Q:

We use a business partner that is already C-TPAT certified and validated. We have requested and obtained Status Verification Interface number(s) and/or Web Portal ID tokens to confirm their C-TPAT status. Is there anything else we must do to ensure this business partner is C-TPAT compliant?

A:

No. If a business partner has been certified and validated in C-TPAT, you do not need to obtain further information from that partner in terms of their compliance with C-TPAT security criteria or guidelines. CBP will work directly with that business partner on its supply chain security improvement plan by means of their confidential Supply Chain Security Profile on file with CBP. You should monitor your business partner’s on-going status within C-TPAT to ensure it continues to be certified.

Q:

As an Importer, we are aiming for or have already achieved tiered status within C-TPAT. We already require our business partners to be C-TPAT certified, if eligible. In connection with Tier Three status, should we also require our C-TPAT validated business partners to complete detailed security questionnaires?

A:

No. The C-TPAT program does not require that C-TPAT certified and validated business partners complete security surveys, disclose internal security audit results, or fill-out other questionnaires regarding implementation of the C-TPAT security criteria or guidelines. Such programs may be appropriate for non-C-TPAT business partners, but are not appropriate for C-TPAT certified and validated business partners. C-TPAT members should aim to achieve an open dialogue with all business partners, C-TPAT certified and non-C-TPAT certified alike, on ways to improve supply chain security.

Q:

The Self-Assessments section of the Best Practices Catalog mentions conducting periodic security audits and holding foreign business partners accountable by various means such as conducting unannounced security inspections, hiring a third-party firm to inspect suppliers and conducting risk-based audits. Does this apply to C-TPAT certified and validated business partners?

A:

CBP encourages all business partners to conduct self-assessments. However, where a business partner has already been validated by CBP, it is not a requirement that a C-TPAT member share the results of its self-assessments with other business partners, or complete assessment questionnaires prepared by another C-TPAT business partner. In addition, the Best Practices Catalog is not designed as a master check-list of security practices which must be adopted to achieve tiered-benefit status. From its inception, C-TPAT has recognized the need for flexibility in the adoption of security practices, based on customization to the C-TPAT participant’s business model and based on risk. As such, it is difficult, if not impossible, to reduce the C-TPAT criteria to a checklist of "yes/no" requirements that would apply to all participants in all locations all of the time. Most criteria will logically require a qualified assessment reflecting a layered approach to security, based on risk, in keeping with each C-TPAT member’s Supply Chain Security Profile and continuous improvement plan. C-TPAT members should foster an open dialogue with all business partners, C-TPAT certified and non-certified alike, on ways to enhance supply chain security.