CTPAT Minimum Security Criteria Revision

Part One – Security Vision & Responsibility and Cybersecurity

As part of our ongoing coverage of the CTPAT Minimum Security Criteria Revision, the BSI intelligence team, partnered with BSI Senior Supply Chain Risk Consultant Tony Pelli, will be providing detailed reporting and analysis of the revision through a multi-part series in SCREEN. This blog post contains the first parts in the series and covers the new MSC categories “Security Vision and Responsibility” and “Cybersecurity.”

Companies certified under the U.S. Customs and Border Protection’s (CBP) Customs Trade Partnership Against Terrorism (CTPAT) have enjoyed various trade benefits by meeting select security criteria that have remained unchanged for almost the last 15 years. However, noting the changing landscape of threats to supply chains around the world, CBP initiated a review of the Minimum Security

Criteria (MSC) companies need to meet to obtain certification under the CTPAT program. Now, after conducting the review of the MSC in partnership with industry leading professionals, CBP is releasing a new version of the MSC, presenting both prospective and existing certified companies with new criteria for pursuing CTPAT certification and supply chain security.

CBP incorporated the input of supply chain professionals to the MSC revision. Throughout this process, while there were comments related to more prescriptive categories of the revision, such as on physical security, there was likely very little critique concerning “Security Vision and Responsibility,” as it is key to CTPAT.

Security Vision and Responsibility requires that a cross-functional team, including representatives of all relevant departments, help prepare the organization in the event of personnel turnover. “The Security Vision and Responsibility category boils down to management [making the] commitment to maintaining CTPAT certification and all of the maintenance that entails” says BSI Senior Supply Chain Risk Consultant Tony Pelli. Because of the nature of supply chain security, generally, it’s rare for one individual to be able to maintain a company’s CTPAT certification. “Typically, the process involves trade compliance, logistics, supply chain, procurement, and a host of other possible departments such as IT and human resources” says Pelli. Security Vision and Responsibility asks for one entity to bring together elements of the CTPAT certification effort and develop internalized policies and procedures meant for addressing CTPAT criteria.

Prior to the revision, companies were used to gearing up every four years for CTPAT certification or revalidation and not necessarily having an ongoing management commitment or ongoing management of supply chain security in the intervening years between validations. “CTPAT wants to see more structure around the supply chain security program so that it is a year-round, 24-7 endeavor and not an ‘every four years’ endeavor. While this may sound daunting, many companies already have some of these policies and procedures in place” says Pelli. Companies have departments that vet suppliers, vet business partners, and might already audit the security of suppliers and business partners, have pre-determined intervals for auditing, and conduct overall risk assessments. “The CTPAT criteria aligns well with ISO 28000, the supply chain security standard, and ISO structure in general by incorporating planning for security, risk assessment/developing policies procedures/assigning responsibilities, implementing physical safeguards and training for personnel, auditing and checking relevant security protocols when there are changes to the supply chain, and ensuring security in place is still best fit for organization size and shape as the organization grows and develops” says Pelli.

CTPAT asks companies to take individual departments, tasks, and duties with security functions and combine the relevant supply chain security functions from each one into an easily identifiable structure. CTPAT wants to see those disparate roles united into a complete system for security instead of a one-off initiative that develops for the purposes of certification validation. As discussed previously, the overall goal for the Security Vision and Responsibility category is to incorporate CTPAT into day-to-day activities and make those activities more systematic so if someone leaves the company, there is continuity. From the outside, Security Vision and Responsibility may seem like a daunting initiative. The establishment of any sort of new initiative within a company can always seem harrowing; however, most companies likely already have the required pieces and just need to connect and shift them into one cohesive management structure. For example, procurement typically evaluates suppliers when first onboarded, with typical financial and quality checks. With the CTPAT revision, procurement would potentially also incorporate security into those onboarding checks, slightly modifying the role of procurement to orient it more to CTPAT, and then doing that same modification to roles throughout the company and adding a structure to make it clear that those roles are part of an overall supply chain security program.

Cybersecurity is a developing area for supply chain security. The go-to example of the importance of cybersecurity for supply chains is the NotPetya attack that infected container terminals in Rotterdam and Newark with ransomware, causing an estimated $300 million USD in losses to shippers. Cybersecurity is an increasingly important area and it’s an area where some felt that CTPAT had not emphasized enough. The original Minimum Security Criteria had basic cybersecurity provisions, such as requirements to change passwords. The new criteria, however, are much more “beefed up” and prescriptive than the original iteration. Specifically, companies need a written policy for cybersecurity. Thankfully, most companies already have a written cybersecurity policy. In the previous discussion on Security Vision and Responsibility, we highlighted that the major issue was finding the small security components and policies from each department and bringing them together.  For cybersecurity, most companies already have a unified cybersecurity policy, but it will be challenging to discern who within the company is responsible for enforcing that policy and what type or flavor of cybersecurity standards are in place. The IT policies at the corporate level could be different from the IT policies at a facility level and under the new criteria, in conjunction with Security Vision Responsibility, someone will need to identify those policies, examine what standards those policies are based upon, and isolate which elements of each policy corresponds to the new cybersecurity criteria.

CTPAT recommends basing your policies and standards on a NIST Framework for Cybersecurity, a common cybersecurity standard.  However, IT professionals frequently remark that those standards change quickly, not just NIST, but generally any cybersecurity standards.  When internal auditors conduct annual reviews for CTPAT, and companies should be doing annual reviews, Pelli recommends that “auditors should consider the newest cybersecurity standards and evaluate as to whether there are any changes that can be made and pushed out to the supply chain.”

A core element of CTPAT was a requirement to establish an information sharing mechanism with Customs should a violation or incident were to occur. The cybersecurity criteria require that similar mechanism is in place in the event of a cybersecurity breach, moving toward a partnership approach with Customs & Border Protection on cybersecurity which may not have existed before. Pelli says that “Other elements of the cybersecurity category are common best practices such as the ability to monitor the network for unauthorized access or tampering, maintain individually assigned accounts with strong passwords that are frequently changed, ensure personnel with access to core systems use virtual private network (VPN) connections, etc. Many companies already adopt these practices but thinking about these practices when employed through a supply chain adds an additional component since so many companies share systems with vendors and supply chain partners.” An excellent method to ensure cybersecurity throughout the supply chain is to conduct miniature risk assessment and audit of the entire supply chain to determine who within the chain has access to what types of information and then breakdown from there the necessary security practices. For example, if it’s an original equipment manufacturer, they likely have plans or schematics for your products. They may also have shipping information in terms of destinations and if they arrange transportation from their factory, they may have even more specific shipping information.  Doing a quick data audit as to which suppliers could hold what types of information and conducting risk assessments and technology control plans from that standpoint can be extraordinarily beneficial.

The BSI intelligence team asked Mr. Pelli to answer two common questions about the cybersecurity category and give us his thoughts:

“Given the nebulous nature of cybersecurity, is CTPAT moving toward more reporting requirements, i.e. requiring more documentation to prove that cybersecurity standards are met and updated?”

It can be seen how the CTPAT revision is more focused on generating evidence of implementation.  For cybersecurity, that’s an interesting question. If a company makes sure all its suppliers are certified to ISO27001 or adhere to a NIST Framework, then the next question is ‘How do you know?’ they are abiding by the requirements on a day-to-day basis and if there are multiple business units within the supply chain, ‘How do you ensure they adhere to the same standards?’ That’s where the additional information and reporting throughout the supply chain may come into play.  For cybersecurity, the same way a company proves it uses seals on the containers. If you have a copy of the seal number, then you can confirm the seal number. You need to implement an overarching verification mechanism that your suppliers are using your IT security standards to secure their own IT.

“Would that cover all subsidiaries throughout the business?”

Yes, although sometimes it’s just not possible or it’s extremely difficult to ensure that every supplier is complying. That said, there are ways to build that evidence into your supply chain. We talked prior about teams from different departments, so one way you could do that is say procurement requires partners hold CTPAT certification or may also require they be ISO27001 certified or adhere to the NIST standard and build that in as a criterion for purchasing decisions.  A second way is to do risk assessments and map out suppliers, then targeting and auditing the riskiest locations or facilities or targeting and auditing the suppliers that hold the most data or the most sensitive data to the business. Going deeper with those and sticking to the surface level with others. Both of those are approaches that would please CTPAT.

In our next blog post, BSI SCREEN and Mr. Pelli will cover the new “Agriculture” category before moving into a discussion regarding the changes to the other categories such as Physical Security and Conveyance Security.