Cargo Security
Partnership Program Grants Importers Reduced Scrutiny with Limited Assurance of Improved Security Gao ID: GAO-05-404 March 11, 2005This report is a publicly available version of our report on the Customs-Trade Partnership Against Terrorism (C-TPAT). The Department of Homeland Security (DHS) designated our original report as Limited Official Use because of the sensitive and specific nature of the information it contained. U.S. Customs and Border Protection (CBP), the DHS bureau responsible for protecting the nation's borders at and between the official ports of entry, has the dual goals of preventing terrorists and terrorist weapons from entering the United States and also facilitating the flow of legitimate trade and travel. Approximately 90 percent of the world's cargo moves by container. Addressing the threat posed by the movement of containerized cargo across U.S. borders has traditionally posed many challenges for CBP, in particular balancing the bureau's border protection functions and trade enforcement mission with its goal of facilitating the flow of cargo and persons into the United States. CBP has said that the large volume of imports and its limited resources make it impossible to physically inspect all oceangoing containers without disrupting the flow of commerce, and it is unrealistic to expect that all containers warrant such inspection. To address its responsibility to improve cargo security while facilitating commerce, CBP employs multiple strategies. Among these strategies, CBP has in place an initiative known as C-TPAT, which aims to secure the flow of goods bound for the United States by developing a strong, voluntary antiterrorism partnership with the trade community. C-TPAT members commit to improving the security of their supply chain (flow of goods from manufacturer to retailer) and develop written security profiles that outline the security measures in place for the company's supply chain. In exchange for this commitment, CBP offers C-TPAT members benefits for participating that may reduce the level of scrutiny given to their shipments, potentially resulting in a reduced number of inspections of their cargo at U.S. borders. The program is promising, but previous work has raised concerns about its management and its ability to achieve its ultimate goal of improved cargo security. Given our past concerns about the program's effectiveness and in light of the program's rapid expansion, we examined selected aspects of the program's operation and management. This report addresses the following issues: (1) What benefits does CBP provide to C-TPAT members? (2) Before providing benefits, what approach does CBP take to determine C-TPAT members' eligibility for them? (3) After providing benefits, how does CBP verify that members have implemented their security measures? and (4) To what extent has CBP developed strategies and related management tools for achieving the program's goals?
In return for committing to making improvements to the security of their shipments by joining the program, C-TPAT members receive a range of benefits that reduce the level of scrutiny CBP provides to their shipments bound for the United States. These benefits may change the risk characterization of their shipments, thereby reducing the probability of extensive documentary and physical inspection. Other benefits include access to FAST lanes on the Canadian and Mexican borders, expedited cargo processing at FAST lanes, and an emphasis on self-policing and self-monitoring of security activities. In addition, CBP grants benefits to C-TPAT members that do not directly affect the level of scrutiny given to their shipments. Before providing benefits, CBP uses a two-pronged approach to assess C-TPAT members. First, CBP has a certification process to review the self-reported information contained in applicants' membership agreements and security profiles. Second, CBP has in place a vetting process to try to assess the compliance with customs laws and regulations and violation history of and intelligence data on importers before granting them benefits. CBP believes that this two-pronged approach provides adequate assurance before granting benefits. However, this approach grants benefits to members before they undergo the validation process. After providing benefits, CBP has a validation process to verify that C-TPAT members' security measures have been implemented and that program benefits should continue. However, we found several weaknesses in the validation process that compromise CBP's ability to provide an actual verification that supply chain security measures in C-TPAT members' security profiles are accurate and are being followed. First, the validation process is not rigorous enough to achieve its stated purpose, which is to ensure that the security procedures outlined in members' security profiles are reliable, accurate, and effective. Related to this, CBP has no written guidelines for its supply chain specialists to indicate what scope of effort is adequate for the validation to ensure that the member's measures are reliable, accurate, and effective. In addition, CBP has not determined the extent to which validations are needed. While CBP has recently completed a strategic plan, we found weaknesses in some of the tools it uses to manage the program that could hinder the bureau in achieving the program's dual goals of securing the flow of goods bound for the United States and facilitating the flow of trade. CBP's new strategic plan appears to provide the bureau with a general framework on which to base key decisions, including key strategic planning elements such as strategic goals, objectives, and strategies. However, CBP still lacks a human capital plan, a fact that has impaired its ability to manage its resources. Furthermore, CBP still has not developed a comprehensive set of performance measures and indicators, including outcome-based measures, to monitor the status of program goals. Finally, the C-TPAT program lacks an effective records management system.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-404, Cargo Security: Partnership Program Grants Importers Reduced Scrutiny with Limited Assurance of Improved Security
This is the accessible text file for GAO report number GAO-05-404
entitled 'Cargo Security: Partnership Program Grants Importers Reduced
Scrutiny with Limited Assurance of Improved Security' which was
released on May 25, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
March 2005:
Cargo Security:
Partnership Program Grants Importers Reduced Scrutiny with Limited
Assurance of Improved Security:
GAO-05-404:
Contents:
Letter:
Results in Brief:
Background:
C-TPAT Benefits Reduce Scrutiny of Shipments:
CBP Grants Benefits before Verification of Security Procedures:
Weaknesses in Process for Verifying Security Procedures:
Incomplete Progress in Addressing Management Weaknesses:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Objectives:
Scope and Methodology:
Data Reliability:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Staff Acknowledgments:
Related GAO Products:
Tables:
Table 1: Roles of Trade Community Members in the Supply Chain:
Table 2: Benefits for C-TPAT Members:
Figures:
Figure 1: CBP's Review Process for C-TPAT Membership:
Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004:
Abbreviations:
ATS: Automated Targeting System:
CBP: Customs and Border Protection:
CSI: Container Security Initiative:
C-TPAT: Customs-Trade Partnership Against Terrorism:
DHS: Department of Homeland Security:
FAST: Free and Secure Trade:
United States Government Accountability Office:
Washington, DC 20548:
March 11, 2005:
The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph Lieberman:
Ranking Minority Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Norm Coleman:
Chairman:
The Honorable Carl Levin:
Ranking Minority Member:
Permanent Subcommittee on Investigations:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable John D. Dingell:
Ranking Minority Member:
Energy and Commerce Committee:
House of Representatives:
This report is a publicly available version of our report on the
Customs-Trade Partnership Against Terrorism (C-TPAT). The Department of
Homeland Security (DHS) designated our original report as Limited
Official Use because of the sensitive and specific nature of the
information it contained.
U.S. Customs and Border Protection (CBP), the DHS bureau responsible
for protecting the nation's borders at and between the official ports
of entry, has the dual goals of preventing terrorists and terrorist
weapons from entering the United States and also facilitating the flow
of legitimate trade and travel. Approximately 90 percent of the world's
cargo moves by container. Addressing the threat posed by the movement
of containerized cargo across U.S. borders has traditionally posed many
challenges for CBP, in particular balancing the bureau's border
protection functions and trade enforcement mission with its goal of
facilitating the flow of cargo and persons into the United States. CBP
has said that the large volume of imports and its limited resources
make it impossible to physically inspect all oceangoing containers
without disrupting the flow of commerce, and it is unrealistic to
expect that all containers warrant such inspection.
To address its responsibility to improve cargo security while
facilitating commerce, CBP employs multiple strategies. Among these
strategies, CBP has in place an initiative known as C-TPAT, which aims
to secure the flow of goods bound for the United States by developing a
strong, voluntary antiterrorism partnership with the trade community. C-
TPAT members commit to improving the security of their supply chain
(flow of goods from manufacturer to retailer) and develop written
security profiles that outline the security measures in place for the
company's supply chain. In exchange for this commitment, CBP offers C-
TPAT members benefits for participating that may reduce the level of
scrutiny given to their shipments, potentially resulting in a reduced
number of inspections of their cargo at U.S. borders.
The program is promising, but previous work has raised concerns about
its management and its ability to achieve its ultimate goal of improved
cargo security. Specifically, in our July 2003 report on this program,
we recommended that the Secretary of Homeland Security work with the
CBP Commissioner to develop (1) a strategic plan that clearly lays out
the program's goals, objectives, and detailed implementation
strategies; (2) performance measures that include outcome-oriented
indicators; and (3) a human capital plan that clearly describes how C-
TPAT will recruit, train, and retain new staff to meet the program's
growing demands as it implements new program elements.[Footnote 1]
Given our past concerns about the program's effectiveness and in light
of the program's rapid expansion, we examined selected aspects of the
program's operation and management. This report addresses the following
issues:
1. What benefits does CBP provide to C-TPAT members?
2. Before providing benefits, what approach does CBP take to determine
C-TPAT members' eligibility for them?
3. After providing benefits, how does CBP verify that members have
implemented their security measures?
4. To what extent has CBP developed strategies and related management
tools for achieving the program's goals?
To address all four objectives, we discussed program operations with
CBP officials in Washington, D.C., with program responsibilities for C-
TPAT and reviewed available data and documentation for the program. To
ascertain the manner in which CBP validates security procedures for
participating companies, we asked CBP to provide us with examples of
participant files, including files of participants with
responsibilities along various parts of the supply chain. While the
files we reviewed were not a representative sample of files, we noted
that in many cases these files were incomplete. We also reviewed CBP's
database for tracking participant status in the program. Initial
reliability testing of this database and interviews of staff with
responsibility for the program led us to conclude that data used to
track participant status had some serious reliability weaknesses.
However, we found the data sufficiently reliable for limited use in
describing the program's status. While we were able to review CBP's
processes, because of the poor condition of member files we were unable
to verify the extent that the bureau followed the processes in
individual cases for individual members. We also examined the status of
the agency's efforts to implement our prior recommendations for the
program.
We conducted our work from February through December 2004 in accordance
with generally accepted government auditing standards. More details
about the scope and methodology of our work are presented in appendix I.
Results in Brief:
In return for committing to making improvements to the security of
their shipments by joining the program, C-TPAT members receive a range
of benefits that reduce the level of scrutiny CBP provides to their
shipments bound for the United States. These benefits may change the
risk characterization of their shipments, thereby reducing the
probability of extensive documentary and physical inspection. Other
benefits include access to FAST lanes on the Canadian and Mexican
borders, expedited cargo processing at FAST lanes, and an emphasis on
self-policing and self-monitoring of security activities.[Footnote 2]
In addition, CBP grants benefits to C-TPAT members that do not directly
affect the level of scrutiny given to their shipments. These additional
benefits include a single point of contact within CBP to serve as a
liaison with the member on issues related to the program, access to the
identities of other companies that have become C-TPAT members, and
eligibility to attend CBP-sponsored antiterrorism training seminars.
Before providing benefits, CBP uses a two-pronged approach to assess C-
TPAT members. First, CBP has a certification process to review the self-
reported information contained in applicants' membership agreements and
security profiles. Second, CBP has in place a vetting process to try to
assess the compliance with customs laws and regulations and violation
history of and intelligence data on importers before granting them
benefits. At the program's inception, CBP began granting benefits to C-
TPAT applicants immediately upon receipt of their agreement to
voluntarily participate in the program without any review of the
security profiles submitted by potential member companies. In February
2004, CBP changed its policy to grant benefits to C-TPAT members only
after CBP's review and certification of their security profiles and
successful completion of the vetting process. CBP believes that this
two-pronged approach provides adequate assurance before granting
benefits. However, this approach grants benefits to members before they
undergo the validation process.
After providing benefits, CBP has a validation process to verify that C-
TPAT members' security measures have been implemented and that program
benefits should continue. However, we found several weaknesses in the
validation process that compromise CBP's ability to provide an actual
verification that supply chain security measures in C-TPAT members'
security profiles are accurate and are being followed. First, the
validation process is not rigorous enough to achieve its stated
purpose, which is to ensure that the security procedures outlined in
members' security profiles are reliable, accurate, and effective. For
example, CBP officials told us that validations are not considered
independent audits, and the objectives, scope, and methodology of
validations are jointly agreed upon with the member company. CBP
officials, as well as our review of case files, indicated that the
validations only examine a few of the security measures outlined in
members' security profiles. Related to this, CBP has no written
guidelines for its supply chain specialists to indicate what scope of
effort is adequate for the validation to ensure that the member's
measures are reliable, accurate, and effective. In addition, CBP has
not determined the extent to which validations are needed. While the
original stated goal of the program was to validate all members within
3 years, CBP decided that it could not do so because of the rapid
growth in membership. In 3 years of C-TPAT operation, CBP has validated
about 10 percent of its certified members. While CBP has given up on
its original goal to validate all members, it has not come up with an
alternative goal for the number or percentage of members that should be
validated. For validations that CBP does conduct, it prioritizes
members for validation based on a variety of factors such as strategic
threat, import volume, and past compliance violations.
While CBP has recently completed a strategic plan, we found weaknesses
in some of the tools it uses to manage the program that could hinder
the bureau in achieving the program's dual goals of securing the flow
of goods bound for the United States and facilitating the flow of
trade. CBP's new strategic plan appears to provide the bureau with a
general framework on which to base key decisions, including key
strategic planning elements such as strategic goals, objectives, and
strategies. However, CBP still lacks a human capital plan, a fact that
has impaired its ability to manage its resources. CBP officials told us
they are in the process of developing an implementation plan that will
address human capital planning elements such as analyzing (1) current
workload, (2) the projected annual growth rate of the program, (3) the
time it takes to complete the average validation, and (4) the number of
validations supply chain specialists can complete annually.
Furthermore, CBP still has not developed a comprehensive set of
performance measures and indicators, including outcome-based measures,
to monitor the status of program goals. CBP officials told us they have
developed some initial measures to capture the program's impact.
Finally, the C-TPAT program lacks an effective records management
system. CBP's record keeping for the program is incomplete, as key
decisions are not always documented and programmatic information is not
updated regularly or accurately. For example, member files we reviewed
contained no documentation of communications between CBP and members
regarding how the scope of a validation was determined, and their
database tracking member status contained errors.
We are making recommendations to the Secretary of the Department of
Homeland Security to direct the U. S. Commissioner of Customs and
Border Protection to improve the program's ability to meet its goals by
providing appropriate guidance to specialists conducting validations,
determining the extent to which members should be validated in lieu of
the original goal to validate all members within 3 years of
certification, and implementing performance measures, a human capital
plan, and a records management system for the program. We provided a
draft of this report to the Secretary of DHS for comment. In its
response, from the Commissioner of U.S. Customs and Border Protection,
CBP generally agreed with our recommendations and cited corrective
actions they either have taken or planned to take.
Notwithstanding its general agreement with our recommendations, CBP
noted that C-TPAT is a voluntary partnership to improve the security of
the United States and not a program to confirm importer compliance with
a regulatory requirement. As such, CBP said our report places too much
emphasis on the validation process without adequately reflecting other
aspects of the program. As a whole, CBP said that as part of its
multilayered approach, C-TPAT identifies companies that take security
seriously, appropriately lowers the risk level of their cargo, and thus
focuses CBP resources on other companies' high-risk cargo, all
consistent with a risk management approach. We believe that having a
multilayered approach to cargo inspection can be effective, provided
that each layer is adequately utilized. Given that C-TPAT members enjoy
benefits that could greatly reduce the likelihood of an inspection of
their cargo, not having full assurance of a reliable, accurate, and
effective validation process potentially weakens the overall
effectiveness of the other control mechanisms in meeting CBP's
fundamental responsibility to ensure security of all cargo entering the
United States. We fully address CBP's comments in the body of the
report.
Background:
CBP maintains two overarching goals: (1) increasing security and (2)
facilitating legitimate trade and travel. Disruptions to the supply
chain could have immediate and significant economic impacts.[Footnote
3] For example, in terms of containers, CBP data indicates that in 2003
about 90 percent of the world's cargo moved by container.[Footnote 4]
In the United States, almost half of all incoming trade (by value)
arrived by containers on board ships. Almost 7 million cargo containers
arrive and are offloaded at U.S. seaports each year. Additionally,
containers arrive via truck and rail. Therefore, it is vital for CBP to
try to strike a balance between its antiterrorism efforts and
facilitating the flow of legitimate international trade and travel.
Vulnerability of the Supply Chain:
The terrorist events of September 11, 2001, raised concerns about
company supply chains, particularly oceangoing cargo containers,
potentially being used to move weapons of mass destruction to the
United States. An extensive body of work on this subject by the Federal
Bureau of Investigation and academic, think tank, and business
organizations concluded that while the likelihood of such use of
containers is considered low, the movement of oceangoing containerized
cargo is vulnerable to some form of terrorist action. Such action,
including attempts to smuggle either fully assembled weapons of mass
destruction or their individual components, could lead to widespread
death and damage.
The supply chain is particularly vulnerable to potential terrorists
because of the number of individual companies handling and moving cargo
through it. To move a container from production facilities overseas to
distribution points in the United States, an importer has multiple
options regarding the logistical process, such as routes and the
selection of freight carriers. For example, some importers might own
and operate key aspects of the overseas supply chain process, such as
warehousing and trucking operations. Alternatively, importers might
contract with logistical service providers, including freight
consolidators and nonvessel-operating common carriers. In addition,
importers must choose among various modes of transportation to use,
such as rail, truck, or barge, to move containers from the
manufacturer's warehouse to the port of lading. As shown in table 1,
there are many players in the trade community, each with a role in the
supply chain.
Table 1: Roles of Trade Community Members in the Supply Chain:
Trade community member: Air/rail/sea carriers;
Role in the supply chain: Carriers transport cargo via air, rail, or
sea.
Trade community member: Border highway carriers;
Role in the supply chain: Highway carriers transport cargo for
scheduled and unscheduled operations via road across the Canadian and
Mexican borders.
Trade community member: Importers;
Role in the supply chain: Importers, in the course of trade, bring
articles of trade from a foreign source into a domestic market.
Trade community member: Licensed customs brokers;
Role in the supply chain: Brokers clear goods through customs. The
responsibilities of a broker include preparing the entry form and
filing it, advising the importer on duties to be paid, and arranging
for delivery to the importer.
Trade community member: Freight consolidators/ocean transportation
intermediaries and nonvessel-operating common carriers;
Role in the supply chain: A freight consolidator is a firm that accepts
partial container shipments from individual shippers and combines the
shipments into a single container for delivery to the carrier. A
transportation intermediary facilitates transactions by bringing buyers
and sellers together. A nonvessel-operating common carrier is a company
that buys shipping space, through a special arrangement with an ocean
carrier, and resells the space to individual shippers.
Trade community member: Port authorities/terminal operators;
Role in the supply chain: A port authority is an entity of state or
local government that owns, operates, or otherwise provides wharf,
dock, and other marine terminal investments at ports. Terminal operator
responsibilities include the overseeing and unloading of cargo from
ship to dock, checking the actual cargo against the ship's manifest
(list of goods), checking documents authorizing a truck to pick up
cargo, overseeing the loading and unloading of railroad cars, and so
forth.
Source: GAO.
[End of table]
According to research initiated by the U.S. Department of
Transportation's Volpe National Transportation Systems Center,
importers who own and operate the entire supply chain route from start
to finish suffer fewer security breaches than others because they have
greater control over their supply chains.[Footnote 5] However,
relatively few importers own and operate all key aspects of the cargo
container transportation process, relying instead on second parties to
move containerized cargo and prepare various transportation documents.
CBP's Layered Enforcement Strategy:
CBP has implemented a layered enforcement strategy to prevent
terrorists and weapons of mass destruction from entering the United
States through the supply chain.[Footnote 6] A key element of this
strategy is CBP's targeting and inspection of cargo that arrives at
U.S. ports. For all arriving cargo containers, CBP uses a targeting
strategy that employs its computerized targeting model, the Automated
Targeting System (ATS). CBP uses ATS to review container documentation
and help select, or target, shipments for additional documentary review
or physical inspection. ATS is operated by CBP's National Targeting
Center and is characterized by CBP as an expert system that uses
hundreds of targeting rules to check available data for every arriving
container, assigning a risk characterization to each container. The
risk characterization helps to determine the type and level of scrutiny
a container will receive. For example, CBP could review the container's
bill of lading, examine the container with nonintrusive inspection
equipment (that is, X-ray), or physically open the container. The
extent of review varies, since according to CBP, the large volume of
imports and CBP's limited resources make it impossible to physically
inspect all containers without disrupting the flow of commerce.
Initiated in November 2001, C-TPAT is another element of CBP's layered
enforcement strategy. C-TPAT is a voluntary program designed to improve
the security of the international supply chain while maintaining an
efficient flow of goods. Under C-TPAT, CBP officials work in
partnership with private companies to review their supply chain
security plans to improve members' overall security. In return for
committing to making improvements to the security of their shipments by
joining the program, C-TPAT members may receive benefits that result in
reduced scrutiny of their shipments (e.g., reduced number of
inspections or shorter border wait times for their shipments). C-TPAT
membership is open to U.S.-based companies in the trade community,
including (1) air/rail/sea carriers, (2) border highway carriers, (3)
importers, (4) licensed customs brokers, (5) air freight consolidators
and ocean transportation intermediaries and nonvessel-operating common
carriers, and (6) port authorities or terminal operators.[Footnote 7]
According to CBP officials, program membership has grown rapidly, and
continued growth is expected, especially as member importers are
requiring their suppliers to become C-TPAT members. For example, as of
January 2003 approximately 1,700 companies had become C-TPAT members.
By May 2003, the number had nearly doubled to 3,355. According to CBP
officials, as of November 2004, the C-TPAT program had 7,312 members.
For fiscal year 2004, the C-TPAT budget was about $18 million, with a
requested budget for fiscal year 2005 of about $38 million for program
expansion efforts. As of August 2004, CBP had hired 40 supply chain
specialists, who are dedicated to serve as the principal advisers and
primary points of contact for C-TPAT members.[Footnote 8] The
specialists are located in Washington, D.C., Miami, Florida, Los
Angeles, California, and New York, New York.
CBP has a multistep review process for the C-TPAT program. As figure 1
shows, applicants first submit signed C-TPAT agreements affirming their
desire to participate in the voluntary program. Applicants must also
submit security profiles--executive summaries of their company's
existing supply chain security procedures--that follow guidelines
jointly developed by CBP and the trade community. These security
profiles are to summarize the applicant's current security procedures
in areas such as physical security, personnel security, and education
and training awareness.[Footnote 9] CBP established a certification
process in which it reviews the applications and profiles by comparing
their contents with the security guidelines jointly developed by CBP
and the industry, looking for any weaknesses or gaps in the
descriptions of security procedures. Once any issues are resolved to
CBP's satisfaction, CBP signs the agreement and the company is
considered to be a certified C-TPAT member, eligible for program
benefits. Members that are not importers begin receiving benefits at
this point, but members that are importers must undergo another layer
of review, as described below. CBP encourages members to conduct self-
assessments of their security profiles each year to determine any
significant changes and to notify CBP. For example, members may be
using new suppliers or new trucking companies and would need to update
their security profiles to reflect these changes.
Figure 1: CBP's Review Process for C-TPAT Membership:
[See PDF for image]
[End of figure]
For certified importers, CBP has an additional layer of review called
the vetting process in which CBP reviews information about an
importer's compliance with customs laws and regulations and violation
history. CBP requires the vetting process for certified importers as a
condition of granting them key program benefits. As part of the vetting
process, CBP obtains trade compliance and intelligence information on
certified importers from several data sources. If CBP gives the
importer a favorable review, benefits are to begin within a few weeks.
If not, benefits are not to be granted until successful completion of
the validation process (see below).
The final step in the review process is validation. CBP's stated
purpose for validations is to ensure that the security measures
outlined in certified members' security profiles and periodic self-
assessments are reliable, accurate, and effective. In the validation
process, CBP staff meet with company representatives to verify the
supply chain security measures contained in the company's security
profile. The validation process is designed to include visits to the
company's domestic and, potentially, foreign sites. The member and CBP
jointly determine which elements of the member's supply chain measures
will be validated, as well as which locations will be visited. Upon
completion of the validation process, CBP prepares a final validation
report it presents to the company that identifies any areas that need
improvement and suggested corrective actions, as well as a
determination if program benefits are still warranted for the member.
We have conducted previous reviews of the C-TPAT program and CBP's
targeting and inspection strategy. In July 2003, we reported that CBP's
management of C-TPAT had not evolved from a short-term focus to a long-
term strategic approach.[Footnote 10] We recommended that the Secretary
of Homeland Security work with the CBP Commissioner to develop (1) a
strategic plan that clearly lays out the program's goals, objectives,
and detailed implementation strategies; (2) performance measures that
include outcome-oriented indicators; and (3) a human capital plan that
clearly describes how C-TPAT will recruit, train, and retain new staff
to meet the program's growing demands as it implements new program
elements. In March 2004, we testified that CBP's targeting system does
not incorporate all key elements of a risk management framework and
recognized modeling practices in assessing the risks posed by
oceangoing cargo containers.[Footnote 11]
C-TPAT Benefits Reduce Scrutiny of Shipments:
CBP officials cite numerous benefits to C-TPAT members. As table 2
shows, these benefits may reduce the scrutiny of members' shipments.
These benefits are emphasized to the trade community through direct
marketing in presentations and via CBP's Web site. Although these
benefits potentially reduce the likelihood of inspection of members'
shipments, CBP officials noted that all shipments entering the United
States are subject to random inspections by CBP officials or
inspections by other agencies.
Table 2: Benefits for C-TPAT Members:
Benefit: A reduced number of inspections and reduced border wait times;
Reduces amount of scrutiny provided for members? Yes.
Benefit: Reduced selection rate for trade-related compliance
examinations;
Reduces amount of scrutiny provided for members? Yes.
Benefit: Self-policing and self-monitoring of security activities;
Reduces amount of scrutiny provided for members? Yes.
Benefit: Access to the expedited cargo processing at designated FAST
lanes (for certified highway carriers and certified importers along the
Canadian and Mexican borders, as well as for certified Mexican
manufacturers); Reduces amount of scrutiny provided for members? Yes.
Benefit: Eligible for the Importer Self-Assessment Program and has
priority access to participate in other selected customs programs (for
certified importers only);
Reduces amount of scrutiny provided for members? Yes.
Benefit: A C-TPAT supply chain specialist to serve as the CBP liaison
for validations;
Reduces amount of scrutiny provided for members? No.
Benefit: Access to the C-TPAT members list;
Reduces amount of scrutiny provided for members? No.
Benefit: Eligible to attend CBP-sponsored antiterrorism training
seminars;
Reduces amount of scrutiny provided for members? No.
Source: CBP's C-TPAT Strategic Plan, January 2005.
[End of table]
CBP Grants Benefits before Verification of Security Procedures:
CBP has in place a two-pronged process to review members'
qualifications for program benefits. First, CBP has a certification
process to review the applications and security profiles submitted by
applicants for any weaknesses or gaps in security procedures. CBP
officials told us that during the certification process, it compares
the members' security profiles against the C-TPAT security guidelines.
Under the process, if there are any missing or unclear items, CBP is
supposed to contact the member for clarification of those items. If the
issues are resolved, CBP considers the member to be certified. However,
if CBP determines that the security profiles contain weaknesses, CBP is
not supposed to certify the member. According to CBP, approximately 20
percent of applications are not immediately certified because of
initial shortcomings with the security profiles. However, CBP has
stated that a company will not be rejected from participating in C-TPAT
if there are problems with its security profile. Instead, CBP says it
will work with companies to try to resolve and overcome any
deficiencies with the profile itself.
Second, CBP has in place a vetting process to assess the compliance and
violation history of importers before granting them benefits. If, in
conducting the vetting process, CBP finds no prior negative compliance,
violation, or intelligence information, it grants certified importers
program benefits. According to CBP, to date most certified members who
have been vetted have proven to have favorable or neutral importing
histories. CBP officials told us that not many members have been denied
benefits.
At the program's inception in November 2001, CBP began granting
benefits to applicants upon receipt of their application for C-TPAT
membership without any review of the applicants' paperwork. In February
2004, CBP changed its policy to retroactively delay granting the
benefits until after CBP reviewed and certified applicants' security
profiles and completed the vetting process. By providing incentives to
members to implement certain security measures and performing various
levels of checks on these measures, the C-TPAT program aims to
encourage the reduction of vulnerability throughout the supply chain.
CBP established a certification process in which it reviews the
applications and profiles by comparing their contents with the security
guidelines jointly developed by CBP and the industry, looking for any
weaknesses or gaps in the descriptions of security procedures. The
vetting process, which is required for importers eligible to receive
benefits, augments the certification process by providing information
about past compliance and violations, which CBP officials told us may
suggest whether members' security practices have historically been
effective at reducing vulnerability to exploitation. In addition, the
vetting process may disclose threat concerns by pulling in information
contained in intelligence databases. Ultimately, however, neither the
certification nor vetting process provides an actual verification that
the supply chain security measures contained in the C-TPAT member's
security profile are accurate and are being followed before CBP grants
the member benefits. A direct examination of selected members security
procedures is conducted later as part of CBP's validation process, as
discussed below.
Weaknesses in Process for Verifying Security Procedures:
After providing benefits, CBP has a validation process to verify C-TPAT
members' security measures have been implemented and that program
benefits should continue. However, we found weaknesses in the
validation process in that CBP has not taken a rigorous approach to
conducting validations and has not determined the extent to which
validations are needed. These weaknesses limit the bureau's ability to
ensure that the program supports the prevention of terrorists and
terrorist weapons from entering the United States.
Validation Process Lacks Rigor to Achieve Stated Purpose:
CBP's validation process is not rigorous enough to achieve its stated
purpose, which is to ensure that the security procedures outlined in
members' security profiles are reliable, accurate, and effective. While
C-TPAT's stated purpose for validations is to ensure that the member's
security measures are reliable, accurate, and effective, CBP officials
told us that validations are not considered independent audits and the
objectives, scope, and methodology of validations are jointly agreed
upon with the member representatives. CBP has indicated that it does
not intend for the validation process to be an exhaustive review of
every security measure at each originating location; rather it selects
specific facets of the members' security profiles to review for their
reliability, accuracy, and effectiveness. For example, the guidance to
ocean carriers for preparing a security profile directs the carriers to
address, at a minimum, three broad areas (security program, personnel
security, and service provider requirements), which contain several
more specific security measures, such as facilities security and pre-
employment screening. According to CBP officials, as well as our review
of selected case files, validations only examine a few facets of
members' security profiles. CBP supply chain specialists, who are
responsible for conducting most of the validations, are supposed to
individually determine which segments of a company's supply chain
security will be suggested to the member for validation. To assist in
this decision, supply chain specialists are supposed to compare a
company's security profile, as well as any self-assessments or other
company materials or information retrievable in national databases,
against the C-TPAT security guidelines to determine which elements of
the profile will be validated. Once the supply chain specialist
determines the level and focus of the validation, the specialist is
supposed to contact the member company with a potential agenda for the
validation. The two parties then jointly reach agreement on which
security elements will be reviewed and which locations will be visited.
CBP has no written guidelines for its supply chain specialist to
indicate what scope of effort is adequate for the validation to ensure
that the member's security measures are reliable, accurate, and
effective, in part because it seeks to emphasize the partnership nature
of the program. Importantly, CBP has no baseline standard for what
minimally constitutes a validation. CBP discourages supply chain
specialists from developing a set checklist of items to address during
the validation, as CBP does not want to give the appearance of
conducting an audit. In addition, as discussed later in the management
section of this report, the validation reports we reviewed did not
consistently document how the elements of members' security profiles
were selected for validation.
CBP Has Not Determined the Extent to Which Validations Are Needed:
CBP has not determined the extent to which it must conduct validations
of members' security profiles to ensure that the operation of C-TPAT is
consistent with its overall approach to managing risk. In 3 years of C-
TPAT operation, CBP has validated about 10 percent of its certified
members. CBP's original goal was to validate all certified members
within 3 years of certification. However, CBP officials told us that
because of rapid growth in program membership, it would not be possible
to meet this goal. In February 2004, CBP indicated that approximately
5,700 companies had submitted signed agreements to participate in the
program. As shown in figure 2, by November 2004, the number of members
had grown to over 7,000, about 4,200 of which had been certified and
thus eligible for validation. According to CBP, as of November 2004,
CBP staff had completed validations of 409 companies, including 147
importers.
Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004:
[See PDF for image]
[End of figure]
CBP has made efforts to hire additional supply chain specialists to
handle validations for the growing membership. As of August 2004, CBP
had hired a total of 40 supply chain specialists to conduct
validations, with 24 field office managers also available to conduct
validations. CBP officials told us the bureau is currently conducting
as many validations as its resources allow. However, CBP has not
determined the number of supply chain specialists it needs or the
extent to which validations are needed to provide reasonable assurance
that it is employing a good risk management approach for the program.
CBP Considers Variety of Factors to Prioritize Validations:
As noted above, CBP officials told us it would not be possible to meet
the goal of validating every member within 3 years of certification.
Instead, CBP is using what it calls a risk-based approach, which
considers a variety of factors to prioritize which members should be
validated as resources allow. CBP has an internal selection process it
is supposed to apply to all certified members. Under this process CBP
officials are supposed to prioritize members for validation based on
established criteria but may also consider other factors.
CBP officials noted that other factors could affect the prioritization
of members for validation. For example, recent seizures involving C-
TPAT members can affect validation priorities. If a member is involved
in a seizure, CBP officials noted that the member is supposed to lose
program benefits and be given top priority for a validation. In
addition, CBP officials told us that an importer that failed CBP's
vetting process would also be given top priority for a validation. CBP
officials have taken this approach because any importer that fails the
vetting process is not supposed to receive program benefits until after
successful completion of the validation process.
In August 2004, CBP began using a risk assessment tool developed for
CBP's regulatory audits to assist in its prioritization of importers
for validation. This tool ranks importers by risk according to factors
such as value of imports, import volume, and method of transportation
used by the importer for its goods.[Footnote 12] CBP tailored the tool
to consider only those factors it deemed relevant to C-TPAT. Applying
the tool with this revised set of factors, CBP officials told us they
produced a list that ranked each certified importer according to its
risk. However, these ranked importers are then re-evaluated, along with
members from other trade sectors, using CBP's internal selection
process criteria. CBP officials told us that the human element provided
by their internal selection process was important in prioritizing
members for validation.
Incomplete Progress in Addressing Management Weaknesses:
CBP continues to expand the C-TPAT program without addressing
management weaknesses that could hinder the bureau from achieving the
program's dual goals of securing the flow of goods bound for the United
States and facilitating the flow of trade. In our July 2003 report, we
recommended that the Secretary of Homeland Security work with the CBP
Commissioner to develop (1) a strategic plan that clearly lays out the
program's goals, objectives, and detailed implementation strategies;
(2) a human capital plan that clearly describes how C-TPAT will
recruit, train, and retain new staff to meet the program's growing
demands as it implements new program elements; and (3) performance
measures that include outcome-oriented indicators. While CBP agreed
with our July 2003 recommendations, to date only one of them--the
development of a strategic plan--has been implemented. According to
CBP, the bureau is continuing to work on the July 2003 recommendations,
which are in different stages of review.
CBP Has Finalized Its Strategic Plan:
While a draft of this report was with DHS for comment, CBP issued a
final strategic plan for C-TPAT on January 13, 2005. Our brief review
of this plan indicates that it appears to clearly articulate the goals
of the program, their relationship to broader CBP goals, and strategies
for achieving them. For example, according to the plan there are five
goals for the C-TPAT program:
1. ensure that C-TPAT partners improve the security of their supply
chains pursuant to C-TPAT security criteria,
2. provide incentives and benefits to include expedited processing of C-
TPAT shipments to C-TPAT partners,
3. internationalize the core principles of C-TPAT through cooperation
and coordination with the international community,
4. support other CBP security and facilitation initiatives, and:
5. improve administration of the C-TPAT program.
While we have not fully reviewed the strategic plan, it is a step in
the right direction, and we encourage CBP to ensure that future plans
include all of the key elements of a strategic plan as described in the
Government Performance and Results Act of 1993. Specifically, the
formal strategic plan should include a description of performance goals
and how they are related to the general goals and objectives of the
program, as well as a description of program evaluations, which are
useful for identifying key factors likely to affect program
performance.
CBP Has Not Completed a Human Capital Plan:
As a companion to developing a strategic plan for C-TPAT, CBP is
developing an implementation plan to address the lower-level strategies
for carrying out the program's goals. CBP told us it is still
developing the implementation plan for the program but that it will
include those elements required in a human capital plan. For example,
CBP said it has developed new positions, training programs and
materials, and a staffing plan. Further, CBP said the C-TPAT program
will continue to refine all aspects of its human capital plan to
include headquarters personnel, additional training requirements,
budget, and future personnel profiles.
CBP Has Not Completed Development of Performance Measures:
CBP has told us that it continues developing a comprehensive set of
performance measures and indicators for C-TPAT. In support of the
department's Future Years Homeland Security Program, CBP officials told
us has identified 21 budget subactivities (programs, including C-TPAT)
and has been tasked to develop two performance measures for each: (1) a
main measure that would reflect program outcomes and (2) an efficiency
measure that would reflect time or cost savings achieved through the
program. CBP's Director, Strategic Planning and Audit Division, Office
of Policy and Planning, noted that developing these measures for C-
TPAT, as well as other programs in the bureau, has been difficult. The
director noted that CBP lacks data necessary to exhibit whether a
program has prevented or deterred terrorist activity. For example, as
noted in the C-TPAT strategic plan, it is difficult to measure program
effectiveness in terms of deterrence because generally the direct
impact on unlawful activity is unknown. The plan also notes that while
traditional workload measures are a valuable indicator, they do not
necessarily reflect the success or failure of the bureau's efforts. CBP
is working to collect more substantive information--related to C-TPAT
activities (i.e., current workflow process)--to develop its performance
measures. In commenting on a draft of this report, CBP indicated it has
developed initial measures for the program but will continue to develop
and refine these measures to ensure program success.
CBP's Records Management Practices for C-TPAT Are Inadequate:
CBP's record keeping for the program is incomplete, as key decisions
are not always documented and programmatic information is not updated
regularly or accurately. Federal regulations require that bureau record-
keeping procedures provide documentation to facilitate review by
Congress and other authorized agencies of government. Further,
standards for internal control in the federal government require that
all transactions be clearly documented in a manner that is complete,
accurate, and useful to managers and others involved in evaluating
operations.
To get a better understanding of the validation process, we asked CBP
to provide us with examples of company files for which validations had
been completed. CBP selected six members' files for us to review for
some of the initial validations the bureau conducted. During our
review, it was not always clear what aspect of the security profile was
being validated and why a particular site was selected at which to
conduct the validation because there was not always documentation of
the decision-making process. The aspects of the security profiles
covered and sites visited did not always appear to be the most
relevant. For example, one validation report we reviewed for a major
retailer--one that imports the vast majority of its goods from Asia--
indicated that the validation team reviewed facilities in Central
America. CBP officials noted that it recently revised its validation
report format to better capture any justification for report
recommendations and best practices identified. CBP then provided us
with eight additional member files with more recently completed
validation reports. After reviewing the more recent validation reports
contained in these files, we noted that there appeared to be a greater
discussion related to the rationale for validating specific aspects of
the security profiles. However, these files did not consistently
contain other documentation of members' application, certification,
vetting, receipt of benefits, or validation. While files contained some
of these elements, they were generally not complete. In fact, most
files did not usually contain anything beyond copies of the member's C-
TPAT agreement, security profiles, and validation report. When we asked
if CBP required its supply chain specialists to document their
communications with C-TPAT members, CBP officials told us there has
been no requirement that communications be documented. For example,
member files we reviewed contained no documentation of communications
between CBP and members regarding how the scope of a validation was
determined. Recently, supply chain specialists located at CBP
headquarters (but not at field offices) have been asked to document all
conversations with member companies on a spreadsheet, so that each
supply chain specialist will be aware of the outcomes of conversations
with member companies.
CBP does not update programmatic information regularly or accurately.
In particular, the reliability of CBP's database to track member status
using key dates in the application through validation processes is
questionable. The database, which is primarily used for documentation
management and workflow tracking, is not updated on a regular basis. In
addition, C-TPAT management told us that earlier data entered into the
database may not be accurate, and CBP has taken no systematic look at
the reliability of the database. CBP officials also told us that there
are no written guidelines for who should enter information into the
database or how frequently the database should be updated. We made
several requests over a period of weeks to review the contents of the
database to analyze workload factors, including the amount of time that
each step in the C-TPAT application and review process was taking. The
database information that CBP ultimately provided to us was incomplete,
as many of the data fields were missing or inaccurate. For example,
more than 33 percent of the entries for validation date were
incomplete. In addition, data on the status of companies undergoing the
validation process was provided in hard copy only and included no date
information. CBP officials told us that they are currently exploring
other data management systems, working to develop a new, single
database that would capture pertinent data, as well as developing a
paperless environment for the program.
Conclusions:
CBP's primary reliance on members' self-reporting about their security
procedures to receive C-TPAT benefits places added importance on the
validation process, which is CBP's method of verifying the
effectiveness, efficiency, and accuracy of the security profile.
However, the weaknesses in the validation process we found raise
questions about its effectiveness. CBP's validation process, the
purpose of which is to ensure that members' security measures are
reliable, accurate, and effective, is not rigorous enough to achieve
CBP's goals because of the bureau's consideration of the process as a
joint, partnership review with the member company. In this vein,
without guidelines for what constitutes a validation, CBP cannot be
sure that it effectively and consistently verifies a standard set of
security measures to ensure some minimally appropriate level of
vulnerability reduction, nor can it apply a methodical approach to
assessing the security procedures. In addition, CBP has not assessed
the extent (in terms of numbers or percentage) to which it must conduct
validations to ensure that the C-TPAT program is consistent with its
overall approach to managing risk. Also, we found a lack of clear
documentation for the validation process. Because of these weaknesses,
CBP's ability to provide assurance that the program prevents terrorists
and terrorist weapons from entering the United States is limited.
Finally, CBP has not completed corrective actions from our July 2003
report, which were meant to change the management of the program from a
short-term focus to a strategic focus. Specifically, CBP has not
completed (1) developing performance measures with which to measure the
program's success in achieving bureau goals and inform decisions for
process improvement and (2) developing a human capital plan to account
for how the program will recruit, train, and retain staff to achieve
program goals. CBP also does not have a basic records management system
to ensure adequate internal controls to manage the program. Because of
these management weaknesses, CBP will have difficulty effectively
planning, executing, and monitoring the program.
Recommendations for Executive Action:
To help CBP achieve C-TPAT objectives and address the challenges
associated with its continued development, we recommend that the
Secretary of Homeland Security direct the Commissioner of U.S. Customs
and Border Protection to take the following five actions:
* strengthen the validation process by providing appropriate guidance
to specialists conducting validations, including what level of review
is adequate to determine whether member security practices are
reliable, accurate, and effective;
* determine the extent (in terms of numbers or percentage) to which
members should be validated in lieu of the original goal to validate
all members within 3 years of certification;
* complete the development of performance measures, to include outcome-
based measures and performance targets, to track the program's status
in meeting its strategic goals;
* complete a human capital plan that clearly describes how the C-TPAT
program will recruit, train, and retain sufficient staff to
successfully conduct the work of the program, including reviewing
security profiles, vetting, and conducting validations to mitigate
program risk; and:
* implement a records management system that accurately and timely
documents key decisions and significant operational events, including a
reliable system for (1) documenting and maintaining records of all
decisions in the application through validation processes, including
but not limited to documentation of the objectives, scope,
methodologies, and limitations of validations, and (2) tracking member
status.
Agency Comments and Our Evaluation:
We provided a draft of this report to the Secretary of DHS for comment.
We received comments from the Commissioner of U.S. Customs and Border
Protection that are reprinted in appendix II. CBP generally agreed with
our recommendations and outlined actions it either had taken or was
planning to take to implement them.
CBP agreed with our two recommendations on validations and said it will
readdress the validation process. Specifically, CBP said that it was
developing standard operating procedures, guidance, and written
baseline criteria for the validation process, as well as an automated
validation tool to document validations. CBP also agreed to determine
the extent to which C-TPAT members should be validated, stating that it
will develop member selection criteria and an automated system to
standardize and assist in the selection of companies for validation. If
properly implemented, these actions should address the intent of these
recommendations.
Our draft report also included a recommendation to complete a formal
strategic plan that clearly articulates goals, linkages, and
strategies. While our draft report was with DHS for comment, CBP issued
its final strategic plan on January 13, 2005. Our brief review of this
strategic plan indicates that it appears to address the intent of our
recommendation. Therefore, we removed the recommendation from this
report. Nevertheless, as CBP further refines its strategic plan in the
future, we encourage CBP to include all of the key elements of a
strategic plan as described in the Government Performance and Results
Act of 1993. Specifically, the formal strategic plan should include a
description of performance goals and how they are related to the
general goals and objectives of the program, as well as a description
of program evaluations, which are useful for identifying key factors
likely to affect program performance.
CBP agreed with our recommendation on developing performance measures,
and has developed initial measures relating to membership, inspection
percentages, and validation effectiveness. CBP has developed new
performance measures for use in the FY 2006 Fiscal Year Homeland
Security Plan and plans to enlist the help of a contractor to develop
other outcome-based performance measures and targets. If properly
implemented, these plans should help address the intent of this
recommendation.
In addressing our recommendation to complete a human capital plan for
the C-TPAT program, CBP told us it is still developing an
implementation plan for the program that will include those elements
required in a human capital plan. For example, CBP said it has
developed new positions, training programs and materials, and a
staffing plan. Further, CBP said the C-TPAT program will continue to
refine all aspects of its human capital plan to include headquarters
personnel, additional training requirements, budget, and future
personnel profiles. If the final implementation plan contains these
elements, the plan should address the intent of the recommendation.
CBP agreed with our recommendation on implementing a records management
system that accurately and timely documents key decisions and
significant operational events. While its comments did not specify the
nature or capabilities of a new system, CBP indicated that in the near
future, it plans to automate every aspect of the C-TPAT program, both
internally and externally. In automating its system, to fully meet the
intent of this recommendation, CBP needs to ensure that the system
addresses all aspects of C-TPAT operations and that tracking member
status is done timely, accurately, and reliably.
Notwithstanding its general agreement with the recommendations, CBP
expressed some concerns regarding the report. In its general comments,
CBP said that C-TPAT is a voluntary program that is not designed to
confirm company compliance with regulatory requirements. Further, CBP
said it is very difficult for the U.S. government to regulate supply
chain security procedures outside the country. CBP also noted that it
is looking to establish more broadly applicable minimum security
standards that may build on C-TPAT requirements. Our report clearly
notes that the program is of a voluntary nature, designed around
security guidelines jointly developed by CBP and the trade community.
The cooperation envisioned by the C-TPAT program can build productive
relationships and encourage supply chain security. However, in
accepting members into the program, CBP still has the responsibility
for verifying that security measures planned or claimed by C-TPAT
members are properly implemented and effective. This program goes
beyond trade facilitation in that it awards benefits that can reduce
the scrutiny given cargo containers arriving in the United States. This
is not a matter of regulating supply chain security in other countries.
Rather, it is a matter of providing a security benefit for containers
arriving at our nation's ports. If CBP does not ensure that this
important security-related benefit is deserved, it runs the risk of
overlooking potentially dangerous cargo during the inspection process.
CBP also said that the report's title is misleading, asserting that it
creates the improper impression that only the validation process
ensures adequate security for containerized cargo and does not place
enough emphasis on the certification and vetting processes, as well as
omits that C-TPAT cargo is not exempt from advance reporting
requirements or enforcement and security inspections, such as random
inspections and nonintrusive screening technology. Our report clearly
describes the various steps CBP takes in the overall cargo inspection
process and how the C-TPAT program fits into that process. The report
also clearly describes the purpose of each process within the C-TPAT
program, including the validation process that is to determine whether
C-TPAT members' security procedures are accurate, reliable, and
effective. We did modify the report's title and, where appropriate, the
text to better reflect the report's focus on C-TPAT versus other
programs in CBP's layered enforcement strategy for cargo security.
However, any weakness in C-TPAT could weaken CBP's layered approach.
Given that C-TPAT members enjoy benefits that reduce the likelihood of
an inspection of their cargo, not having an effective validation
process could serve to defeat the purposes of the other enforcement
layers.
Finally, CBP noted many benefits achieved under the C-TPAT program,
including that thousands of companies working as part of C-TPAT have
taken concrete steps to improve their security procedures and that C-
TPAT has fostered an expanding international dialogue on best security
practices. We agree that actions on the part of program members to
shore up supply chain security are valuable and desirable. Again, with
the threat of terrorism present in the global supply chain, we believe
that verifying that planned improvements are actually implemented and
ensuring that security controls are effective are important
responsibilities that cannot be achieved only with members self-
reporting about their security procedures.
CBP also offered technical comments and clarifications, which we
considered and incorporated where appropriate.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will provide copies of this
report to appropriate departments and interested congressional
committees. We will also make copies available to others upon request.
In addition, the report will be available on GAO's Web site
http://www.gao.gov.
If you or your staff have any questions about this report, please
contact me at (202) 512-8777 or at stanar@gao.gov. Key contributors to
this report are listed in appendix III.
Signed by:
Richard M. Stana:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Objectives:
We addressed the following questions regarding the U.S. Customs and
Border Protection's (CBP, formerly the U.S. Customs Service) Customs-
Trade Partnership Against Terrorism (C-TPAT):
* What benefits does CBP provide to C-TPAT members?
* Before providing benefits, what approach does CBP take to determine C-
TPAT members' eligibility for them?
* After providing benefits, how does CBP verify that members have
implemented their security measures?
* To what extent has CBP developed strategies and related management
tools for achieving the program's goals?
Scope and Methodology:
To address these questions, we visited CBP's headquarters in
Washington, D.C., which manages the C-TPAT program. We interviewed CBP
officials and reviewed available data and documentation for the
program. We reviewed individual CBP files for a subset of C-TPAT
members, including members with responsibilities along various parts of
the supply chain. We also reviewed CBP's database for tracking member
status in the program from the program's inception through July 2004.
All records in this database were reviewed. We intended to use these
data to select a random set of files to review and to conduct analyses
of workloads, but the data were not reliable enough to do so (see
below). Given the weaknesses in the files as well as the data
reliability issues, our review focused on identifying C-TPAT's
processes. Because of deficiencies in the files and database, we were
unable to verify the extent CBP actually follows these processes for
individual members. We also obtained the status of the agency's efforts
to implement our prior recommendations for the program, including the
completion of a strategic plan, a human capital plan, and performance
measures.
We conducted our work from February through December 2004 in accordance
with generally accepted government auditing standards.
Data Reliability:
To assess the reliability of CBP's database for tracking member status
in C-TPAT, we (1) reviewed existing documentation related to the data
sources, (2) electronically tested the data to identify obvious
problems with completeness or accuracy, and (3) interviewed
knowledgeable bureau officials about the data. Initial reliability
testing of this database and interviews of staff with responsibility
for the program led us to conclude that data used to track participant
status had some serious reliability weaknesses. We determined that
using the data in certain cases, for example, to calculate average
times for phases of the membership process, might have led to an
incorrect or misleading message. However, we determined that the data
were sufficiently reliable for limited use in descriptions of the
program status, such as the approximate numbers of participants,
because our analysis and discussions with CBP officials assured us that
those data fields were reasonably complete and accurate.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
This version of our report is unrestricted based on a security review
by CBP.
[End of section]
Appendix III GAO Contacts and Staff Acknowledgments:
U.S. Department of Homeland Security:
Washington, DC 20229:
U.S. Customs and Border Protection:
Commissioner:
Mr. Richard M. Stana:
Director, Homeland Security and Justice:
Government Accountability Office:
441 G Street, N.W.:
Washington, D.C. 20548:
Dear Mr. Stana:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report related to the Customs-Trade
Partnership Against Terrorism (C-TPAT) program. U.S. Customs and Border
Protection (CBP) and the Department of Homeland Security (DHS)
appreciate the work done in this review to identify areas where actions
can be taken by CBP to improve the C-TPAT program. Technical comments
were provided to GAO under a separate cover; however, there are a few
areas of the report that deserve comment.
When C-TPAT was established in response to the attacks of September 11,
the intent was to build a partnership to leverage the resources of the
private sector so that the limited resources of the government could be
focused on inspecting high-risk cargo shipments. Any evaluation of C-
TPAT must recognize that it is a voluntary partnership to improve the
security of the United States and not a program to confirm importer
compliance with a regulatory requirement. The C-TPAT participants
voluntarily share with the government details of sensitive corporate
security plans and again, voluntarily, agree to allow government
representatives access to their facilities to confirm that they are
following their own security plans and that these plans meet or exceed
C-TPAT supply chain security criteria. DHS believes that to date,
thousands of companies working under the auspices of this partnership
have taken concrete steps to improve their security procedures, thereby
increasing global supply chain security and the security of the United
States.
The supply chain that facilitates the shipment of cargo to the United
States is global. It is very difficult for our government to regulate
the security procedures outside our country. However, C-TPAT importers
are willing to use their business leverage over their foreign suppliers
throughout the world to require their suppliers to improve security at
the beginning of the supply chain.
This free and open communication with industry has allowed Customs and
Border Protection to further identify security baseline practices and
best practices. This has been a leaming experience for all involved,
and through this exchange C-TPAT has fostered an expanding
international dialogue on best security practices. This has created an
opportunity for DHS to work internationally to promote supply chain
security.
C-TPAT is a partnership program that has benefits for both the
government and the industry participants. The title of the draft
report, "DHS Grants Importers Reduced Scrutiny with Limited Assurance
of Adequate Security", is misleading. The title creates the improper
impression that only the validation process assures adequate security
for containerized cargo. The report places excessive emphasis on the
validation process without adequately reflecting the certification and
vetting process within C-TPAT and the other layers of security put in
place since the terrorist attacks three years ago. However, as noted
below, we believe the shipments of a company which has committed to C-
TPAT security levels represent less risk. That lessened risk is taken
into account in our risk targeting rules. That said, C-TPAT cargo is
not exempt from advance reporting requirements, enforcement and
security inspections, random inspections, or non-intrusive screening
technology such as radiation portals where we are moving to 100%
screening of all in-bound cargo for WMD threats. The DHS cargo security
strategy clearly identifies the screening of all containers for WMD's
as its highest priority.
The discussion of the benefits of C-TPAT, including the section "C-TPAT
Benefits Designed to Reduce Scrutiny of Shipments" would be more
accurate if it reflected that the benefits of the program were designed
to create incentives for industry to improve supply chain security.
Eligibility for the Importer Self-Assessment Program (ISA) for example,
is included as a benefit that reduces the level of scrutiny.
Further, CBP, in the context of the DHS cargo security strategy, is
looking to establish more broadly applicable minimum security standards
that may in some cases build on C-TPAT requirements. For example, CBP
is currently working on a proposed regulatory standard that would
require 100 percent of all loaded in-bound maritime containers to be
outfitted with a high-security seal that would be verified before the
cargo is loaded at the foreign port. The C-TPAT program currently
includes guidelines for high security seals that meet or exceed this
regulatory requirement. The movement of a C-TPAT guideline to a more
broadly regulated minimum standard is another way to transition
industry towards a stricter security framework.
Finally, C-TPAT is part of our overall risk management approach. C-TPAT
helps identify the importers that take security seriously. This
information is factored into the risk assessment and lower risk cargo
receives less scrutiny. That is how risk management works. The
resources used to validate that low risk importers are truly low risk
must be reasonable when balanced against the greater threat presented
by higher risk cargo. That is not to say that the C-TPAT program cannot
be improved. On the contrary, DHS concurs with the final
recommendations in the report.
As part of their corrective action plan, CBP will readdress the
validation process, including establishing policies and procedures
related to the extent to which C-TPAT members are validated. Actions
that CBP plans to take regarding specific recommendations are below:
Recommendation 1: Strengthen the validation process by providing
appropriate guidance to specialists conducting validations, including
what level of review is adequate to determine whether member security
practices are reliable, accurate, and effective.
Response: CBP has provided all Supply Chain Specialists (SCS) with a
comprehensive training program developed by CBP's Office of Training
and Development. SCS training includes specific instruction on
validation scope and methodology, conducting pre-validation research,
supply chain identification/selection, and report writing. CBP is
developing Standard Operating Procedures and directives to provide
further clarification and guidance for all SCS personnel conducting
validations. This will include the need for appropriate documentation
of the validation process. CBP will also develop an automated
validation tool for SCS.
Recognizing that no two international supply chains or validations are
exactly the same, and that C-TPAT must remain flexible to meet the
complex challenges of international trade, CBP will develop written
baseline criteria for assisting the SCS in determining if member's
security practices and processes are adequate and effective.
Recommendation 2: Determine the extent (in terms of numbers or
percentage) to which members should be validated in lieu of the
original goal to validate all members within three years of
certification.
Response: Overwhelming response by the trade community forced CBP to
reconsider its original goal to validate all certified members within a
three-year period. Selection for validations were initially based upon
risk management principles, i.e., strategic threat geographically,
import volume/value, security related incidents, history of compliance/
violations, etc. CBP will further refine the risk management process
and develop member selection methodology/criteria and an automated
system to standardize and assist in the selection process. C-TPAT will
determine and prioritize which sectors of membership will be selected
for validations, select individual companies based upon a standardized
risk assessment, and identify "company specific" high-risk supply
chains to better focus our efforts and resources. The resource needs to
support this approach will be reflected in the human capital plan.
Recommendation 3: Complete a formal strategic plan that clearly
articulates the goals of the C-TPAT program, their relationship to
broader CBP goals, and strategies for achieving them.
Response: As part of its ongoing industry outreach effort, C-TPAT has
developed a strategic plan that was shared with the public during CBP's
Trade Symposium on January 13 and 14, 2005 and is attached to this
response. CBP is continuing its efforts to strategically strengthen C-
TPAT and is working with the Department of Homeland Security to draft
an implementation plan for the program. This implementation plan will
build on the public dialogue associated with the strategic plan and
specifically focus on developing performance metrics to adequately
assess security and trade facilitation aspects, human resource
requirements and a plan for transitioning C-TPAT requirements to
minimum baseline standards (as may be appropriate), consistent with
GAO's recommendations."
Recommendation 4: Complete the development of performance measures, to
include outcome-based measures and performance targets, to track the
program's status in meeting its strategic goals.
Response: C-TPAT has developed initial measures to determine the scope
of the program (i.e., membership), measures to gauge the realization of
benefits by certified members (i.e., inspection percentages), and
measures to gauge the effectiveness of validations. C-TPAT has refined
its measures in coordination with the Department. New measures have
been developed for use in the FY 2006 Fiscal Year Homeland Security
Plan. They include: compliance rate for C-TPAT members with the
established C-TPAT security guidelines, C-TPAT validation labor
efficiency rate, average CBP exam reduction ratio for C-TPAT member
importers compared to non-C-TPAT importers, and time savings to process
U.S./Mexico Border FAST lane transactions. In addition, CBP will be
identifying a contractor to assist with the development of outcome-
based measures and performance targets for the C-TPAT program. CBP will
continue to develop and refine these and other measures as may be
required to ensure program success.
Recommendation 5: Complete a formal human capital plan that clearly
describes how the C-TPAT program will recruit, train, and retain
sufficient staff to successfully conduct the work of the program,
including reviewing security profiles, vetting, and conducting
validations to mitigate program risk.
Response: To date, C-TPAT has developed the new SCS position, developed
an official 2 week training program, developed a formalized SCS
training manual, conducted two rounds of SCS selections, conducted two
formal training programs, established four C-TPAT field offices, and
developed a future continuing education program for C-TPAT personnel.
In addition, CBP produced a detailed SCS staffing plan which analyzed
current SCS workload, annual program growth rate, actual duties being
performed by SCS, time to complete average validation, and the number
of validations an SCS can complete in 1 year. C-TPAT will continue to
refine all aspects of the human capital plan to include Headquarters
personnel, additional training requirements, budget, and future
personnel profiles.
Recommendation 6: Implement a records management system that accurately
and timely documents key decisions and significant operational events,
including a reliable system for (1) documenting and maintaining records
of all decisions in the application through validation processes,
including but not limited to documentation of the objectives, scope,
methodologies, and limitation of validations, and (2) tracking member
status.
Response: CBP's goal is to automate every aspect of the C-TPAT program,
both internally and externally. In the near future, only electronic
submissions will be accepted by C-TPAT. Trade partners will submit
information through a web application. The information will be
processed against internal risk criteria and accepted or denied
immediate responses generated and validation time frames established.
Internally, information will be easily stored, reports generated and
risk analysis conducted. Externally, response times will decrease and
more information will be readily available.
Thank you for the opportunity to review and provide comments to the
draft report. Our expectation is that this report will be handled
appropriately as a "Limited Official Use Only" document due to the
sensitivity of the information contained in the report.
Yours truly,
Signed by:
Robert C. Bonner:
Commissioner:
Attachment:
[End of section]
GAO Contacts:
Richard M. Stana (202) 512-8777;
Stephen L. Caldwell (202) 512-9610:
Staff Acknowledgments:
In addition to those named above, Kristy N. Brown, Kathryn E. Godfrey,
Wilfred B. Holloway, Stanley J. Kostyla, Shakira O'Neil, and Deena D.
Richart made key contributions to this report.
[End of section]
Related GAO Products:
Homeland Security: Process for Reporting Lessons Learned from Seaport
Exercises Needs Further Attention. GAO-05-170. Washington, D.C.:
January 14, 2005.
Port Security: Planning Needed to Develop and Operate Maritime Worker
Identification Card Program. GAO-05-106. Washington, D.C.: December 10,
2004.
Maritime Security: Better Planning Needed to Help Ensure an Effective
Port Security Assessment Program. GAO-04-1062. Washington, D.C.:
September 30, 2004.
Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. GAO-04-838. Washington,
D.C.: June 30, 2004.
Border Security: Agencies Need to Better Coordinate Their Strategies
and Operations on Federal Lands. GAO-04-590. Washington, D.C.: June
2004.
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March
31, 2004.
Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail
Security, but Significant Challenges Remain. GAO-04-598T. Washington,
D.C.: March 23, 2004.
Department of Homeland Security, Bureau of Customs and Border
Protection: Required Advance Electronic Presentation of Cargo
Information. GAO-04-319R. Washington, D.C.: December 18, 2003.
Homeland Security: Preliminary Observations on Efforts to Target
Security Inspections of Cargo Containers. GAO-04-325T. Washington,
D.C.: December 16, 2003.
Posthearing Questions Related to Aviation and Port Security. GAO-04-
315R. Washington, D.C.: December 12, 2003.
Homeland Security: Risks Facing Key Border and Transportation Security
Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September
19, 2003.
Maritime Security: Progress Made in Implementing Maritime
Transportation Security Act, but Concerns Remain. GAO-03-1155T.
Washington, D.C.: September 9, 2003.
Container Security: Expansion of Key Customs Programs Will Require
Greater Attention to Critical Success Factors. GAO-03-770. Washington,
D.C.: July 25, 2003.
Homeland Security: Challenges Facing the Department of Homeland
Security in Balancing Its Border Security and Trade Facilitation
Missions. GAO-03-902T. Washington, D.C.: June 16, 2003.
Transportation Security: Federal Action Needed to Address Security
Challenges. GAO-03-843. Washington, D.C.: June 30, 2003.
Transportation Security: Post-September 11th Initiatives and Long-Term
Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003.
Border Security: Challenges in Implementing Border Technology. GAO-03-
546T. Washington, D.C.: March 12, 2003.
Customs Service: Acquisition and Deployment of Radiation Detection
Equipment. GAO-03-235T. Washington, D.C.: October 17, 2002.
Port Security: Nation Faces Formidable Challenges in Making New
Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002.
FOOTNOTES
[1] GAO, Container Security: Expansion of Key Customs Programs Will
Require Greater Attention to Critical Success Factors, GAO-03-770,
Washington, D.C.: July 25, 2003.
[2] The Free and Secure Trade (FAST) program is a CBP program that
allows Canadian and Mexican companies expedited processing of their
commercial shipments at the border.
[3] A supply chain consists of all stages involved in fulfilling a
customer request, including the manufacturer, suppliers, transporters,
warehouses, and retailers.
[4] A container is a van, open-top trailer, or other similar trailer
body on or into which cargo is loaded and transported.
[5] Department of Transportation Volpe National Transportation Systems
Center, Intermodal Cargo Transportation: Industry Best Security
Practices (Cambridge, Mass.: June 2002).
[6] The layered enforcement strategy encompasses CBP programs including
C-TPAT (addressed in this report), as well as the Container Security
Initiative (CSI). CSI is an initiative whereby CBP places staff at
designated foreign seaports to work with foreign counterparts to
identify and inspect high-risk containers for weapons of mass
destruction before they are shipped to the United States. We are
currently reviewing the CSI program and a report is forthcoming.
[7] In addition, there are hundreds of foreign-based air, rail, sea,
and truck carriers certified in C-TPAT.
[8] For fiscal year 2004, CBP had authorization for 157 positions for
supply chain specialists and support staff, but as of August 2004 had
hired only 40 specialists. CBP officials noted that the bureau
recognizes the need for additional permanent positions, and CBP plans
to hire, train, and have in place an additional 30 to 50 supply chain
specialists by the end of calendar year 2004.
[9] CBP established security guidelines to assist companies in
completing their security profiles. Each set of security guidelines is
tailored according to member type.
[10] GAO, Container Security: Expansion of Key Customs Programs Will
Require Greater Attention to Critical Success Factors, GAO-03-770,
Washington, D.C.: July 25, 2003.
[11] GAO, Homeland Security: Summary of Challenges Faced in the
Targeting of Oceangoing Cargo Containers for Inspection, GAO-04-557T,
Washington, D.C.: March 2004.
[12] CBP officials told us they are currently working to adapt the risk
assessment tool so that it can be applied to C-TPAT members from
additional trade sectors, such as brokers and carriers.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
