a continuity of operations plan in place to ensure operations in the event of a man-made or natural disaster. The plan includes mock-disaster exercises to ensure employees are well prepared and the plan is kept up-to-date as organizational changes occur. A suggestion box has been installed in the facility so that employees can make security suggestions and report anomalies to management. Monthly security reminders are sent out to all personnel via the company’s email system. The Importer has instituted a program to place C-TPAT placemats on all food service trays in the employees’ cafeteria. These placemats provide employees with up-to-date information on the C-TPAT program and the company’s role in supply chain security.

17


The Importer’s overseas manufacturing facility security staff is licensed by the foreign government. Security guards receive forty hours of general security training and an additional thirty-two hours of site-specific training that is given by the U.S. Importer’s management representatives. Guards also receive three full days of C-TPAT training and orientation. A Foreign Manufacturer’s facility displays container security inspection posters outlining the C-TPAT recommended container inspection process throughout its facility. The Importer maintains a proprietary internal television network. This network is used to relay pertinent information to employees at the Company’s U.S. facilities. The network is routinely used by management to deliver information on the C-TPAT program and supply chain security. This system is also used to reinforce classroom security training and keep employees current and up to date on Company security policies and procedures. The Importer issues security advisories to its worldwide business partners. Security issues are also sent on a daily basis to employees via e-mail, notice boards and in first line supervisor briefings. A yearly security awareness assessment, given annually to a random sample of employees, is used by an Importer’s management staff to gauge employees’ general security awareness and identify any security issues that need greater attention. An Importer regularly conducts table-top exercises to address possible security breaches in the Company’s supply chain. The Importer has implemented a “Quick Response Team” that can be deployed immediately after suspicious activity is discovered involving the movement of their product. An Importer has established a situation matrix chart to address possible incidents (i.e., incorrect seals, container tampering or unexpected cartons) in arriving cargo. The oversize easy-to-read chart is posted on the wall of each warehouse facility. The table provides possible discrepancies, and persons to notify. The Importer has a security assessment team whose function is to conduct periodic “penetration assessments” of the Company’s supply chain security procedures. Company representatives make unannounced visits to an overseas facility and see if they can gain entry. A C-TPAT based Best Practices Catalog has been developed by the Importer. A yearly site assessment of the company’s U.S. manufacturing facility is conducted to ensure that security procedures and guidelines remain consistent with the C-TPAT program security requirements and/or recommendations.

18


The Importer utilizes a variety of measures to ensure that its employees are notified of the current Department of Homeland Security threat level. The Company uses digital message boards at all building entrances, CCTV monitors, e-mail notifications, the Company web site, and a toll-free phone number to notify employees of any changes in the threat level. The Importer has instituted a “Speak Up” program, a direct communication channel to the president of the company to address security issues via a confidential written form. An Importer has two forums that allow concerned employees the opportunity to express security concerns. Company personnel can call a toll free hotline that is administered by a neutral third-party or send messages via an internet based forum. Both forums provide the same opportunity to express safety concerns, and present security issues. All of an Importer’s U.S. facilities conduct security drills and exercises that are designed to test the effectiveness of the company’s workforce to react to a security related incident. The security drills and exercises include the involvement of vendors, contractors and local, state and federal agencies, including CBP and the US Coast Guard (USCG). The drills are conducted on a quarterly basis and focus on the initiation and reporting of a security related incident. An annual company-wide security exercise, which is broader in scope than each facility’s individual exercises, is also conducted. Web-based security awareness training is available to all of a Foreign Manufacturer’s employees’ 24-hours, seven-days a week and it is offered in three languages. The training modules provide instruction on container and seal inspections, parcel and mail screening, as well as a basic overview of the C-TPAT program. The Company also displays C-TPAT awareness posters throughout the facility which are printed in several languages. Once employees have completed the C-TPAT awareness training, they are issued a button which displays the C-TPAT logo and it is worn as part of their uniform. Management offers a monetary award for exhibiting good work practices including recommendations and informing management of any security issue. Employees are penalized for not following company security guidelines. Severe violations result in disciplinary action up to and including termination. All security incidents are documented and recorded on a central database by the Importer. The database is analyzed by the Company’s security department for patterns and to determine if changes to existing security policies and/or procedures are warranted. The Importer has designated one month a year as “Security Month” to further promote security awareness among its employees. Numerous security workshops are conducted during this month and outside law enforcement authorities are invited to provide additional security information/training.

19


The Importer has established a global communication system to contact all employees and contractors remotely via tele-conferencing technology on a quarterly basis to discuss security issues and provide information on recent security threats. The process allows the security team to offer advice as to how the issues can be prevented in the future and allows all parties to share ideas and offer input as a team.

20


Procedural Security

BACK

A Foreign Manufacturer utilizes a bio-thermal intrusion alarm system to protect access to sensitive business documents. The Importer utilizes a global SAP network to generate all written orders for import and export. A specific Company policy regulates this process and requires all orders to be generated within the SAP environment. This system permits only authorized stakeholders to view relevant shipping information. Every order entered into this system is vetted against the Denied Persons list and the U.S. Office of Foreign Assets Control (OFAC) lists. An Importerâ&#x20AC;&#x2122;s foreign facility receives in excess of 15,000 mail parcels per day. The company operates its own post office which is located just outside the premises. A Global Trade System (GTS) automatically screens purchase orders for restricted parties and internationally sanctioned destination countries. The system blocks such orders until reviewed by an export sales expert for final decision. If a particular shipper delivers an unauthorized quantity or product, the system will automatically log this information in the Importerâ&#x20AC;&#x2122;s SAP program. Management personnel review this data, along with comments from various departments on a quarterly basis. Senior management uses this information when considering contract renewal with specific suppliers and/or vendors. The weekly use of an Importerâ&#x20AC;&#x2122;s Quality Audit Form insures consistent and thorough management oversight of daily operations by providing a documented means in which shipment problems can be identified and resolved. The Importer has implemented lock boxes for all sensitive documentation that has to be shredded to safeguard business information. The Foreign Manufacturer utilizes an automated loading module called the Automatic Truck Loading System (ATLS). A robotized lift-truck is mounted on a transfer platform that travels sideways, allowing it to move from various dock doors and enter trailers to deposit the loads. Once the platform has aligned with the appropriate door, the ATLS automatically measures the length and dimensions of each trailer with a laser distance meter to optimize the load pattern. If the dimension of the container being loaded is inaccurate the ATLS immediately rejects the container and stops the loading process to electronically notify management of the issue. The Importer uses the container seal number as the shipment tracking (invoice/bill of lading) number. This helps to ensure the seal number is always stated on the shipping documents and helps each partner in the supply chain to verify that the original seal is intact.

21


Seal usage (seal number/trailer number/driver/date) and seal removal information (name of removing official/badge id/date/location/second seal number) are also notated on a run sheet in a special section entitled “Seal Usage Index Card”. A run sheet is a document supplied to all drivers for each pickup/delivery, and used by the company to capture information relevant to the driver’s trip such as destination, trailer number, route used, border crossed, odometer reading, and expenses incurred. Also included on the run sheet is a C-TPAT high security inspection that consists of 17 examination points drivers are required to perform as part of their pre-trip inspection

22


Information Technology (IT) Security

BACK

The Foreign Exporter’s automated systems server room is secured by a biometric fingerprint door lock. Only IT managers are allowed access into the room. An Importer has identified a threat to its IT system data backups due to high earthquake activity and has placed the remote data backup center in a location that has a low incidence of earthquakes. The server room is in an earthquake proof building protected by a halon gas equipped fire extinguishing system. IT managers perform quarterly access rights reviews for employees. In addition, they review access rights on a monthly basis for contractors to safeguard the manufacturing facility’s electronic business data. An agreement of liability for the use of an Importer’s information systems is renewed each time a user changes a password. A retina scan is required to access the Foreign Manufacturer’s computer system. There is a secure door for access to the mainframe computer. The door will only allow one person to enter. No one can follow or “piggy back” the person entering the door, or the secondary door to the mainframe computer will not open. The Importer's employee desktop computers do not contain hard drives capable of copying company data onto a CD or disk. Employees must gain supervisory approval to copy data. The Importer has a dedicated IT office which can copy company business data once supervisory approval is obtained. This process allows the Importer to limit access to new research and development information and assist in identifying abuse of improper access, tampering or alteration of their business data. Within the Foreign Manufacturer’s production facility, each office workstation contains a photo of the employee who is assigned to that work area, allowing management to be aware of any unauthorized computer terminal usage. The Importer uses electronic password protected purchase orders with its foreign supplier. Only five company officers in the foreign supplier’s headquarters have access to the password. The Importer does not permit employee use of "blackberry" type PDA's due to the possibility of Company emails or business data being read while on the service providers computer system. The IT server room is unmarked to provide additional security to the company's business data.

23


An Importer’s employees are trained and tested in computer and facility security by being required to take a daily “e-test” on their computers. Employees must pass the “e-test” before being able to log on to the computer terminal. Upon logging into an Importer’s computer system, a security warning message is displayed and the user must accept to continue. Disciplinary action is taken against any employee violating the policy.

24


C-TPATâ&#x20AC;&#x2122;s Five Step Risk Assessment


U.S. CUSTOMS AND BORDER PROTECTION


C-TPAT’s Five Step Risk Assessment Table of Contents

back to pg 12

APPENDIX II

Introduction and Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Threat Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Action Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Recommending a Risk Assessment Process  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Documenting the Risk Assessment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1

Chapter One — Importers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Chapter Two — Brokers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 6 Chapter Three — Consolidators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 8 Chapter Four — Highway Carriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 Chapter Five — Foreign Manufacturers and U.S. Exporters . . . . . . . . . . . . . . . . 3 6


U.S. CUSTOMS AND BORDER PROTECTION


T

he Customs-Trade Partnership Against Terrorism (C-TPAT) program is one layer in U.S. Customs and Border Protection’s (CBP) multi-layered cargo enforcement strategy. Through this program, CBP works with the trade community to strengthen international supply chains and improve United States border security; in exchange, CBP affords C-TPAT Partners certain benefits, including reduced examination rates and access to the Free and Secure Trade (FAST) lanes. Launched in November 2001 with seven major importers as a direct result of the tragic events of September 11, 2001, the program now includes more than 10,700 Partner companies, and covers the gamut of the trade community to include importers; exporters; bordercrossing highway carriers; rail, air, and sea carriers; licensed U.S. Customs brokers; U.S. marine port authority/ terminal operators; U.S. freight consolidators; Mexican and Canadian manufacturers; and Mexican long‐haul highway carriers. One vitally important aspect of the minimum security criteria Partners must address to maintain the security of their shipments is a documented risk assessment process. As a voluntary public-private sector partnership program, C-TPAT recognizes that CBP can provide the highest level of cargo security only through close cooperation with the principal stakeholders of the international supply chain. Those companies that become C-TPAT Partners are expected to meet and maintain the security standards of the program. Part of that criteria is the requirement for Partners to conduct and document for C-TPAT’s review a risk assessment of their international supply chains. The risk assessment process is critically important as it allows Partners to truly understand their supply chains, where the vulnerabilities lie within those supply chains, and determine what to do in order to mitigate any risks identified. To assist Partners in creating a robust and effective Risk Assessment process, in 2010 C-TPAT published the “5 Step Risk Assessment Guide.” Much time and many world events have occurred since then that necessitate an update and enhancement to the initial guide. Not least among these changes are the creation of the C-TPAT Exporter Entity, and the signing of several additional Mutual Recognition Arrangements. C-TPAT has now signed arrangements with the customs agencies of Canada, the European Union, Japan, Jordan, New Zealand, South Korea, Taiwan, and Israel. Since its inception in 2001, the C-TPAT program has evolved dramatically. During the revalidation process and when conducting an in-depth review of security breaches, it became apparent the process of conducting a security risk assessment was not being adequately performed, often due to a lack of knowledge on the topic. An analysis of validation results for C-TPAT importers in 2013 revealed 22.6% did not have a documented Risk Assessment process that effectively addressed their international supply chains. U.S. CUSTOMS AND BORDER PROTECTION

Introduction and Concepts

INTRODUCTION AND CONCEPTS

3 3


4

INTRODUCTION AND CONCEPTS

Introduction and Concepts

The lack of a documented process generated an Action Required in the Partners’ validation reports, and those Partners that did not adequately address this Action Required were subsequently removed from the program. Most C-TPAT Partners are conducting a comprehensive domestic risk assessment of their own facilities and processes in the United States; however, many Partners are not assessing the potential threats and vulnerabilities that may exist within their international supply chain from the point of manufacture/ packing/stuffing and at each transportation link within the chain, until the cargo reaches the final point of distribution. As part of the application process to join the C-TPAT program, applicants must be able to provide a documented process of how the company assesses risk. Due to the unique nature of every Partner’s business model, the risk assessments described below are only guides, and all companies should establish a process that conforms to the needs of their business model, and not simply adopt a generic, externally provided model. C-TPAT Partners must conduct a risk assessment at least annually in order to remain in the C-TPAT program. Even small Partners are required to have a documented Risk Assessment Process. In fact, the smaller a Partner is, the easier it is to conduct a Risk Assessment. If, for example, a small highway carrier with an established business model of hauling from a single manufacturer to a single U.S. importer, and not soliciting other clients or using owner-operator truckers, desires to establish a Risk Assessment process, it should take only several hours to conduct and document an effective process. The key is that Partners are expected to implement a proactive approach and mentality to address risk in their supply chains, and not simply shrug the issue off as being out of their control. Partners should keep in mind they have an important resource to assist them in all security-related issues — their assigned C-TPAT Supply Chain Security Specialist (SCSS). Other concepts to keep in mind include that quantity does not necessarily define risk. An importer who sources 300 shipments a year from a low risk source in a politically stable country with a low risk of terrorism and smuggling should not disregard the risk of importing two shipments per year from a country that has recently had a violent turnover in government, a high corruption index, or has a current history of a low level of security. As a further example, an importer that receives 80% of its shipments from a specific manufacturer may not have a low risk supply chain if the manufacturer selects foreign ground transportation providers based solely on cost. From week to week or shipment to shipment, a manufacturer who frequently changes carriers is much higher risk than a manufacturer who always uses the same foreign trucker who is certified in an Authorized Economic Operator (AEO) program. U.S. CUSTOMS AND BORDER PROTECTION


In addition to security, there are other issues that may cause delays in the movement of goods through a company’s supply chain. Partners willing to take extra steps to reduce unexpected delays for agricultural issues are encouraged to consider expanding their risk assessments beyond security concerns. The use of wood packaging material (WPM) that is improperly treated and/or shows evidence that pests are present may result in substantial delays and additional costs incurred by the importer, i.e., possible liquidated damages, demurrage charges, costs for remedial mitigated action, and potentially even immediate re-exportation of the shipment. WPM is defined as wood or wood products (excluding paper products) used in supporting, protecting, or carrying a commodity. Some examples of WPM include, but are not limited to, bins, cases, cratings, load boards, reels, boxes, containers, drums, pallets, skids, bracing, crates, dunnage, pallet collars, etc. The supply chains with the highest risk of finding imports with non-compliant WPM are WPM Inspection metal, stone, food, and finished wood products, along with machinery, electronics, and plants. All imported shipments arriving into the United States using WPM must be properly treated under the International Standards for Phytosanitary Measures (ISPM 15). C-TPAT has partnered with CBP’s Agriculture Programs and Trade Liaison office to help Partners identify and mitigate the risks posed by the use of WPM in their supply chain(s). If your company imports, exports, or transports goods using WPM, please visit the CBP website for more information and training materials. As part of a C-TPAT Partner’s risk assessment process, C-TPAT Partners are not required to gather specific security-related procedures from business partners who have shared their certified C-TPAT or AEO status with the Partner conducting the risk assessment. The fact C-TPAT or a foreign mutually recognized customs program has validated such a Partner’s procedures as meeting the minimum security criteria is intended to save time and effort on both Partners’ security verification efforts. While conducting risk assessments, these C-TPAT or AEO certified Partners should be considered low risk, although this does not mean the risk in the partner’s involvement in the supply chain should be disregarded. It does mean the business partner is lower risk than other links in the supply chain, and should be treated accordingly.

“The key to building a successful Risk Assessment Process is to ensure it is unique to your company’s business model and practices.” U.S. CUSTOMS AND BORDER PROTECTION

Introduction and Concepts

INTRODUCTION AND CONCEPTS

5 5


6

INTRODUCTION AND CONCEPTS

Introduction and Concepts

The original “5 Step Risk Assessment” guide in 2010 was written with importers in mind, and since the initial publication many questions and suggestions regarding the other types of Partners in the C-TPAT program have been received. Thus, this guide is broken into chapters for different types of business models, though not necessarily by specific C-TPAT entity classifications. This is because some consolidators might have business models similar to importers, while other consolidators might have models similar to brokers. Third Party Logistics operators may have models similar to highway carriers or to consolidators, and exporters may have models similar to foreign manufacturers. The key to building a successful Risk Assessment Process is to ensure it is unique to your company’s business model and practices. Generic, one-size-fits-all, “cookie cutter,” externally inflicted procedures can lead to a false sense of security and an eventual breach of security. As a lead in to the discussion of risk assessments, we will first define some terminology.

Risk Assessment A Risk Assessment is analyzing external threats against company procedures to identify where vulnerabilities exist, and what procedures can be implemented or improved to reduce such risk. This may include ensuring (through process improvement, retraining, working with business partners, etc.) that issues identified through analysis and audits as being vulnerabilities are successfully addressed. This may often be something as simple as clarifying a written policy, automating a process, simplifying a form to ensure more effective use of the form, or requiring the security guard to manually hold and examine identification documents (as opposed to viewing ID as a person walks by). A Risk Assessment consists of several components, including a Threat Assessment, Cargo and Data Flow, Vulnerability Assessment, and audits of security procedures. These steps are further delineated on the following pages. A Risk Assessment should also include how security procedures would be affected by natural and manmade disasters, to include how backup systems will address these vulnerabilities. Such issues include power outages; weather events such as hurricanes; earthquakes; civil unrest; and terrorist events. Partners seeking to reduce the impact of such disasters should have documented business resumption procedures in place that are periodically tested. You will note throughout the minimum security criteria that expensive technology is not mandatory, for in the end security relies upon the human component. This is why effective personnel screening and security training are critical issues. As an example, no matter how complicated a computer password is required by an Information Technology policy, if employees practice habits such as writing their passwords on sticky notes or “concealing” them underneath keyboards, security is easily breached.

Threat Assessment A Threat Assessment is simply identifying threats to a supply chain that exist within a country or region, that are external and outside the control of the Partner, to a Partner’s business model. Examples include terrorist activity, drug smuggling, hijacking, corruption levels, and human smuggling. Be aware threats in one state or province of a country may differ from threats in other states and provinces within the same country. Below you can see a snapshot of part of a Threat Assessment developed by a C-TPAT Partner for the region (British Columbia) in which they operate. A full, blank version of this document can be found for your use on the public CBP.gov website, under the C-TPAT Resource Library and Job Aids. U.S. CUSTOMS AND BORDER PROTECTION


Threat Assessment: An assessment of a criminal or terrorist presence within a jurisdiction integrated with an assessment of potential targets of that presence and a statement of probability the criminal or terrorist will commit an unlawful act. The assessment focuses on the criminal’s or terrorist’s opportunity, capability, and willingness to fulfill the threat. 1 – Low Risk — No recent activity/intelligence information. 2 – Medium Risk — No recent incidents/Some intelligence/information on possible activity. 3 – High Risk — Recent incidents and intelligence/information. Note: For C-TPAT purposes, a “3” for any Threat Risk Factor below results in a “High Risk” rating for the supply chain.

Partner: SP Trucking Location: British Columbia Country/Region: Canada Threat Risk Factor

Risk Rating

Activity

Source of Information

Terrorism (Political, Bio, Agro, Cyber)

2

Threats posed by terrorism within Canada, particularly the radicalization of domestic extremists, has been clearly demonstrated through…

Canadian Security Intelligence Service www.csis.gc.ca

Threat Assessments should use some type of risk scaling, but this need not be complex. For an importer with dozens of supply chains, a numerical ranking system of 1–10 may be appropriate. For companies with few variances in regions of operations, a limited number of supply chains, and a steady business model, a simple high / medium / low system may be appropriate. The goal is to have a ranked output to determine where your company should focus time, energy, and resources to reduce and mitigate risk. In the previous Risk Assessment Guide C-TPAT provided numerous internet sites to aid in developing a Threat Assessment. In this edition, internet sites are not being provided as there are literally thousands of useful and informative websites available on this topic. It would thus be presumptive to list only a few of these sites, and considering the extreme variances and complexities within Partners’ business models, perhaps counter-effective.

Vulnerability Assessment A Vulnerability Assessment is identifying weaknesses in a company’s security procedures and supply chain that can be used to the advantage of terrorists and other criminals identified in the Threat Assessment. Internal audits and security reviews can be important instruments in identifying vulnerabilities. For example, an internal audit of the company itself (such as an internal audit during the annual security profile review, security questionnaires, and site visits conducted during business partner screening), could go into the overall vulnerability assessment. Corrective actions based on the findings of internal audits and business partner reviews can be implemented as part of the Action Plan. This is how the various actions taken by C-TPAT Partners to address program requirements all interact and overlap to strengthen security overall. U.S. CUSTOMS AND BORDER PROTECTION

Introduction and Concepts

INTRODUCTION AND CONCEPTS

7 7


8

INTRODUCTION AND CONCEPTS

Introduction and Concepts

C-TPAT Partners are required to determine and assess the level of risk business partners bring into the supply chain. This is a requirement under the business partner screening section of the minimum security criteria, and information developed as part of that process should be included in determining risk in the appropriate supply chain. Typically, business partners should be analyzed against the appropriate minimum security criteria. For example, the highway carrier minimum security criteria should be used as a tool to assess the practices of, and risk level of, foreign and domestic highway carriers, even if those carriers do not physically cross a border. Similarly, foreign freight forwarders and brokers should be analyzed using the consolidator and/or broker minimum security criteria. Consider on a personal basis: Assigning High Risk Targets You have recently purchased a new vehicle. The vehicle appears as number five on the most frequently stolen vehicle list in the United States for the past two years. This is your Threat Assessment, the external threat to your vehicle over which you have no control. You may need to further research this issue on-line, or by contacting local police departments and insurance companies, to determine if the threat in your area is higher or lower than the national average. Your insurance rate no doubt already includes risk factors of national and local theft rates. A Vulnerability Assessment is next, which describes where your vehicle is susceptible to theft, and should include issues such as: ■■ Do

you live in an area known for a high vehicle theft rate?

■■ Do

you frequently use street parking at home and at restaurants, or do you lock the vehicle in your garage and only use secure parking lots or valet parking?

■■ Do ■■ Is

you live on an island connected to the mainland via only a single causeway?

it a convertible, with easier access than a traditional hardtop vehicle?

Once these vulnerabilities are identified and documented, you are ready to proceed to the next step, completing an Action Plan that will put into place procedures to reduce or mitigate the threats identified above.

Action Plan An Action Plan consists of once having identified and documented vulnerabilities, developing and implementing procedures and/or improvements to reduce those vulnerabilities. In severe instances, a company may decide to withdraw from a high risk supply chain. In some instances, additional direct management oversight in daily operations might be deemed adequate to address the risks (e.g., posting an employee who works directly for the importer at a high-risk foreign manufacturer). In others, the U.S. CUSTOMS AND BORDER PROTECTION


implementation of additional overlapping, interlocking procedures or technology might be deemed to adequately address and mitigate the risk. Using the personal vehicle example above, once having identified when and/or where your vehicle is most at risk of being stolen, what procedures do you put in place to mitigate the threat of theft? Examples might include installation of a theft alarm; installation of a false theft alarm by placing stickers on windows and a flashing red light on the dashboard; installation of a remote engine shutdown system; use of only manually attended parking lots/garages or valet parking at restaurants; use of a steering wheel locking mechanism; or registering and tagging your vehicle with the local police as not being allowed on the road between midnight and five a.m. An audit of these procedures might include ensuring family discussions with all family members (i.e., periodic security threat and awareness training, or “company musters”) on the reasons for, and necessity of, following these procedures, and that all persons understand the ramifications a “family member” (i.e., employee) might face for not following such procedures (resultant loss of use of the vehicle).

Audit An audit is a periodic documented review to ensure the procedures the company has in place are being conducted and followed through on, as part of regular, every day procedures, and that records are completed and properly filed. Audits may reveal security deficiencies, but do not replace, rather enhance, a company’s Vulnerability Assessment. For a sample Audit procedure incorporating the entirety of the minimum security criteria, see the chapter on Brokers.

Recommending a Risk Assessment Process In order to assist C-TPAT Partners with conducting a risk assessment of their international supply chain(s) in accordance with the C-TPAT minimum security criteria, a Five Step Risk Assessment Process is recommended. This reference guide contains some of the basic tools, resources, and examples C-TPAT partners should consider using when conducting a risk assessment of their international supply chain(s). The information contained herein is intended to serve as a guide, and is not “all inclusive” of what should be included in an international supply chain security risk assessment. For various free examples of some of these procedures and the suggested evidence of implementation, please see the Resource Library and Job Aids page on CBP.gov. The Five Step process described below can be used by Partners of all entities to determine what threats exist to their business models, even if a Partner does not physically handle cargo. Those Partners that only handle data are also at risk, for if a terrorist or other criminal seeks access to a cargo shipment, the first thing they require is knowledge of a shipment and the identifying information of the companies involved in the cargo movement. An example of how the C-TPAT minimum security criteria addresses these issues is under Broker Procedural Security, “Security measures must be in place to ensure the integrity of any data or documents relevant to security of processes, transportation, handling, and storage of cargo in the supply chain.” While many Partners use a numerical rating system to assess risk, an alternative method can be used. It is up to each Partner to determine how risk will be assessed. The threat and vulnerability factors described in this document should be used to determine the level of risk, which should be described U.S. CUSTOMS AND BORDER PROTECTION

Introduction and Concepts

INTRODUCTION AND CONCEPTS

9 9


10

INTRODUCTION AND CONCEPTS

Introduction and Concepts

appropriately (e.g., high, medium, or low; acceptable or unacceptable; pass or fail, etc.). A complex rating system may be used, but is not appropriate for all business models. Partners should be aware that Incoterms have little to do with security assessments for terrorism and criminal activity. Incoterms are primarily directed towards cost, ownership, and insurance purposes. A terrorist willing to explode a device within a U.S. harbor, or a human trafficker impersonating a legitimate shipment through identity theft, cares not for legitimate ownership and insurance claims. The C-TPAT Partners responsible for the importation and exportation of goods across U.S. borders, no matter where the actual transfer of ownership occurs, are ultimately responsible for the security of that shipment, regardless of the Incoterms. The acknowledgment of this fact, and the willingness to be proactive and energetic in addressing supply chain security, is what separates C-TPAT Partners from those who are not Partners. Companies that feel the requirements of the C-TPAT minimum security criteria are too burdensome are not suited for the C-TPAT Program. For exporters particularly, it is critical shipments are protected from threats to U.S. allies to whom shipments are destined. The reputation of the entire U.S. business community rests on exporters being proactive and conscientious of their responsibilities concerning supply chain security. It is thus critical for the survival of all C-TPAT Partners to be aware, and selective of, its business partners.

The Five Step Risk Assessment Process includes: 1. Mapping Cargo/Data Flow and Control and Identifying Business Partners(whether directly or indirectly contracted) and how cargo moves throughout the supply chain to include modes of transportation (air, sea, rail, or truck) and nodes (country of origin, transit points). 2. Conducting a Threat Assessmentfocusing on Terrorism, Contraband Smuggling, Human Smuggling, Agricultural and Public Safety Threats, Organized Crime, and conditions in a country/region which may foster such threats, and ranking those threats. 3. Conducting a Vulnerability Assessment in accordance with the C-TPAT Minimum Security Criteria.A vulnerability assessment includes identifying what the Partner has that a terrorist or criminal might desire. For brokers this might be data; for importers, manufacturers, and exporters, this might be access to cargo and company information. Then, identifying weaknesses in company procedures that would allow a terrorist or criminal to gain access to these processes, data, or cargo. 4. Preparing a Written Action Plan to Address Vulnerabilities.This includes mechanisms to record identified weaknesses, who is responsible for addressing the issues, and due dates. Reporting results to appropriate company officials and employees on completed follow up and changes is also essential. 5. Documenting the Procedure for How Risk Assessments are Conducted, to Include Reviewing and Revising the Procedure Periodically.The process itself should be reviewed and updated as needed at least annually, and a Risk Assessment should be conducted — and documented — at least annually, more frequently for highway carriers and high risk supply chains. It is understood that some C-TPAT Partners have numerous supply chains, which may present a major task when conducting a comprehensive security risk assessment of their international supply chains. Therefore, it is recommended that C-TPAT Partners first identify their “High Risk” supply chains by conducting a threat assessment at the point of origin/region and where the cargo is routed/transshipped, and then conducting U.S. CUSTOMS AND BORDER PROTECTION


a comprehensive security vulnerability assessment of those supply chains. Subsequently the Partner should address the supply chains identified as medium and then low risk. This is to ensure the assumptions made in identifying risk levels as medium or low are in fact accurate. Companies that seek to elevate their security procedures to a Tier III status would be expected to complete threat, vulnerability, and risk assessments on all partners and supply chains.

Documenting the Risk Assessment Process The five-step process above is generic in nature to allow its application to all business entities and models. A sample Risk Assessment Procedure, as described in Step Five above, is displayed here. A company’s documented risk assessment process (e.g., policies and procedures) should contain, at minimum, the following information: 1. Date the Risk Assessment Process was established by the Partner, and latest revision date. 2. Identify company personnel responsible for keeping the process up-to-date, including “back-up” personnel. 3. W  hen or how often a Risk Assessment must be conducted (e.g., annually, quarterly (recommended especially for highway carriers); a new business partner in a supply chain; threat conditions change in a country or region). 4. R  equired frequency of review and update to the actual Risk Assessment procedure (e.g., annually, quarterly, etc.). 5. How Threat Assessments of international supply chains are to be conducted. 6. H  ow Vulnerability Assessments on the International Supply Chain are to be conducted (e.g., verification of C-TPAT/PIP/AEO Status, site visits by Quality Assurance Managers, analysis of completed security questionnaires). 7. H  ow follow-up is conducted on “action items” (e.g., site visits to address vulnerabilities, termination of contracts). 8. P rocedure for training key individuals who are responsible for the Risk Assessment Process, to include regional employees who frequently visit foreign sites for other purposes (e.g., quality assurance managers, sales representatives). 9. Internal management oversight and accountability for ensuring the process is carried out consistently and effectively.

Verifying Radioactive Isotopes Are As Manifested

U.S. CUSTOMS AND BORDER PROTECTION

Introduction and Concepts

INTRODUCTION AND CONCEPTS

11 11


Chapter One

U.S. CUSTOMS AND BORDER PROTECTION


F

or importers, the first step in a Risk Assessment is identifying all business partners involved in the knowledge and movement of cargo from point of origin to destination. If an importer cannot identify all steps and business partners in the movement of cargo from origin to destination in the U.S., the importer will not be able to control the security of each step in the supply chain. A sample spreadsheet delineating business partners involved in the movement of cargo from point of manufacture to destination in the U.S. is shown below. Note some supply chains may contain more steps than shown in the example, and some will contain fewer steps. A modifiable version of the below document for Everything Importers is available on the public CBP.gov website, under the C-TPAT Resource Library and Job Aids. Supply Chain Step

Type of Service Provided

Details About Business Partner

Issues to Consider

Foreign Manufacturer Information

Manufacturer

ABC Manufacturer 183 Jalan Bukit Bintang, Kuala Lumpur, Malaysia. Provides importer approximately 63% of imports.

Not eligible for C-TPAT; country has no AEO program

Highway Carrier (for both FCL and LCL)

Moves cargo from factory to consolidator and port of export

Super Secure Freight, Lebuh Relau, 11360 Bayan Lepas, Kuala Lumpur, Malaysia

Not eligible for C-TPAT; country has no AEO program

Consolidation Facility

Physical location where LCL freight is stuffed into container

FastCon, Building 62, Predak Commercial Zone, Kuala Lumpur, Malaysia

Not eligible, but visited by a C-TPAT team 12/12/2013. Report on file with importer, no Actions Required U.S. CUSTOMS AND BORDER PROTECTION

Chapter One â&#x20AC;&#x201D; Importers

INTRODUCTION ANDIMPORTERS CONCEPTS

13 13


Chapter One â&#x20AC;&#x201D; Importers

14

IMPORTERS Supply Chain Step

Type of Service Provided

Details About Business Partner

Issues to Consider

Highway Carrier

Moves cargo from consolidator to port of export

Reliable Haulers, 168 Jalan Imbi, Kuala Lumpur, Malaysia

Not eligible for C-TPAT; country has no AEO program

Freight Forwarder

Processes paperwork for cargo export, including ISF

Global Freight Coordinators, No 32, 1st Floor, BBandung Lepas, Kuala Lumpur, Malaysia

Not eligible for C-TPAT; country has no AEO program

Port of Export

Stores and handles cargo prior to lading

Pelabuhan Klang, Malaysia

Meets ISPS requirements

Ocean Carrier

Moves cargo from port to port

Excellent Ocean Carriers, 626 Joro Blvd, Pelabuhan Klang, Malaysia

C-TPAT status verified in Portal.

Transhipment Port

Stores and handles cargo in between vessel movements

Kaohsiung, Taiwan

Taiwan AEO Certified, Certificate in Portal Document Exchange

Ocean Carrier

Moves cargo from port to port

Pacific Swells, 5th Floor, No. 2, Chung Cheng 3rd Rd., Xin-Xing District, Kaohsiung City, Taiwan

C-TPAT status verified in Portal.

Ocean Terminal in US

Location of unlading

LA/Long Beach, CA

C-TPAT status verified in Portal.

US Import Broker

Files US import documentation

Paperwork Professionals, 555 Imperial Highway, Suite 816, Los Angeles, CA 90211

C-TPAT status verified in Portal.

Terminal Operator

Handles and stores cargo after unlading

Smith Terminal Facilities, Pier Z, Los Angeles, CA 90809

C-TPAT status verified in Portal.

Domestic Drayage

Trucks cargo from ocean terminal to consolidator or ultimate destination

Porter Transportation, 301 Normandie, Torrance, CA 90518

Not eligible, completed security questionnaire for this year on file

U.S. CUSTOMS AND BORDER PROTECTION


Supply Chain Step

Type of Service Provided

Details About Business Partner

Issues to Consider

Deconsolidator

Cuts seal and unloads container prior to domestic delivery of cargo.

Ochoa Warehousing, 201 Del Amo, Wilmington, CA 90512

Has no bond with CBP, thus not eligible. Security site visit conducted in past three months, results analyzed and on file. Three Actions Required. Uses outsourced day laborers; high risk.

Domestic Drayage

Trucks cargo from ocean terminal to consolidator or ultimate destination

Parsons Parcels and Trucking, 689 Opp St., Los Angeles, CA 90613

Not eligible, completed security questionnaire on file from last month.

Importer

This is our company.

Everything Importers, Address of Receiving Facility

This is our company, see latest Internal Audit on security procedures.

Container Inspections Should Detect Altered Container Frames U.S. CUSTOMS AND BORDER PROTECTION

Chapter One â&#x20AC;&#x201D; Importers

IMPORTERS

15 15


Chapter Two

U.S. CUSTOMS AND BORDER PROTECTION


F

or brokers that do not handle cargo, the primary item they possess and need to safeguard is information. If a terrorist desires to conceal weapons or people in a shipment, the first thing they need is specific knowledge of the shipment. C-TPAT has identified at least two occasions of identity theft targeting brokers, one the theft of identity of a client-importer of the broker to smuggle trademark violation merchandise, and the other an attempt at financial fraud. For brokers that physically handle cargo, the choice for a risk assessment may be a combination of the broker and consolidator, or even importer, risk assessment processes. When determining how to create a Risk Assessment Process, brokers should consider their business model first. For a broker, steps one through three of the five step process could vary widely depending on the company’s business model. 1. Cargo Mapping ■■ Cargo

handler — similar to importer, with addition of broker example

■■ Non-cargo

handler — use broker example

2. Vulnerability ■■ Cargo

handler — similar to importer, with addition of broker example

■■ Non-cargo

handler — use broker example

3. Threat ■■ Cargo

handler — similar to importer, with addition of broker example

■■ Non-cargo

handler — use broker example

4. Action Plan 5. Documented Procedure The primary security task for brokers is to control who has access to their data and their clients’ data. A full assessment of risks to the data can be identified through an internal audit that includes all aspects of the minimum security criteria, to determine both if procedures are adequate and if security procedures are being followed by employees. By controlling who the broker does business with and who has access to its facilities and data systems, the broker can control who can access its information.

“The primary security task for brokers is to control who has access to their data and their clients’ data.” U.S. CUSTOMS AND BORDER PROTECTION

Chapter Two — Brokers

INTRODUCTION AND CONCEPTS BROKERS

17 17


18

BROKERS

Chapter Two â&#x20AC;&#x201D; Brokers

The first step in a risk assessment process for brokers includes an audit of documentation to ensure security procedures are followed on a daily, systemic basis, and that adherence to these standards is adequately documented. Persons conducting audits on various processes should not be those responsible for conducting the work regularly, but someone from another division or assignment. Results of the audits should be documented, to include possible vulnerabilities identified, and suggestions on how to improve and revise procedures. The process used to conduct the first full risk assessment audit should be documented for future use. The process should be conducted on a scheduled basis, and should include the persons responsible for the completion of the project and those tasked with its parts. All security-related procedures that have not yet been documented should be documented as part of the first assessment. All procedures and policies should have issuance and revision dates. A broker must consider all aspects of the minimum security criteria. A more detailed checklist of items that should be reviewed, documented, and followed up on by the broker may be found at the end of this chapter. Please remember that under the broker minimum security criteria, business partners are broken into two categories: Importer Clients and Service Providers. An Importer Client is a company that approaches the broker and offers to pay the broker for services rendered to assist in clearing cargo with CBP. A Service Provider is a business partner selected by the broker to supply services to the broker. Examples of the latter include a domestic drayage company; a de-consolidator; or a freight forwarder. U.S. CUSTOMS AND BORDER PROTECTION


A visual for possible variations in screening these classes of partners is displayed here: Importer Clients

Service Providers

C-TPAT status queried, verified, and documented?

C-TPAT status queried, verified, and documented?

Status in foreign program queried, verified, and documented?

Status in foreign program queried, verified, and documented?

Status within ISO 28000 queried, verified, and documented?

Status within ISO 28000 queried, verified, and documented?

Credit checks verified and documented?

Credit checks verified and documented?

Business References verified and documented?

Business References verified and documented?

Original Power of Attorney on file?

Membership in professional organizations verified and documented? (e.g., American Trucking Association) Status with U.S. government programs verified and documented? (TSA, IATA, FMC, etc.) Written statement (security questionnaire, letter of affirmation, etc.) that non-C-TPAT company is meeting minimum security criteria? Site visit for security purposes documented? Follow up action plan documented? Resolution of action items documented?

At the end of this chapter is a sample listing of some, but not all, of the items a broker might include on its Internal Audit Checklist to ensure employees are conforming to company security procedures. The items are broken down into these general C-TPAT criteria sections: ■■ Business

Partners

■■ Container

and Trailer Security

■■ Procedural

Security

■■ Physical

Security

■■ Physical

Access Controls

■■ Personnel ■■ Security

Security

Training and Threat Awareness

■■ Information

Technology Security U.S. CUSTOMS AND BORDER PROTECTION

Chapter Two — Brokers

BROKERS

19 19


20

BROKERS

Chapter Two — Brokers

Audit Checklist Business Partners ■■ Do all C-TPAT Partners show “certified” in the portal? If not, why not? ■■ If a previous C-TPAT partner now shows “not certified,” have the remaining steps in the

business partner screening process been conducted and documented? ■■ For all non-C-TPAT business partners, are records up to date with documented evidence of

the required additional screening? This might include copies of current PIP/AEO certificates; completed copies of Security Questionnaires; documented reviews and analysis of completed Security Questionnaire; documented site visits; documented follow up on weaknesses; results of background queries, such as Specially Designated National queries, and industry certifications. ■■ Have “extra scrutiny triggers” for the screening of business partners been reviewed and

updated? ■■ Has the company’s Preferred Provider List been rescreened and updated? ■■ Has the updated list been disseminated to employees and old lists destroyed? ■■ Has Outreach/Training on the C-TPAT program been conducted with non-C-TPAT partners? ■■ Has the Outreach/Training been documented for each company?

If yes, in what manner? (On-site, telephonic, web-based, etc.). ■■ What topics were covered in the Outreach/Training (e.g., tracking and monitoring, conveyance

inspections, seal procedures, notification to our company and customs/law enforcement with discrepancies, access controls, internal conspiracies, challenging strangers)? ■■ Have all business partners (both importer clients and service providers) been provided with

the broker’s contact information for security inquiries? ■■ Has the broker’s website been updated with C-TPAT information and valid links to CBP.gov? ■■ What actions were taken to improve processes in this security category?

U.S. CUSTOMS AND BORDER PROTECTION


Procedural ■■ Powers of Attorney — Does our company have original, current powers of attorney for each

active importer client? ■■ If no, what follow up actions are to be taken? ■■ Importer Security Filing — What score did our company receive on its latest Importer

Security Filing Progress Report? ■■ How can this score be improved upon, if necessary? ■■ How and what information was requested from importer clients whose track record

requires improvement? ■■ Who was tasked with this improvement? ■■ Have the improvements been completed? ■■ Entry filing — What is the date of the last audit of entries filed with CBP? ■■ What issues were identified that could be improved upon? ■■ Who was tasked with this improvement? ■■ What steps were taken to complete these improvements? ■■ Have the improvements been completed? ■■ Visitor and Driver Logs — A manual review of all Visitor and Driver logs must be conducted. ■■ What were the results? ■■ Were all entries complete and legible? ■■ What patterns of concern emerged? ■■ Are there additional items it would make sense to add to the logs? ■■ What actions can be taken to improve the logs?

U.S. CUSTOMS AND BORDER PROTECTION

Chapter Two — Brokers

BROKERS

21 21


22

BROKERS

Chapter Two â&#x20AC;&#x201D; Brokers

Below, please find an example of the business processes typically provided by brokers to their clientimporters. This Procedural Security breakdown is displayed below to assist brokers in drilling down to determine the level of security procedures in place to protect data. Supply Chain Step

Type of Service Conducted by Our Company

Process

Risks Identified

Actions Taken to Mitigate Risks

Receipt of entry processing information

Documentation: Receiving in advance of arrival

Brokerage and Import Managers monitor the documentation transfer

Data leakage

Employees of both Departments sign nondisclosure statements. IT Firewall, Anti-virus, Antispyware software installed Training computer users on internet threats, to include phishing emails, and how to identify and report suspicious IT activity

Verification of import documents

Verification of Commercial Invoice information and other relevant import data

Brokerage Manager monitors the documentation verification

Overlooking inadequate, or not recognizing tampered documentation

Training appropriate employees on recognizing suspicious shipment and document indicators. Regular Audits and corrective actions

Having valid Power Brokerage Manager Obtaining and monitors the POA validating Power of Attorney validation of Attorney (POA)

Mistaken validation

Regular sampling and checking of validated POAs

Verification of description for proper classification

Verification of description for correct classification of imported goods

Brokerage Manager monitors the verification and classification

Misclassification, Training appropriate especially of employees on recognizing suspicious goods suspicious shipment and document indicators Regular sampling and checking of Schedule B numbers against product descriptions

Contact CBP Website

Perform Bond Query

Brokerage Manager monitors the Bond Query process

Phishing through company internet access and email

IT Firewall, Anti-virus, Antispyware software installed Training computer users on internet threats, to include phishing emails, and how to identify and report suspicious IT activity

Contact CBP Website

Processing CBP entry and receive immediate electronic CBP release

Brokerage Manager monitors the CBP release

Phishing through company internet access and email

IT Firewall, Anti-virus, Antispyware software installed Training computer users on internet threats, to include phishing emails, and how to identify and report suspicious IT activity

Contact CBP Website

Print CBP Forms

Entry processing

Storage of blank forms

All forms kept in locked cabinets or only available electronically on computer

U.S. CUSTOMS AND BORDER PROTECTION


Supply Chain Step

Type of Service Conducted by Our Company

Process

Risks Identified

Actions Taken to Mitigate Risks

Arranging Pickup and Delivery

Arrange pick-up and delivery by approved Trucker upon arrival of freight

Quality Assurance Department monitors the selection of Truckers

Selection of trucker not on approved list Use of outdated approved list

Ensure employees trained to use truckers only on current list posted on intranet (no hardcopies that may be outdated allowed)

Instructing Notify Trucker to selected Trucker validate container number, inspect container and perform View, Verify, Tug, and Twist seal inspection

Brokerage Compliance Department monitors the notification to Truckers

Improper communication to the selected Trucker

Periodic audit of notification e-mail messages

Pick Up and Deliver Shipment

Dispatch trucker for Pickup and Delivery of shipment

Dispatching Brokerage Staff

Diversion of products for introduction/ removal of unauthorized materials

Use of escort, GPS and driver who calls dispatcher often to update on movements until delivery. Dispatcher who logs contacts with driver and conducts real-time comparisons to GPS data/ driver calls. Audits of tracking and monitoring records for anomalies

Contact with Consignee

Verify delivery and obtain Proof of Delivery

Brokerage Manager monitors the process

Modification of documentation to conceal wrong doing

Regular checking by Brokerage Manager

Contact CBP

Submission of Brokerage Manager entry summary for monitors the final reconciliation process by CBP

Concealing wrong doing

CBP reconciliation detects anomalies

Closing and filing

Closing entry files and filing them away for records

Brokerage Manager monitors the process

Ensure prevention of leakage of documents

Regular documented auditing by Brokerage Manager

Destruction of Records

Destroying entry files, commercial invoices, email printouts, etc.

Use of on-site contract shredding truck

Ensure documents are actually destroyed and not diverted during process

All destruction is conducted under direct supervision of brokerage employee

U.S. CUSTOMS AND BORDER PROTECTION

Chapter Two â&#x20AC;&#x201D; Brokers

BROKERS

23 23


24

BROKERS

Chapter Two — Brokers

Physical Security If the company has a security alarm system: ■■ What was the date of the last system test? ■■ What were the results? ■■ What possible improvements were identified?

If the company has a video surveillance system: ■■ What was the date of the last system test? ■■ Does review of night time video show adequate lighting in place? ■■ Were repairs made immediately upon discovery of a malfunction? ■■ Was a verification conducted to ensure that security cameras remained pointed on key areas? ■■ Are cameras not easily accessible in order to prevent tampering? ■■ Are recordings stored in a secure location? ■■ Describe what issues were identified and actions taken to address issues: ■■ What actions were taken to improve processes in this security category?

Access Controls Access Device Logs ■■ Did a review of the issuance/retrieval of access device logs reveal any discrepancies? (e.g. any

ex-employees still shown as having keys, ID cards, alarm codes?) ■■ Was a physical inventory of all access devices conducted? ■■ If yes, what issues of concern were found? ■■ What actions were taken to resolve these issues? ■■ What actions were taken to prevent recurrences?

U.S. CUSTOMS AND BORDER PROTECTION


BROKERS

Chapter Two — Brokers

■■ Building Inspections

25 25

■■ Are building inspection logs complete? ■■ Were identified issues resolved? ■■ How can the process to ensure building integrity be improved? ■■ What actions were taken to improve processes in this security category?

Personnel Review all personnel files of persons hired and separated since last assessment. ■■ Did the review show any documents or data missing or incomplete? ■■ Were I-9 forms complete? ■■ Were all new hires queried through the E-Verify system? ■■ What patterns emerged concerning missing documents or data? ■■ What actions were taken to prevent recurrences? ■■ What actions were taken to improve processes in this security category?

Security Awareness and Training ■■ Has security training been updated since the previous iteration? ■■ Have all employees received mandatory training for their job position? ■■ If no, has make-up training been scheduled? ■■ What security topics were covered, and was training tailored to the responsibilities/jobs of the

employees?

U.S. CUSTOMS AND BORDER PROTECTION


C-TPAT Program Criteria

17-Point Inspections

Documenting Inspections

Challenging Strangers

Abnormal Shipments

Reporting Suspicious Activities

Conducting Site Security

IT Security

Mail / Package Safety

Chapter Two — Brokers

Below find a sample log that can be kept to ensure each employee receives the necessary job-specific training.

Job Title

BROKERS

Employee Name

26

Woods, Porter

Operations Clerk

[Date]

N/A

N/A

[Date]

[Date]

[Date]

N/A

[Date]

[Date]

Adams, John

Dispatcher

[Date]

[Date]

[Date] [Date]

[Date]

[Date]

N/A

[Date]

[Date]

Fraser, Alex

Mechanic

[Date]

[Date]

[Date] [Date]

N/A

[Date]

N/A

N/A

N/A

Foss, Joseph

Driver

[Date]

[Date]

[Date] [Date]

[Date]

[Date]

[Date]

N/A

N/A

N/A — Not applicable, this employee does not perform this activity/task. [Date] — Last date this training was completed by this employee. All training should be refreshed periodically, at least annually.

U.S. CUSTOMS AND BORDER PROTECTION


Information Technology (IT) ■■ Has the IT service provider been rescreened since the initial contract was signed? ■■ How frequently are firewall, anti-virus, and anti-spyware software updated? ■■ Was a security intrusion test performed to determine the effectiveness of protections? ■■ What were the results? ■■ What can be improved? ■■ How frequently are system backups conducted? ■■ Are backups stored in secure location? ■■ If cloud storage is used, was business partner screening conducted on the provider? ■■ Has IT retraining been conducted and documented? ■■ What actions were taken to improve processes in this security category?

U.S. CUSTOMS AND BORDER PROTECTION

Chapter Two — Brokers

BROKERS

27 27


Chapter Three

U.S. CUSTOMS AND BORDER PROTECTION


C

onsolidator Partners in the C-TPAT program are not required to physically handle cargo, or even be involved in the import process. Consolidators who otherwise meet the C-TPAT eligibility requirements may be involved solely in the export business. Thus, many potential business models for C-TPAT consolidators exist. When determining how to create a Risk Assessment Process, consolidators should consider their business model first. For a consolidator, steps one through three of the five step process could vary widely depending on the company’s business model. 1. Cargo Mapping ■■ Cargo

handler (foreign or domestic) — similar to importer and exporter

■■ Non-cargo

handler — similar to broker

2. Vulnerability ■■ Cargo

handler (foreign) — similar to foreign manufacturer

■■ Cargo

handler (domestic) — similar to importer and exporter

■■ Non-cargo

handler — similar to broker

3. Threat ■■ Cargo

handler (foreign) — similar to foreign manufacturer

■■ Cargo

handler (domestic) — similar to importer and exporter

■■ Non-cargo

handler — similar to broker

4. Action Plan 5. Documented Procedure If the company does not physically handle freight, instead functioning primarily as a freight forwarder or “paper” consolidator, the Broker Risk Assessment model may best apply. If the consolidator is physically handling imported freight, the importer model may apply, with modifications. For export-only consolidators, a risk assessment process closer to that of a U.S. exporter may apply. For consolidators that also control the operations at a foreign facility for cargo moving to the U.S., concepts from the foreign manufacturer risk assessment process may be most applicable. Obviously, consolidators are not typically in the business of selecting foreign manufacturers or foreign incountry transportation providers. Manufacturers are typically selected by the consolidator’s client-importer, and foreign in-country transportation providers are often selected by the consolidator’s foreign business partner agents. To address this lack of control over selecting business partners, it is extremely important for consolidators to address risk by selecting quality foreign agents, and to have strong and proactive outreach and education programs on C-TPAT and equivalent AEO programs. “Pushing out” the C-TPAT minimum security criteria to all levels of the supply chain through outreach and education, including to third and fourth level business partners, is a critical minimum security criteria element for all C-TPAT Partners, and becomes especially important when Partners have limited ability to select transportation providers in foreign countries. The best-case scenario is to require all partners in all links in the supply chain to be AEO or C-TPAT certified. U.S. CUSTOMS AND BORDER PROTECTION

Chapter Three — Consolidators

CONSOLIDATORS

29 29


Chapter Three — Consolidators

30

CONSOLIDATORS As an example of the dangers of using generic, “cookie cutter” risk assessments, consider a consolidator that does not handle cargo and has a single office located in a high-rise office building, but has elected to use a generic risk assessment process provided by an external advisor. The only valuable item such a consolidator possesses is information, but the generic process adopted from their advisor is actually formulated for importers who physically handle their own cargo. Now consider these vulnerabilities: ■■ A

third-party janitorial service, selected by the building landlord, has metal keys allowing access for cleaning on Sundays when the consolidator’s office is closed.

■■ The

consolidator has no alarm system to record when the third party employees, who are completely unknown and unscreened by the consolidator, actually enter and exit the office space.

■■ The

consolidator assumes the janitors access the office only on Sunday evenings, but have no method to verify this.

■■ No

video camera system exists for the consolidator’s managers to review each morning to determine who was in the office after hours, and what they were doing.

■■ The

office photocopier’s electronic records are not reviewed to determine if photocopies are made outside normal office hours.

■■ The

consolidator’s IT contractor conducts no special checks or reports to determine if the company’s IT system has been accessed or used outside normal business hours.

While the company has established a Risk Assessment process, it does not fit the company’s business model and can lead to a false sense of security and eventual data theft. Is this the type of business partner with whom you would willingly put your personal bank account or company identity information at risk?

U.S. CUSTOMS AND BORDER PROTECTION


31

U.S. CUSTOMS AND BORDER PROTECTION


Chapter Four

U.S. CUSTOMS AND BORDER PROTECTION


C

ross-border highway carriersâ&#x20AC;&#x2122; business models have some similarities to brokers, in the sense both brokers and carriers are hired by importers or manufacturers to provide services to these clients. However, while brokers need only protect a set location or locations, carriers, by their very nature, must be able to protect stationary facilities and moving conveyances. For highway carriers, a supply chain might be displayed as the sample below. Supply Chain Step

Type of Activity

Details About Partner

Issues to Consider

Foreign Manufacturer

Trailer storage, trailer loading

ABC Manufacturer, 123 Chavez, Tijuana, Baja California, provides 53% of shipments we move to US.

C-TPAT Certified, Physical security around truck and trailer (fences, gates, guards); restricted access to loading dock; secure overnight storage

Transport to border

Movement of cargo from manufacturer to border. Loaded trailers never taken to our storage yard.

This is our company. Internal procedures, especially as related to tracking and monitoring, must address vulnerabilities.

Tight and overlapping tracking and monitoring of trucks must be in place, with direct management oversight and written procedures for when things go wrong.

Export broker

Company that provides border crossing paperwork and may transmit data to government agencies.

Mexico broker. Knows about shipment and details in advance.

Are Personnel and IT security at a high level?

Port of Entry to US

Wait time

What is typical wait and release time at each port of entry?

How exposed is conveyance while waiting in line?

US Import broker

Company that provides border crossing paperwork and may transmit data to CBP.

US broker. Knows about shipment and details in advance.

Are Personnel and IT security at a high level?

Transport to destination in US

Movement of cargo from border to destination/transfer yard.

This is our company. Internal procedures, especially as related to tracking and monitoring, must address vulnerabilities. Reporting delays and suspicious activities critical for driver.

Tight and overlapping tracking and monitoring of trucks must be in place, with direct management oversight and written procedures for when things go wrong.

U.S. CUSTOMS AND BORDER PROTECTION

Chapter Four â&#x20AC;&#x201D; Highway Carriers

HIGHWAY CARRIERS

33 33


34

HIGHWAY CARRIERS

Chapter Four — Highway Carriers

Once locations and movements are identified, the regional Threat Assessment can be applied against these steps in the carrier’s daily activities to determine where weaknesses and vulnerabilities exist. Once these vulnerabilities are identified, an Action Plan to address such issues can be documented. A highway carrier’s risk assessment will have more to do with addressing internal processes and vulnerabilities at points of loading, as opposed to correcting weaknesses in clients’ internal processes, as the highway carrier is the service provider. Nevertheless, there may come a time when a client’s processes are so high risk the highway carrier may determine for its own safety to stop conducting business with that client. Highway carriers that handle less than trailer load freight and a spoke and hub consolidation network will have a different set of issues to address than in the example above. Similarly, carriers using a pick up and deliver (“milk run”) business model will have a more complex series of issues to consider.

Risk factors for Highway Carriers The history of highway carriers in the C-TPAT Program has demonstrated the issues below as being repetitive contributors to security breaches. Therefore, each step in a carrier’s supply chain and business model should be analyzed for weaknesses in these areas: ■■ Loose

tracking and monitoring of conveyances in transit;

■■ No

overlapping or layered verifications of conveyance monitoring (e.g. no GPS to go with radio communications with drivers, no unannounced following of conveyances by managers, no escorts or convoys in use, etc.);

■■ Weak

oversight at office of tracking and monitoring procedures (e.g. dispatcher over-burdened, improperly trained, not rotated randomly to avoid collusion with drivers)

■■ Use ■■ No

of subcontractors; direct management oversight in day-to-day operations;

■■ Inappropriate

delegation of authority to employees (e.g. allowing dispatchers to choose or approve clients and other business partners);

■■ No

or weak use of GPS and geo-fencing;

■■ Infrequent ■■ Security ■■ If

visits to business partners at point of loading to discuss and inspect security;

where loaded and empty conveyances and tractors are stored overnight;

drivers must leave vehicle to pick up paperwork en route;

■■ Time

elapsed since last full investigation/check of driver (not simply DOT drug tests)

■■ Employee ■■ No

turnover rate at business partners; and

C-TPAT/PIP/NEEC participation, even though eligible.

U.S. CUSTOMS AND BORDER PROTECTION


35

U.S. CUSTOMS AND BORDER PROTECTION


Chapter Five

U.S. CUSTOMS AND BORDER PROTECTION


W

here a manufacturer outsources or contracts elements of their supply chain, such as another facility, warehouse, or other elements, to include transportation, the manufacturer must work with these business partners to ensure pertinent security measures are in place and are adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin through to point of distribution. Manufacturers and exporters are often responsible for selecting the carriers for freight destined to the port of export, and frequently across the border to destination as well. Other partners in the export chain might also be selected by the manufacturer or exporter, such as freight forwarders, brokers, consolidators, etc. As selecting these service providers is the responsibility of manufacturers and exporters, so too is screening these business partners to ensure such partners are meeting the C-TPAT minimum security criteria. The easiest method, of course, is to select partners who are C-TPAT Partners and/or members of other governmentsâ&#x20AC;&#x2122; supply chain security programs. If a business partner has no such certification, then the manufacturer or exporter must conduct security assessments of all such business partners in the supply chain. The table on the following pages is an example of how a manufacturer exporting to the U.S. might document their supply chain.

Compartment in Trailer Floor U.S. CUSTOMS AND BORDER PROTECTION

Chapter Five â&#x20AC;&#x201D; Foreign Manufacturers and U.S. Exporters

FOREIGN MANUFACTURERS AND U.S. EXPORTERS

37 37


Chapter Five â&#x20AC;&#x201D; Foreign Manufacturers and U.S. Exporters

38

FOREIGN MANUFACTURERS AND U.S. EXPORTERS Supply Chain Step

Type of Service Provided

Details About Business Partner

Issues to Consider

Manufacturer

Manufacturing/Exporter

This is our company, Francisco Javier Clavijero

C-TPAT Certified

Highway Carrier (for both FCL and LCL)

Moves cargo from factory to port of export

Pedro Thomas Ruiz de Velasco

C-TPAT Status Verified in Portal

Export Broker

Processes paperwork for cargo export

JosĂŠ Guadalupe Posada

NEEC Eligible, application in process

U.S. Port of Entry

Wait time

What is typical wait and release time?

How exposed is conveyance while waiting in line?

U.S. Broker

Files import documentation at destination

Jose Mendoza Brokers

Not C-TPAT, but eligible. Why not C-TPAT? Investigation and Security Assessment must be conducted. Are Personnel and IT security at a high level?

Transport to destination in U.S.

Movement of cargo from border to destination/ transfer yard.

This is our company. Internal procedures, especially as related to tracking and monitoring, must address vulnerabilities. Reporting delays and suspicious activities critical for driver.

Tight and overlapping tracking and monitoring of trucks must be in place, with direct management oversight and written procedures for when things go wrong.

Importer/Consignee

U.S. Importer client

Agerholm Importers 524 Mesquite Drive, Laredo, Texas

C-TPAT Status Verified in Portal

Export Examination U.S. CUSTOMS AND BORDER PROTECTION


Below is an example of how a U.S. exporter might document their supply chain. Supply Chain Step

Type of Service Provided

Details About Business Partner

Issues to Consider

Manufacturer

Exporter

This is our company, Henderson Manufacturers

C-TPAT Status Verified in Portal

Highway Carrier (for both FCL and LCL)

Moves cargo from factory to port of export

Wilson Trucking, 231 Dean Forest Rd., Savannah, GA

Not eligible. Security Assessment for this year on file. Working with company to activate five minute pings and geofencing on GPS system.

Freight Forwarder

Processes paperwork for cargo export

Global Freight Coordinators, 21 Bay St., Savannah, GA

Not eligible, but could be if they obtained CBP bond. Outreach to partner should be conducted to encourage C-TPAT participation.

Port of Export

Stores and handles cargo prior to lading

Georgia Port Authority

C-TPAT Status Verified in Portal

Ocean Carrier

Moves cargo from port to port

Excellent Ocean Carriers

C-TPAT Status Verified in Portal

Transhipment Port

Stores and handles cargo in between vessel movements

Izmir, Turkey

No, but could apply to C-TPAT

Ocean Carrier

Moves cargo from port to port

Mersin Carriers

Not eligible

Port of Entry at Foreign

Location of unlading

Constanta, Romania

No, but could apply to AEO. Romanian client asked to conduct outreach and encourage membership.

Foreign Broker

Files import documentation at destination

Torenescu Brothers

No, but could apply to AEO. Romanian client asked to conduct outreach and encourage membership.

Terminal Operator

Handles and stores cargo after unlading

Constanta Government Terminal

No, but could apply to AEO. Romanian client asked to conduct outreach and encourage membership.

Foreign Drayage

Trucks cargo from ocean terminal to destination

Ponta Transport

Not eligible, completed security questionnaire for this year on file

Foreign Consignee

This is our client.

Basescu Importers

AEO Certified, Certificate on file in Document Exchange U.S. CUSTOMS AND BORDER PROTECTION

Chapter Five â&#x20AC;&#x201D; Foreign Manufacturers and U.S. Exporters

FOREIGN MANUFACTURERS AND U.S. EXPORTERS

39 39


U.S. CUSTOMS AND BORDER PROTECTION


41

U.S. CUSTOMS AND BORDER PROTECTION


U.S. Customs and Border Protection Office of Field Operations C-TPAT Program 1300 Pennsylvania Avenue, NW Washington, DC 20229 (202) 344-1180 industry.partnership@dhs.gov Please visit the CBP and C-TPAT Web sites at www.cbp.gov www.cbp.gov/ctpat CBP Publication No. 0206-0814 August 2014

C-TPAT  

c-tpat, Customs Trade Partnership Against Terrorism, c-tpat training, c-tpat manual support, c-tpat audit, c-tpat risk, clement key, c-tpat...

C-TPAT  

c-tpat, Customs Trade Partnership Against Terrorism, c-tpat training, c-tpat manual support, c-tpat audit, c-tpat risk, clement key, c-tpat...