​

Companies can enroll in the Customs-Trade Partnership Against Terrorism (C-TPAT) program, under which they pledge to meet certain security standards in return for smoother sailing through Customs’ security inspections process. But getting accepted into the program isn’t as easy as it used to be, because U.S. Customs and Border Protection officials have issued new security rules that raise the bar.

The new rules, developed over a six-month period, went through five drafts. “The major change is that the ‘shoulds’ went to ‘musts’,” says Barry Wilkins, vice president for Pinkerton’s supply chain security practice.

Three deadlines for meeting the new requirements have been established. In May, importers had to meet container security, physical security, and physical access control criteria. The biggest change in this section was the introduction of a seven-point inspection on containers that importers must perform before loading.

The trouble for shippers could be “convincing their trade partners to actually search the containers to make sure they haven’t been tampered with,” says Sue Ross, an attorney with Rodriguez, O’Donnell, Ross and Fuerst in Los Angeles.

Importers must also supervise the loading of containers and secure them with an ISO-compliant safety lock, such as a bolt seal.

The agency is also recommending that RFID tags be placed inside the containers to tell whether the container is compromised during shipment. That’s called the smart-box approach. The secondary devices are becoming necessities because “it’s not that difficult to take the doors off a container and leave the bolt seal intact,” Ross says.

But there are problems with the smart-box approach. For example, users of the devices have discovered high rates of false positives caused by the rock and roll of a ship in bad weather, Ross says. That has created a huge amount of concern, she says.

A second deadline in late July will require C-TPAT members to strengthen their internal practices for employee background checks, access controls at facilities, and information technology security.

And in September, CTPAT members must ensure that their overseas vendors meet the same security standards. That means member companies must perform assessments of vendor facilities and security procedures and make sure that vendor employees have been adequately scrutinized.

Background checks are especially difficult for businesses to run on employees outside of the UnitedStates, because some countries have no concept of the practice or limit what can be checked. One way to meet the C-TPAT requirements in those situations is to require personal references from applicants and to have multiple investigators verify information.

Small shippers could have more difficulty meeting all of these new requirements than will larger companies because of limited resources and less influence on the supply chain, Ross says.

Not every company takes issue with the tough guidelines, however. “Some companies right from the very beginning took a thorough approach to C-TPAT. They sent out self-assessments, they changed contracts with their vendors, and they went out and actually assessed their vendors’ compliance,” says Wilkins.

Those are likely the larger companies. “Frankly, it’s not surprising because these companies have the most to protect in terms of brand name, integrity, and reputation,” Ross says.

The new standards took effect March 25. Companies applying for enrollment any time after that date must meet those requirements to be admitted into the program. Companies that had applications on file before March 25 do not have to meet the new guidelines to be accepted into the program. Their applications will be judged based on previous guidelines, but they have to come up to the new standards during the three-year validation of their security processes, Ross says.

—By Eric Grasser, assistant editor