Supply Chain Risk Management Standard: A Compilation of Best Practices

Annex F


F. Examples of Elements of Supply-Chain Security Contract Language for External and Third-Party Logistics Service Providers

A. For those goods which are distributed, handled, warehoused, transported, or shipped by Service Provider to (your company), Service Provider agrees to:

  1. Comply with the provisions of this section. For purposes of this section, external and third-party logistics providers means any outsourced Service Provider that provides services (e.g., distribution, handling, warehousing, transportation, or shipping) for (your company) shipments.

  2. Ensure that Subcontractors comply with the terms of this section and should include these terms and conditions in any Subcontractor contracts. For purposes of this section, Subcontractors should be defined as those sub-tier service providers of Service Provider which are involved in the distribution, handling, warehousing, transportation, and shipping of (your company) shipments (including but not limited to freight forwarders, third-party logistics companies, packagers, and local trucking/transport companies).

  3. Be responsible for any breach of this section by its Subcontractors.

B. Supply Chain Security Compliance: Service Provider should ensure that all Service Provider and applicable Subcontractor facilities involved in the distribution, handling, warehousing, transporting, or shipping of (your company) goods meet all security standards documented below and all applicable local regulations. Service Provider should maintain certification in an official supply chain security program (C-TPAT, AEO, etc.) and comply with those respective security standards throughout the period of this Agreement. Service Provider's loss of certification or failure to sustain appropriate security standards or breach of this section will be grounds for termination of this Agreement.

C. Supply Chain Security Program Status: Prior to execution of this Agreement, Service Provider will send a letter verifying its supply chain security certification in any official program in which it participates. Service Provider will immediately notify (your company) of any change to its certification status.

If not certified, Service Provider should complete a Security Questionnaire to confirm that its procedures and security measures comply with minimum supply chain security criteria. Service Provider will send copies of the aforementioned Security Questionnaire to (your company).

D. C-TPAT Certification: Service Provider agrees to use certified Subcontractors to the extent available. In the absence of a certified Subcontractor, Service Provider may use companies (including local cartage companies) that have agreed in writing to follow these supply chain security guidelines and will promptly notify (your company) of such usage. If no certified transport and handling providers or companies that have agreed to follow these security guidelines are available to move (your company) shipments, Service Provider will contact (your company) immediately for direction.

E. Service Provider will maintain adequate security controls and procedures as further described in this section.

  1. Supply Chain Security Program: Service Provider is encouraged to participate in and will advise (your company) of its participation in national supply chain security programs including, but not limited to, Partners in Protection (“PIP”) and Authorized Economic Operator (“AEO”) and should list the countries and extent of participation. Service Provider should provide prompt notice of any changes to its supply chain security program status.

  2. Service Provider Subcontractor Selection Process: Service Provider should have documented processes for the selection of its Subcontractors. The process should ensure that such Subcontractors maintain adequate security controls and procedures.

  3. Physical Security: Facilities should be protected against unauthorized access including but not limited to cargo handling and storage facilities which should have physical security deterrents.

  4. Access controls: Prevent unauthorized entry into facilities using access controls which may include but are not limited to badge readers, locks, key cards, or security personnel.

    • Positively identify all persons at all points of entry to facilities.

    • Maintain adequate controls for the issuance and removal of employee, visitor, and vendor identification badges, if utilized.

    • Upon arrival, photo identification should be required for all non-employee visitors.

  5. Personnel Security and Verification: Screen prospective persons working on behalf of the organization consistent with local regulations. Verify employment application information prior to employment.

  6. Ocean Container and Truck Trailer Security: Maintain container and trailer security to protect against the introduction of unauthorized material and/or persons into shipments. In the event containers are stuffed, inspections should be made of all ocean containers or truck trailers prior to stuffing, including but not limited to the inspection of the reliability of the locking mechanisms of all doors.

    • Ocean Container and Truck Trailer Seals: Properly seal and secure shipping containers and trailers at the point of stuffing. Affix a high security seal to all access doors on truck trailers and ocean containers. Such seals should meet or exceed the current PAS ISO 17712 standard for high security seals.

    • Ocean Container and Truck Trailer Storage: Empty or stuffed ocean containers and truck trailers should be stored in a secure area to prevent unauthorized access and/or manipulation.

  7. Information Technology (IT) Security: Maintain IT security measures to ensure all automated systems are protected from unauthorized access.

    • Use individually assigned accounts that require a periodic change of password for all automated systems.

    • Maintain a system to identify the abuse of IT resources, including but not limited to improper access, tampering, or altering of business data and discipline of violators.

  8. Procedural Security: Maintain, document, implement, and communicate the following security procedures to ensure the security measures in this clause are followed and should include procedures:

    • For the issuance, removal, and changing of access devices.

    • To identify and challenge unauthorized or unidentified persons.

    • To remove identification, facility, and system access for terminated individuals.

    • For IT security and standards.

    • To verify application information for potential persons working on behalf of the organization.

    • For persons working on behalf of the organization to report security incidents and/or suspicious behavior.

    • For the inspection of ocean containers or truck trailers prior to stuffing.

    • To control, manage, and record the issuance and use of high security bolt seals for ocean containers and truck trailers. Such procedures should stipulate how seals are to be controlled and affixed to loaded containers and should include procedures for recognizing and reporting compromised seals or containers to Customs or the appropriate authority and (your company).

  9. Security Awareness Program: A Security Awareness Program will be implemented by Service Provider and provided to persons working on behalf of the organization including awareness and understanding of the supply chain security program, recognizing internal conspiracies, maintaining cargo integrity, and determining and addressing unauthorized access. The Security Awareness Program should encourage active participation in security controls. Service Provider should ensure that key personnel receive regular training which should be no less than once per year on security procedures and requirements. Service Provider should submit evidence of such Security Awareness training upon request.

F. Questionnaire: Service Provider will, upon request, complete a Supply Chain Security Questionnaire provided to Service Provider by (your company).

G. Detailed Mapping: Service Provider will, upon request, promptly provide a detailed mapping for planned routings and any Subcontractors involved in the transport of (your company) shipments.

H. Site Visits: Service Provider and its subcontractors should be subject to periodic site visits during normal operating hours to confirm compliance with supply chain security standards.

I. Breach of Security: Service Provider and its subcontractors should immediately notify (your company) of any actual or suspected breach of security involving (your company) cargo. This may include cargo theft, tampering, unauthorized access, or other activities that involve suspicious actions or circumstances related to (your company) cargo.
