CTPAT Minimum Security Criteria Revision – Part Two

Part Two – Agricultural Security and Reasons for Revision

As part of our ongoing coverage of the CTPAT Minimum Security Criteria revision, the BSI intelligence team, partnered with BSI Senior Supply Chain Risk Consultant Mr. Tony Pelli, will be providing detailed reporting and analysis of the revision through a multi-part series in SCREEN. This blog post contains the second part in the series and covers the new MSC category “Agricultural Security” as well as a discussion of the fundamental differences between the new and legacy MSC categories, the possible reasoning for instituting these new categories and for conducting the overall MSC revision, and how this revision will impact supply chains globally. For the first part in our series, covering the "Security Vision and Responsibility" and "Cybersecurity" categories, see our "CTPAT MSC Revision - Part One" feature.


Agricultural Security


The agriculture section is a small part of the overall Minimum Security Criteria, but many industry insiders were surprised by its inclusion in the revised criteria given how different the requirement was from the other categories. However, the addition of the Agricultural Security category starts to make sense in the context of how some industries, such as food and pharmaceuticals, view the CTPAT program.

Companies in these industries may believe that they do not derive much additional benefit from the CTPAT program. In addition to CBP, there are several different agencies that can stop and enforce requirements on shipments at the border, such as the U.S. Department of Agriculture (USDA), the Food and Drug Administration (FDA), and the U.S. Fish and Wildlife Service.  A food or pharmaceutical company may ask how CTPAT helps them given that CTPAT certification does not help to avoid a USDA, FDA, or other type of inspection or hold. By including an agriculture category and requirements for CTPAT certification, CBP is driving at alleviating this complaint from the food and pharmaceutical industries in addition to more generally addressing the important problem of agricultural and invasive species contamination.

The inclusion of the Agricultural Security category is also likely an attempt by CBP to align the CTPAT program with other existing trade regulatory programs. Evidence already exists of CBP and other agencies that touch international trade within the U.S. government combining some of the elements that they are looking for within their respective programs or criteria. For example, CBP has piloted doing assessments with TSA. As the new criteria come into play, a very long-term possibility is that there may be more joint USDA-CTPAT or FDA-CTPAT activities enabling faster throughput with multiple agencies. In that spirit, the agriculture CTPAT requirement is related to some of the existing USDA requirements.

In most cases, it should be easy for companies to implement the agriculture requirements. Many companies, especially within the food, food packaging, and pharmaceutical industry, are already meeting these requirements because they must ensure their containers are free from pests, simply from a contamination aspect. For other companies outside these industries, the requirements in the agriculture category are activities that can be integrated into a seven-point container inspection. For example, while doing the inspection, check the corners of the container for pests, sweep out the container, and ensure the container does not have debris or contamination from other people.

Aside from making additions to a seven-point container inspection, another recommendation is incorporating an additional inspection of any wooden pallets. Transportation often damage and wear down wooden pallets, and it is not uncommon in a warehouse to see parts of pallets missing or knocked off. The pallet itself may be structurally sound, but damage allows pests to infiltrate the pallet or hidden mold to build up within the pallet. It is the reason why many pharmaceutical or other industries requiring sterile environments use plastic pallets. Agricultural checks for infiltrations should include searching for soil, manure, seeds, and other plant and animal material. It should be relatively easy to train dockworkers or warehouse workers to include this additional check of pallets as they conduct the seven-point container inspection. A follow-up suggestion is incorporating a policy that if a pallet is damaged, it is discarded. If someone is checking a pallet for damage, they should also check the pallet for insects, such as termites. Companies can also consider acquiring pallets from certain suppliers that use special treatments to the wood that prevent mold and pests. These types of pallets should be stamped with the “wheat stamp,” which indicates it is compliant with the International Standard for Phytosanitary Measures No. 15, an international wood treatment standard. 

The agriculture category has limited requirements in scope but it’s a microcosm of where CBP and CTPAT wants to move in terms of generating overlap with other U.S. government requirements and standards. It’s an interesting category from that perspective, even if it is a relatively minor point in the whole criteria.

The BSI intelligence team asked Mr. Pelli to answer a few common questions about the agricultural security category and give us his thoughts:


“It sounds like the agriculture requirement comes directly out of industry feedback?”

“I do not know if that is the exact causal mechanism, but that would be my guess. I think CBP probably gets pushback because some companies still must deal with the USDA and FDA and so CTPAT seems like an additional layer of requirements. CBP may not be able to do anything about that and so their response is to include it in the criteria, so companies can start incorporating it into their practices and getting credit for it through at least the CTPAT channel. The desired ultimate endpoint would be to have one possible inspection and one possible hold across all relevant agencies.”

 “Are you foreseeing industry pushback on this agriculture category?”

“In the pharmaceutical industry, they must maintain good manufacturing practice, so they already do many of these things. Sterile environments and quality environments are essential for the manufacture of pharmaceuticals and those requirements extend out, by law in Europe and by practice in the United States, to transportation as well. Sterile and hygienic environments are a necessity in these industries, and it is likely that both food and pharmaceutical companies are already fulfilling most of these requirements, but other sectors, such as the fast-moving consumer goods industry, may need to implement new practices.

In my opinion, in terms of something not related to an actual security requirement, this is the most ‘out-there’ requirement. But it is something that may be easily integrated into an existing process that you are required to do anyway, such as a seven-point container inspection, which may be why they included it. It is just the next logical step.”

“It sounds like a health and safety requirement intersecting with security”

“Yes, and for a lot of industries, you want a clean container. In clothing and footwear, for example, there can be mold and contamination, so having a clean and dry container is something they would want to investigate regardless.”


Reasons for Revision


One of the major drivers for the MSC revision is that companies became accustomed to gearing up for re-certification and validation every four years as opposed to having an integrated ongoing commitment to supply chain security in the way that companies should and the way that CBP now expects. There are several excellent tier three certified companies with robust supply chain security teams that are well-staffed, active, and continuously redoing risk assessments and entering said risk assessments into the CTPAT portal every year. However, there are many more companies, several of which are tier two certified, that scramble every four years in preparation for CTPAT recertification and essentially do the minimum on a yearly basis to maintain certification.

CBP is wanting to see more of an ongoing commitment to supply chain security over time, with companies demonstrating that their organization is changing and adapting to new supply chain security challenges based on their individual risk profiles. To run a consistent and continually improving supply chain security apparatus, there needs to be management commitment and a management structure built to adapt to changes in risk and circumstances and push those adaptive measures throughout the entire supply chain. Because of that, in our view, Security Vision and Responsibility is the most important of the new CTPAT categories.

The cybersecurity category is more of a response to CBP’s views on subjects that are posing an increasing risk to supply chains. There have been several excellent examples of attacks that have not necessarily targeted a supply chain but instead greatly impacted a supply chain as many companies were and are not prepared. The cybersecurity category is a direct response to this rising threat. 

The agriculture category lines up with where, in our opinion, CBP and CTPAT would like to take the program over the long-term in terms of integrating inputs and requirements from other government programs, creating overlap with other agencies’ requirements for increased buy-in.

Essentially, there are three different reasons for the three new categories. For Security Vision and Responsibility, to give a more holistic approach to supply chain security and to solve an issue with the existing program.  Cybersecurity is a response to an increasing risk. Agriculture fits with the overall vision of where trade-related programs are moving.

As we move to discuss the changes to the legacy categories such as physical security, physical access controls, personnel security, etc.…many of the changes are simply due to advancements in technology. Cameras that were once quite expensive and difficult to implement are now cheaper and easier to place, allowing more companies to adopt camera technology. While there is still cost, and infrastructure associated with placing cameras is required to be in place, it is a less onerous request than it once was, hence the addition of new camera requirements.

CBP and CTPAT are mandated to an extent to review and improve upon the program, and the organization has felt for some time that this revision was necessary to simply remain current with the advancements in supply chain security. If you look at the past several years, the existence of CTPAT fundamentally changed the way that companies secure their facilities. Cameras did not used to be as common as they are now, logs for facilities were not nearly as widespread, and individual corporate policies and procedures for supply chain security were not nearly as comprehensive, enforced, or dynamic as they are now. CTPAT and its members feel like they have raised the bar for supply chain security globally and raised the baseline for supply chain security expectations for hundreds of thousands of companies in China, Vietnam, and elsewhere. CBP is now able to raise that bar again with this revision.

The difficult question for CTPAT is whether the program can demonstrate that there is additional benefit to certification for smaller companies with smaller supply chains that may not have the scale or ability to implement the revised criteria. Such companies may struggle with the implementation, which may be part of the reason why CTPAT scaled back some of the more prescriptive requirements in the legacy areas from the draft criteria, changing “musts” to “shoulds” and implementing this distinction for the first time.

The BSI intelligence team asked Mr. Pelli about the frequency and broad goals of revising the MSC and to give us his thoughts:


 “Will this revision be stationary for five or ten or fifteen years or can we expect more revisions with greater frequency as technology progresses and circumstances change?”

“CBP is recommending that companies roll out, over the course of 2019 and likely 2020, a phase-in of the MSC criteria. Cybersecurity will likely be the first to be rolled out as it is a pressing need and some companies likely already have some policies in place. The other new categories will likely roll out over time and slowly. It would be great if they were planning to change these categories or requirements in cycles, but it is difficult for them to do so because it would lead to a lot of uncertainty for companies as to which criteria to use for which certification. 

Another key reason to not expect frequent changes is that it takes a long time to get agreement on revisions. CBP/CTPAT worked on this revision for 2-3 years as getting agreement from the advisory boards, companies involved, and others is a time-consuming endeavor, especially because CTPAT is ultimately a voluntary program. The Safe Ports Act says CBP should re-examine CTPAT every year, but it would likely be impossible to do so at this point, especially with over 10,000 companies in the program and the complexity involved with rolling out requirements and garnering agreement on any modifications. Instead, it is more likely that CBP will more strictly enforce the criteria over time. It would make sense from 2020 to 2021 as re-validations come up, CTPAT will be more lenient upfront and then stricter down the line.”

 “One overarching theme of these new categories is that companies are already doing many of these activities and CTPAT is asking them to consolidate, standardize, or put structure around what they’re already doing. Can you give us a preview for how much of that is in play for the legacy categories like physical security?”

“Many aspects appear as ‘should’ instead of ‘must’ in the new criteria. For example, having a pre-alert where the carrier notifies a facility that a specific driver with a particular trailer number is picking up a shipment can be difficult to do in practice, as some shipping companies are tight on capacity and send whoever is available without confirming with the site. While a pre-alert is a good thing to do as an anti-theft measure and just overall awareness regarding your cargo, it is the type of requirement that will require effort to implement. Another possibility discussed was reviews of camera footage and I am not aware of any facilities where they review camera footage for irregularities without cause. It is possible that a company would say that someone is watching the footage live and the question becomes as to whether that counts for CTPAT purposes. If a company has a security guard checking footage occasionally, does that count? All of this is to say that in the legacy categories, it is less focused on requirements that capitalize on what companies are already doing but more focused on requirements that establish the bare minimum versus ‘best practice,’ i.e. what companies ‘must’ do versus what companies ‘should’ do and there is a much larger gap between what companies are already doing in the legacy categories versus the new beefed up requirements in the revision.”

In our next blog post, the BSI intelligence team and Mr. Pelli will cover the revisions made to the legacy categories of physical security and conveyance security before moving into a broader discussion about the future and benefits of CTPAT.