Cargo Security: Partnership Program Grants Importers Reduced	 
Scrutiny with Limited Assurance of Improved Security (11-MAR-05, 
GAO-05-404).							 
                                                                 
This report is a publicly available version of our report on the 
Customs-Trade Partnership Against Terrorism (C-TPAT). The	 
Department of Homeland Security (DHS) designated our original	 
report as Limited Official Use because of the sensitive and	 
specific nature of the information it contained. U.S. Customs and
Border Protection (CBP), the DHS bureau responsible for 	 
protecting the nation's borders at and between the official ports
of entry, has the dual goals of preventing terrorists and	 
terrorist weapons from entering the United States and also	 
facilitating the flow of legitimate trade and travel.		 
Approximately 90 percent of the world's cargo moves by container.
Addressing the threat posed by the movement of containerized	 
cargo across U.S. borders has traditionally posed many challenges
for CBP, in particular balancing the bureau's border protection  
functions and trade enforcement mission with its goal of	 
facilitating the flow of cargo and persons into the United	 
States. CBP has said that the large volume of imports and its	 
limited resources make it impossible to physically inspect all	 
oceangoing containers without disrupting the flow of commerce,	 
and it is unrealistic to expect that all containers warrant such 
inspection. To address its responsibility to improve cargo	 
security while facilitating commerce, CBP employs multiple	 
strategies. Among these strategies, CBP has in place an 	 
initiative known as C-TPAT, which aims to secure the flow of	 
goods bound for the United States by developing a strong,	 
voluntary antiterrorism partnership with the trade community.	 
C-TPAT members commit to improving the security of their supply  
chain (flow of goods from manufacturer to retailer) and develop  
written security profiles that outline the security measures in  
place for the company's supply chain. In exchange for this	 
commitment, CBP offers C-TPAT members benefits for participating 
that may reduce the level of scrutiny given to their shipments,  
potentially resulting in a reduced number of inspections of their
cargo at U.S. borders. The program is promising, but previous	 
work has raised concerns about its management and its ability to 
achieve its ultimate goal of improved cargo security. Given our  
past concerns about the program's effectiveness and in light of  
the program's rapid expansion, we examined selected aspects of	 
the program's operation and management. This report addresses the
following issues: (1) What benefits does CBP provide to C-TPAT	 
members? (2) Before providing benefits, what approach does CBP	 
take to determine C-TPAT members' eligibility for them? (3) After
providing benefits, how does CBP verify that members have	 
implemented their security measures? and (4) To what extent has  
CBP developed strategies and related management tools for	 
achieving the program's goals?					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-05-404 					        
    ACCNO:   A19158						        
  TITLE:     Cargo Security: Partnership Program Grants Importers     
Reduced Scrutiny with Limited Assurance of Improved Security	 
     DATE:   03/11/2005 
  SUBJECT:   Counterterrorism					 
	     Human capital planning				 
	     Importing						 
	     Inspection 					 
	     International trade				 
	     International trade regulation			 
	     Homeland security					 
	     Performance measures				 
	     Program management 				 
	     Strategic planning 				 
	     Terrorism						 
	     Border security					 
	     Program goals or objectives			 
	     Customs Service Trade Partnership			 
	     Against Terrorism Program				 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-05-404

United States Government Accountability Office

GAO

                       Report to Congressional Requesters

March 2005

CARGO SECURITY

Partnership Program Grants Importers Reduced Scrutiny with Limited Assurance of
                               Improved Security

GAO-05-404

Contents

  Letter

Results in Brief
Background
C-TPAT Benefits Reduce Scrutiny of Shipments
CBP Grants Benefits before Verification of Security Procedures
Weaknesses in Process for Verifying Security Procedures
Incomplete Progress in Addressing Management Weaknesses
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation

1

3

6 12 13 14 18 21 22 22

       Appendix I           Objectives, Scope, and Methodology             27 
                                        Objectives                         27 
                                  Scope and Methodology                    27 
                                     Data Reliability                      27 
      Appendix II     Comments from the Department of Homeland       
                                         Security                    

Appendix III GAO Contacts and Staff Acknowledgments 34

GAO Contacts 34 Staff Acknowledgments 34

Related GAO Products

  Tables

Table 1: Roles of Trade Community Members in the Supply Chain 8 Table 2:
Benefits for C-TPAT Members 13

  Figures

Figure 1: CBP's Review Process for C-TPAT Membership 11 Figure 2: Status
of Validating C-TPAT Members, as of November 2, 2004 16

Abbreviations

ATS Automated Targeting System

CBP Customs and Border Protection

CSI Container Security Initiative
C-TPAT Customs-Trade Partnership Against Terrorism
DHS Department of Homeland Security
FAST Free and Secure Trade

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office Washington, DC 20548

March 11, 2005

The Honorable Susan M. Collins
Chairman
The Honorable Joseph Lieberman
Ranking Minority Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Norm Coleman
Chairman
The Honorable Carl Levin
Ranking Minority Member
Permanent Subcommittee on Investigations
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable John D. Dingell
Ranking Minority Member
Energy and Commerce Committee
House of Representatives

This report is a publicly available version of our report on the Customs-
Trade Partnership Against Terrorism (C-TPAT). The Department of
Homeland Security (DHS) designated our original report as Limited
Official Use because of the sensitive and specific nature of the
information
it contained.

U.S. Customs and Border Protection (CBP), the DHS bureau responsible
for protecting the nation's borders at and between the official ports of
entry, has the dual goals of preventing terrorists and terrorist weapons
from entering the United States and also facilitating the flow of
legitimate
trade and travel. Approximately 90 percent of the world's cargo moves by
container. Addressing the threat posed by the movement of containerized
cargo across U.S. borders has traditionally posed many challenges for
CBP, in particular balancing the bureau's border protection functions and
trade enforcement mission with its goal of facilitating the flow of cargo
and persons into the United States. CBP has said that the large volume of
imports and its limited resources make it impossible to physically inspect
all oceangoing containers without disrupting the flow of commerce, and it
is unrealistic to expect that all containers warrant such inspection.

To address its responsibility to improve cargo security while facilitating
commerce, CBP employs multiple strategies. Among these strategies, CBP has
in place an initiative known as C-TPAT, which aims to secure the flow of
goods bound for the United States by developing a strong, voluntary
antiterrorism partnership with the trade community. C-TPAT members commit
to improving the security of their supply chain (flow of goods from
manufacturer to retailer) and develop written security profiles that
outline the security measures in place for the company's supply chain. In
exchange for this commitment, CBP offers C-TPAT members benefits for
participating that may reduce the level of scrutiny given to their
shipments, potentially resulting in a reduced number of inspections of
their cargo at U.S. borders.

The program is promising, but previous work has raised concerns about its
management and its ability to achieve its ultimate goal of improved cargo
security. Specifically, in our July 2003 report on this program, we
recommended that the Secretary of Homeland Security work with the CBP
Commissioner to develop (1) a strategic plan that clearly lays out the
program's goals, objectives, and detailed implementation strategies; (2)
performance measures that include outcome-oriented indicators; and (3) a
human capital plan that clearly describes how C-TPAT will recruit, train,
and retain new staff to meet the program's growing demands as it
implements new program elements.1

Given our past concerns about the program's effectiveness and in light of
the program's rapid expansion, we examined selected aspects of the
program's operation and management. This report addresses the following
issues:

1. What benefits does CBP provide to C-TPAT members?

2. 	Before providing benefits, what approach does CBP take to determine
C-TPAT members' eligibility for them?

3. 	After providing benefits, how does CBP verify that members have
implemented their security measures?

4. 	To what extent has CBP developed strategies and related management
tools for achieving the program's goals?

1GAO, Container Security: Expansion of Key Customs Programs Will Require
Greater Attention to Critical Success Factors, GAO-03-770, Washington,
D.C.: July 25, 2003.

To address all four objectives, we discussed program operations with CBP
officials in Washington, D.C., with program responsibilities for C-TPAT
and reviewed available data and documentation for the program. To
ascertain the manner in which CBP validates security procedures for
participating companies, we asked CBP to provide us with examples of
participant files, including files of participants with responsibilities
along various parts of the supply chain. While the files we reviewed were
not a representative sample of files, we noted that in many cases these
files were incomplete. We also reviewed CBP's database for tracking
participant status in the program. Initial reliability testing of this
database and interviews of staff with responsibility for the program led
us to conclude that data used to track participant status had some serious
reliability weaknesses. However, we found the data sufficiently reliable
for limited use in describing the program's status. While we were able to
review CBP's processes, because of the poor condition of member files we
were unable to verify the extent that the bureau followed the processes in
individual cases for individual members. We also examined the status of
the agency's efforts to implement our prior recommendations for the
program.

We conducted our work from February through December 2004 in accordance
with generally accepted government auditing standards. More details about
the scope and methodology of our work are presented in appendix I.

In return for committing to making improvements to the security of their
shipments by joining the program, C-TPAT members receive a range of
benefits that reduce the level of scrutiny CBP provides to their shipments
bound for the United States. These benefits may change the risk
characterization of their shipments, thereby reducing the probability of
extensive documentary and physical inspection. Other benefits include
access to FAST lanes on the Canadian and Mexican borders, expedited cargo
processing at FAST lanes, and an emphasis on self-policing and
selfmonitoring of security activities.2 In addition, CBP grants benefits
to C-TPAT members that do not directly affect the level of scrutiny given
to their shipments. These additional benefits include a single point of
contact within CBP to serve as a liaison with the member on issues related
to the

2The Free and Secure Trade (FAST) program is a CBP program that allows
Canadian and Mexican companies expedited processing of their commercial
shipments at the border.

  Results in Brief

program, access to the identities of other companies that have become
C-TPAT members, and eligibility to attend CBP-sponsored antiterrorism
training seminars.

Before providing benefits, CBP uses a two-pronged approach to assess
C-TPAT members. First, CBP has a certification process to review the
selfreported information contained in applicants' membership agreements
and security profiles. Second, CBP has in place a vetting process to try
to assess the compliance with customs laws and regulations and violation
history of and intelligence data on importers before granting them
benefits. At the program's inception, CBP began granting benefits to
C-TPAT applicants immediately upon receipt of their agreement to
voluntarily participate in the program without any review of the security
profiles submitted by potential member companies. In February 2004, CBP
changed its policy to grant benefits to C-TPAT members only after CBP's
review and certification of their security profiles and successful
completion of the vetting process. CBP believes that this two-pronged
approach provides adequate assurance before granting benefits. However,
this approach grants benefits to members before they undergo the
validation process.

After providing benefits, CBP has a validation process to verify that
C-TPAT members' security measures have been implemented and that program
benefits should continue. However, we found several weaknesses in the
validation process that compromise CBP's ability to provide an actual
verification that supply chain security measures in C-TPAT members'
security profiles are accurate and are being followed. First, the
validation process is not rigorous enough to achieve its stated purpose,
which is to ensure that the security procedures outlined in members'
security profiles are reliable, accurate, and effective. For example, CBP
officials told us that validations are not considered independent audits,
and the objectives, scope, and methodology of validations are jointly
agreed upon with the member company. CBP officials, as well as our review
of case files, indicated that the validations only examine a few of the
security measures outlined in members' security profiles. Related to this,
CBP has no written guidelines for its supply chain specialists to indicate
what scope of effort is adequate for the validation to ensure that the
member's measures are reliable, accurate, and effective. In addition, CBP
has not determined the extent to which validations are needed. While the
original stated goal of the program was to validate all members within 3
years, CBP decided that it could not do so because of the rapid growth in
membership. In 3 years of C-TPAT operation, CBP has validated about 10
percent of its certified members. While CBP has given up on its original

goal to validate all members, it has not come up with an alternative goal
for the number or percentage of members that should be validated. For
validations that CBP does conduct, it prioritizes members for validation
based on a variety of factors such as strategic threat, import volume, and
past compliance violations.

While CBP has recently completed a strategic plan, we found weaknesses in
some of the tools it uses to manage the program that could hinder the
bureau in achieving the program's dual goals of securing the flow of goods
bound for the United States and facilitating the flow of trade. CBP's new
strategic plan appears to provide the bureau with a general framework on
which to base key decisions, including key strategic planning elements
such as strategic goals, objectives, and strategies. However, CBP still
lacks a human capital plan, a fact that has impaired its ability to manage
its resources. CBP officials told us they are in the process of developing
an implementation plan that will address human capital planning elements
such as analyzing (1) current workload, (2) the projected annual growth
rate of the program, (3) the time it takes to complete the average
validation, and (4) the number of validations supply chain specialists can
complete annually. Furthermore, CBP still has not developed a
comprehensive set of performance measures and indicators, including
outcome-based measures, to monitor the status of program goals. CBP
officials told us they have developed some initial measures to capture the
program's impact. Finally, the C-TPAT program lacks an effective records
management system. CBP's record keeping for the program is incomplete, as
key decisions are not always documented and programmatic information is
not updated regularly or accurately. For example, member files we reviewed
contained no documentation of communications between CBP and members
regarding how the scope of a validation was determined, and their database
tracking member status contained errors.

We are making recommendations to the Secretary of the Department of
Homeland Security to direct the U. S. Commissioner of Customs and Border
Protection to improve the program's ability to meet its goals by providing
appropriate guidance to specialists conducting validations, determining
the extent to which members should be validated in lieu of the original
goal to validate all members within 3 years of certification, and
implementing performance measures, a human capital plan, and a records
management system for the program. We provided a draft of this report to
the Secretary of DHS for comment. In its response, from the Commissioner
of U.S. Customs and Border Protection, CBP generally agreed with our
recommendations and cited corrective actions they either have taken or
planned to take.

Notwithstanding its general agreement with our recommendations, CBP noted
that C-TPAT is a voluntary partnership to improve the security of the
United States and not a program to confirm importer compliance with a
regulatory requirement. As such, CBP said our report places too much
emphasis on the validation process without adequately reflecting other
aspects of the program. As a whole, CBP said that as part of its
multilayered approach, C-TPAT identifies companies that take security
seriously, appropriately lowers the risk level of their cargo, and thus
focuses CBP resources on other companies' high-risk cargo, all consistent
with a risk management approach. We believe that having a multilayered
approach to cargo inspection can be effective, provided that each layer is
adequately utilized. Given that C-TPAT members enjoy benefits that could
greatly reduce the likelihood of an inspection of their cargo, not having
full assurance of a reliable, accurate, and effective validation process
potentially weakens the overall effectiveness of the other control
mechanisms in meeting CBP's fundamental responsibility to ensure security
of all cargo entering the United States. We fully address CBP's comments
in the body of the report.

CBP maintains two overarching goals: (1) increasing security and (2)
facilitating legitimate trade and travel. Disruptions to the supply chain
could have immediate and significant economic impacts.3 For example, in
terms of containers, CBP data indicates that in 2003 about 90 percent of
the world's cargo moved by container.4 In the United States, almost half
of all incoming trade (by value) arrived by containers on board ships.
Almost 7 million cargo containers arrive and are offloaded at U.S.
seaports each year. Additionally, containers arrive via truck and rail.
Therefore, it is vital for CBP to try to strike a balance between its
antiterrorism efforts and facilitating the flow of legitimate
international trade and travel.

Background

    Vulnerability of the Supply Chain

The terrorist events of September 11, 2001, raised concerns about company
supply chains, particularly oceangoing cargo containers, potentially being
used to move weapons of mass destruction to the United States. An
extensive body of work on this subject by the Federal Bureau of

3A supply chain consists of all stages involved in fulfilling a customer
request, including the manufacturer, suppliers, transporters, warehouses,
and retailers.

4A container is a van, open-top trailer, or other similar trailer body on
or into which cargo is loaded and transported.

Investigation and academic, think tank, and business organizations
concluded that while the likelihood of such use of containers is
considered low, the movement of oceangoing containerized cargo is
vulnerable to some form of terrorist action. Such action, including
attempts to smuggle either fully assembled weapons of mass destruction or
their individual components, could lead to widespread death and damage.

The supply chain is particularly vulnerable to potential terrorists
because of the number of individual companies handling and moving cargo
through it. To move a container from production facilities overseas to
distribution points in the United States, an importer has multiple options
regarding the logistical process, such as routes and the selection of
freight carriers. For example, some importers might own and operate key
aspects of the overseas supply chain process, such as warehousing and
trucking operations. Alternatively, importers might contract with
logistical service providers, including freight consolidators and
nonvessel-operating common carriers. In addition, importers must choose
among various modes of transportation to use, such as rail, truck, or
barge, to move containers from the manufacturer's warehouse to the port of
lading. As shown in table 1, there are many players in the trade
community, each with a role in the supply chain.

Table 1: Roles of Trade Community Members in the Supply Chain

Trade community member Role in the supply chain

Air/rail/sea carriers Carriers transport cargo via air, rail, or sea.

Border highway carriers 	Highway carriers transport cargo for scheduled
and unscheduled operations via road across the Canadian and Mexican
borders.

Importers 	Importers, in the course of trade, bring articles of trade from
a foreign source into a domestic market.

Licensed customs brokers 	Brokers clear goods through customs. The
responsibilities of a broker include preparing the entry form and filing
it, advising the importer on duties to be paid, and arranging for delivery
to the importer.

Freight consolidators/ocean transportation A freight consolidator is a
firm that accepts partial container shipments from intermediaries and
nonvessel-operating common individual shippers and combines the shipments
into a single container for carriers delivery to the carrier. A
transportation intermediary facilitates transactions by

bringing buyers and sellers together. A nonvessel-operating common carrier
is a company that buys shipping space, through a special arrangement with
an ocean carrier, and resells the space to individual shippers.

Port authorities/terminal operators 	A port authority is an entity of
state or local government that owns, operates, or otherwise provides
wharf, dock, and other marine terminal investments at ports. Terminal
operator responsibilities include the overseeing and unloading of cargo
from ship to dock, checking the actual cargo against the ship's manifest
(list of goods), checking documents authorizing a truck to pick up cargo,
overseeing the loading and unloading of railroad cars, and so forth.

Source: GAO.

According to research initiated by the U.S. Department of Transportation's
Volpe National Transportation Systems Center, importers who own and
operate the entire supply chain route from start to finish suffer fewer
security breaches than others because they have greater control over their
supply chains.5 However, relatively few importers own and operate all key
aspects of the cargo container transportation process, relying instead on
second parties to move containerized cargo and prepare various
transportation documents.

5Department of Transportation Volpe National Transportation Systems
Center, Intermodal Cargo Transportation: Industry Best Security Practices
(Cambridge, Mass.: June 2002).

    CBP's Layered Enforcement Strategy

CBP has implemented a layered enforcement strategy to prevent terrorists
and weapons of mass destruction from entering the United States through
the supply chain.6 A key element of this strategy is CBP's targeting and
inspection of cargo that arrives at U.S. ports. For all arriving cargo
containers, CBP uses a targeting strategy that employs its computerized
targeting model, the Automated Targeting System (ATS). CBP uses ATS to
review container documentation and help select, or target, shipments for
additional documentary review or physical inspection. ATS is operated by
CBP's National Targeting Center and is characterized by CBP as an expert
system that uses hundreds of targeting rules to check available data for
every arriving container, assigning a risk characterization to each
container. The risk characterization helps to determine the type and level
of scrutiny a container will receive. For example, CBP could review the
container's bill of lading, examine the container with nonintrusive
inspection equipment (that is, X-ray), or physically open the container.
The extent of review varies, since according to CBP, the large volume of
imports and CBP's limited resources make it impossible to physically
inspect all containers without disrupting the flow of commerce.

Initiated in November 2001, C-TPAT is another element of CBP's layered
enforcement strategy. C-TPAT is a voluntary program designed to improve
the security of the international supply chain while maintaining an
efficient flow of goods. Under C-TPAT, CBP officials work in partnership
with private companies to review their supply chain security plans to
improve members' overall security. In return for committing to making
improvements to the security of their shipments by joining the program,
C-TPAT members may receive benefits that result in reduced scrutiny of
their shipments (e.g., reduced number of inspections or shorter border
wait times for their shipments). C-TPAT membership is open to U.S.-based
companies in the trade community, including (1) air/rail/sea carriers, (2)
border highway carriers, (3) importers, (4) licensed customs brokers, (5)
air freight consolidators and ocean transportation intermediaries and
nonvessel-operating common carriers, and (6) port authorities or terminal
operators.7 According to CBP officials, program membership has grown

6The layered enforcement strategy encompasses CBP programs including
C-TPAT (addressed in this report), as well as the Container Security
Initiative (CSI). CSI is an initiative whereby CBP places staff at
designated foreign seaports to work with foreign counterparts to identify
and inspect high-risk containers for weapons of mass destruction before
they are shipped to the United States. We are currently reviewing the CSI
program and a report is forthcoming.

7In addition, there are hundreds of foreign-based air, rail, sea, and
truck carriers certified in C-TPAT.

rapidly, and continued growth is expected, especially as member importers
are requiring their suppliers to become C-TPAT members. For example, as of
January 2003 approximately 1,700 companies had become C-TPAT members. By
May 2003, the number had nearly doubled to 3,355. According to CBP
officials, as of November 2004, the C-TPAT program had 7,312 members. For
fiscal year 2004, the C-TPAT budget was about $18 million, with a
requested budget for fiscal year 2005 of about $38 million for program
expansion efforts. As of August 2004, CBP had hired 40 supply chain
specialists, who are dedicated to serve as the principal advisers and
primary points of contact for C-TPAT members.8 The specialists are located
in Washington, D.C., Miami, Florida, Los Angeles, California, and New
York, New York.

CBP has a multistep review process for the C-TPAT program. As figure 1
shows, applicants first submit signed C-TPAT agreements affirming their
desire to participate in the voluntary program. Applicants must also
submit security profiles-executive summaries of their company's existing
supply chain security procedures-that follow guidelines jointly developed
by CBP and the trade community. These security profiles are to summarize
the applicant's current security procedures in areas such as physical
security, personnel security, and education and training awareness.9 CBP
established a certification process in which it reviews the applications
and profiles by comparing their contents with the security guidelines
jointly developed by CBP and the industry, looking for any weaknesses or
gaps in the descriptions of security procedures. Once any issues are
resolved to CBP's satisfaction, CBP signs the agreement and the company is
considered to be a certified C-TPAT member, eligible for program benefits.
Members that are not importers begin receiving benefits at this point, but
members that are importers must undergo another layer of review, as
described below. CBP encourages members to conduct self-assessments of
their security profiles each year to determine any significant changes and
to notify CBP. For example, members may be using new suppliers or new
trucking companies and would need to update their security profiles to
reflect these changes.

8For fiscal year 2004, CBP had authorization for 157 positions for supply
chain specialists and support staff, but as of August 2004 had hired only
40 specialists. CBP officials noted that the bureau recognizes the need
for additional permanent positions, and CBP plans to hire, train, and have
in place an additional 30 to 50 supply chain specialists by the end of
calendar year 2004.

9CBP established security guidelines to assist companies in completing
their security profiles. Each set of security guidelines is tailored
according to member type.

Figure 1: CBP's Review Process for C-TPAT Membership

Source: GAO and Nova Development Corporation.

For certified importers, CBP has an additional layer of review called the
vetting process in which CBP reviews information about an importer's
compliance with customs laws and regulations and violation history. CBP
requires the vetting process for certified importers as a condition of
granting them key program benefits. As part of the vetting process, CBP
obtains trade compliance and intelligence information on certified
importers from several data sources. If CBP gives the importer a favorable
review, benefits are to begin within a few weeks. If not, benefits are not
to be granted until successful completion of the validation process (see
below).

The final step in the review process is validation. CBP's stated purpose
for validations is to ensure that the security measures outlined in
certified members' security profiles and periodic self-assessments are
reliable, accurate, and effective. In the validation process, CBP staff
meet with company representatives to verify the supply chain security
measures contained in the company's security profile. The validation
process is designed to include visits to the company's domestic and,
potentially, foreign sites. The member and CBP jointly determine which
elements of the member's supply chain measures will be validated, as well
as which locations will be visited. Upon completion of the validation
process, CBP prepares a final validation report it presents to the company
that identifies any areas that need improvement and suggested corrective
actions, as well as a determination if program benefits are still
warranted for the member.

We have conducted previous reviews of the C-TPAT program and CBP's
targeting and inspection strategy. In July 2003, we reported that CBP's
management of C-TPAT had not evolved from a short-term focus to a longterm
strategic approach.10 We recommended that the Secretary of Homeland
Security work with the CBP Commissioner to develop (1) a strategic plan
that clearly lays out the program's goals, objectives, and detailed
implementation strategies; (2) performance measures that include
outcome-oriented indicators; and (3) a human capital plan that clearly
describes how C-TPAT will recruit, train, and retain new staff to meet the
program's growing demands as it implements new program elements. In March
2004, we testified that CBP's targeting system does not incorporate all
key elements of a risk management framework and recognized modeling
practices in assessing the risks posed by oceangoing cargo containers.11

  C-TPAT Benefits Reduce Scrutiny of Shipments

CBP officials cite numerous benefits to C-TPAT members. As table 2 shows,
these benefits may reduce the scrutiny of members' shipments. These
benefits are emphasized to the trade community through direct marketing in
presentations and via CBP's Web site. Although these benefits potentially
reduce the likelihood of inspection of members'

10GAO, Container Security: Expansion of Key Customs Programs Will Require
Greater Attention to Critical Success Factors, GAO-03-770, Washington,
D.C.: July 25, 2003.

11GAO, Homeland Security: Summary of Challenges Faced in the Targeting of
Oceangoing Cargo Containers for Inspection, GAO-04-557T, Washington, D.C.:
March 2004.

shipments, CBP officials noted that all shipments entering the United
States are subject to random inspections by CBP officials or inspections
by other agencies.

                      Table 2: Benefits for C-TPAT Members

Reduces amount of scrutiny provided for

Benefit members?

A reduced number of inspections and reduced border wait times Yes

Reduced selection rate for trade-related compliance Yes examinations

Self-policing and self-monitoring of security activities Yes

Access to the expedited cargo processing at designated FAST Yes
lanes (for certified highway carriers and certified importers along
the Canadian and Mexican borders, as well as for certified
Mexican manufacturers)

Eligible for the Importer Self-Assessment Program and has Yes
priority access to participate in other selected customs programs
(for certified importers only)

A C-TPAT supply chain specialist to serve as the CBP liaison for No
validations

Access to the C-TPAT members list No

Eligible to attend CBP-sponsored antiterrorism training seminars No

  CBP Grants Benefits before Verification of Security Procedures

Source: CBP's C-TPAT Strategic Plan, January 2005.

CBP has in place a two-pronged process to review members' qualifications
for program benefits. First, CBP has a certification process to review the
applications and security profiles submitted by applicants for any
weaknesses or gaps in security procedures. CBP officials told us that
during the certification process, it compares the members' security
profiles against the C-TPAT security guidelines. Under the process, if
there are any missing or unclear items, CBP is supposed to contact the
member for clarification of those items. If the issues are resolved, CBP
considers the member to be certified. However, if CBP determines that the
security profiles contain weaknesses, CBP is not supposed to certify the
member. According to CBP, approximately 20 percent of applications are not
immediately certified because of initial shortcomings with the security
profiles. However, CBP has stated that a company will not be rejected from
participating in C-TPAT if there are problems with its security profile.
Instead, CBP says it will work with companies to try to resolve and
overcome any deficiencies with the profile itself.

Second, CBP has in place a vetting process to assess the compliance and
violation history of importers before granting them benefits. If, in
conducting the vetting process, CBP finds no prior negative compliance,
violation, or intelligence information, it grants certified importers
program benefits. According to CBP, to date most certified members who
have been vetted have proven to have favorable or neutral importing
histories. CBP officials told us that not many members have been denied
benefits.

At the program's inception in November 2001, CBP began granting benefits
to applicants upon receipt of their application for C-TPAT membership
without any review of the applicants' paperwork. In February 2004, CBP
changed its policy to retroactively delay granting the benefits until
after CBP reviewed and certified applicants' security profiles and
completed the vetting process. By providing incentives to members to
implement certain security measures and performing various levels of
checks on these measures, the C-TPAT program aims to encourage the
reduction of vulnerability throughout the supply chain. CBP established a
certification process in which it reviews the applications and profiles by
comparing their contents with the security guidelines jointly developed by
CBP and the industry, looking for any weaknesses or gaps in the
descriptions of security procedures. The vetting process, which is
required for importers eligible to receive benefits, augments the
certification process by providing information about past compliance and
violations, which CBP officials told us may suggest whether members'
security practices have historically been effective at reducing
vulnerability to exploitation. In addition, the vetting process may
disclose threat concerns by pulling in information contained in
intelligence databases. Ultimately, however, neither the certification nor
vetting process provides an actual verification that the supply chain
security measures contained in the C-TPAT member's security profile are
accurate and are being followed before CBP grants the member benefits. A
direct examination of selected members security procedures is conducted
later as part of CBP's validation process, as discussed below.

After providing benefits, CBP has a validation process to verify C-TPAT
members' security measures have been implemented and that program benefits
should continue. However, we found weaknesses in the validation process in
that CBP has not taken a rigorous approach to conducting validations and
has not determined the extent to which validations are needed. These
weaknesses limit the bureau's ability to ensure that the program supports
the prevention of terrorists and terrorist weapons from entering the
United States.

  Weaknesses in Process for Verifying Security Procedures

    Validation Process Lacks Rigor to Achieve Stated Purpose

CBP's validation process is not rigorous enough to achieve its stated
purpose, which is to ensure that the security procedures outlined in
members' security profiles are reliable, accurate, and effective. While
C-TPAT's stated purpose for validations is to ensure that the member's
security measures are reliable, accurate, and effective, CBP officials
told us that validations are not considered independent audits and the
objectives, scope, and methodology of validations are jointly agreed upon
with the member representatives. CBP has indicated that it does not intend
for the validation process to be an exhaustive review of every security
measure at each originating location; rather it selects specific facets of
the members' security profiles to review for their reliability, accuracy,
and effectiveness. For example, the guidance to ocean carriers for
preparing a security profile directs the carriers to address, at a
minimum, three broad areas (security program, personnel security, and
service provider requirements), which contain several more specific
security measures, such as facilities security and pre-employment
screening. According to CBP officials, as well as our review of selected
case files, validations only examine a few facets of members' security
profiles. CBP supply chain specialists, who are responsible for conducting
most of the validations, are supposed to individually determine which
segments of a company's supply chain security will be suggested to the
member for validation. To assist in this decision, supply chain
specialists are supposed to compare a company's security profile, as well
as any selfassessments or other company materials or information
retrievable in national databases, against the C-TPAT security guidelines
to determine which elements of the profile will be validated. Once the
supply chain specialist determines the level and focus of the validation,
the specialist is supposed to contact the member company with a potential
agenda for the validation. The two parties then jointly reach agreement on
which security elements will be reviewed and which locations will be
visited.

CBP has no written guidelines for its supply chain specialist to indicate
what scope of effort is adequate for the validation to ensure that the
member's security measures are reliable, accurate, and effective, in part
because it seeks to emphasize the partnership nature of the program.
Importantly, CBP has no baseline standard for what minimally constitutes a
validation. CBP discourages supply chain specialists from developing a set
checklist of items to address during the validation, as CBP does not want
to give the appearance of conducting an audit. In addition, as discussed
later in the management section of this report, the validation reports we
reviewed did not consistently document how the elements of members'
security profiles were selected for validation.

    CBP Has Not Determined the Extent to Which Validations Are Needed

CBP has not determined the extent to which it must conduct validations of
members' security profiles to ensure that the operation of C-TPAT is
consistent with its overall approach to managing risk. In 3 years of
C-TPAT operation, CBP has validated about 10 percent of its certified
members. CBP's original goal was to validate all certified members within
3 years of certification. However, CBP officials told us that because of
rapid growth in program membership, it would not be possible to meet this
goal. In February 2004, CBP indicated that approximately 5,700 companies
had submitted signed agreements to participate in the program. As shown in
figure 2, by November 2004, the number of members had grown to over 7,000,
about 4,200 of which had been certified and thus eligible for validation.
According to CBP, as of November 2004, CBP staff had completed validations
of 409 companies, including 147 importers.

Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004

Source: GAO analysis of CBP data.

CBP has made efforts to hire additional supply chain specialists to handle
validations for the growing membership. As of August 2004, CBP had hired a
total of 40 supply chain specialists to conduct validations, with 24 field
office managers also available to conduct validations. CBP officials told
us the bureau is currently conducting as many validations as its resources
allow. However, CBP has not determined the number of supply chain
specialists it needs or the extent to which validations are needed to
provide reasonable assurance that it is employing a good risk management
approach for the program.

    CBP Considers Variety of Factors to Prioritize Validations

As noted above, CBP officials told us it would not be possible to meet the
goal of validating every member within 3 years of certification. Instead,
CBP is using what it calls a risk-based approach, which considers a
variety of factors to prioritize which members should be validated as
resources allow. CBP has an internal selection process it is supposed to
apply to all certified members. Under this process CBP officials are
supposed to prioritize members for validation based on established
criteria but may also consider other factors.

CBP officials noted that other factors could affect the prioritization of
members for validation. For example, recent seizures involving C-TPAT
members can affect validation priorities. If a member is involved in a
seizure, CBP officials noted that the member is supposed to lose program
benefits and be given top priority for a validation. In addition, CBP
officials told us that an importer that failed CBP's vetting process would
also be given top priority for a validation. CBP officials have taken this
approach because any importer that fails the vetting process is not
supposed to receive program benefits until after successful completion of
the validation process.

In August 2004, CBP began using a risk assessment tool developed for CBP's
regulatory audits to assist in its prioritization of importers for
validation. This tool ranks importers by risk according to factors such as
value of imports, import volume, and method of transportation used by the
importer for its goods.12 CBP tailored the tool to consider only those
factors it deemed relevant to C-TPAT. Applying the tool with this revised
set of factors, CBP officials told us they produced a list that ranked
each certified importer according to its risk. However, these ranked
importers are then re-evaluated, along with members from other trade
sectors, using CBP's internal selection process criteria. CBP officials
told us that the human element provided by their internal selection
process was important in prioritizing members for validation.

12CBP officials told us they are currently working to adapt the risk
assessment tool so that it can be applied to C-TPAT members from
additional trade sectors, such as brokers and carriers.

  Incomplete Progress in Addressing Management Weaknesses

CBP continues to expand the C-TPAT program without addressing management
weaknesses that could hinder the bureau from achieving the program's dual
goals of securing the flow of goods bound for the United States and
facilitating the flow of trade. In our July 2003 report, we recommended
that the Secretary of Homeland Security work with the CBP Commissioner to
develop (1) a strategic plan that clearly lays out the program's goals,
objectives, and detailed implementation strategies; (2) a human capital
plan that clearly describes how C-TPAT will recruit, train, and retain new
staff to meet the program's growing demands as it implements new program
elements; and (3) performance measures that include outcome-oriented
indicators. While CBP agreed with our July 2003 recommendations, to date
only one of them-the development of a strategic plan-has been implemented.
According to CBP, the bureau is continuing to work on the July 2003
recommendations, which are in different stages of review.

    CBP Has Finalized Its Strategic Plan

While a draft of this report was with DHS for comment, CBP issued a final
strategic plan for C-TPAT on January 13, 2005. Our brief review of this
plan indicates that it appears to clearly articulate the goals of the
program, their relationship to broader CBP goals, and strategies for
achieving them. For example, according to the plan there are five goals
for the C-TPAT program:

1. 	ensure that C-TPAT partners improve the security of their supply
chains pursuant to C-TPAT security criteria,

2. 	provide incentives and benefits to include expedited processing of
C-TPAT shipments to C-TPAT partners,

3. 	internationalize the core principles of C-TPAT through cooperation and
coordination with the international community,

4. support other CBP security and facilitation initiatives, and

5. improve administration of the C-TPAT program.

While we have not fully reviewed the strategic plan, it is a step in the
right direction, and we encourage CBP to ensure that future plans include
all of the key elements of a strategic plan as described in the Government
Performance and Results Act of 1993. Specifically, the formal strategic
plan should include a description of performance goals and how they are
related to the general goals and objectives of the program, as well as a

description of program evaluations, which are useful for identifying key
factors likely to affect program performance.

    CBP Has Not Completed a Human Capital Plan

As a companion to developing a strategic plan for C-TPAT, CBP is
developing an implementation plan to address the lower-level strategies
for carrying out the program's goals. CBP told us it is still developing
the implementation plan for the program but that it will include those
elements required in a human capital plan. For example, CBP said it has
developed new positions, training programs and materials, and a staffing
plan. Further, CBP said the C-TPAT program will continue to refine all
aspects of its human capital plan to include headquarters personnel,
additional training requirements, budget, and future personnel profiles.

    CBP Has Not Completed Development of Performance Measures

CBP has told us that it continues developing a comprehensive set of
performance measures and indicators for C-TPAT. In support of the
department's Future Years Homeland Security Program, CBP officials told us
has identified 21 budget subactivities (programs, including C-TPAT) and
has been tasked to develop two performance measures for each: (1) a main
measure that would reflect program outcomes and (2) an efficiency measure
that would reflect time or cost savings achieved through the program.
CBP's Director, Strategic Planning and Audit Division, Office of Policy
and Planning, noted that developing these measures for C-TPAT, as well as
other programs in the bureau, has been difficult. The director noted that
CBP lacks data necessary to exhibit whether a program has prevented or
deterred terrorist activity. For example, as noted in the C-TPAT strategic
plan, it is difficult to measure program effectiveness in terms of
deterrence because generally the direct impact on unlawful activity is
unknown. The plan also notes that while traditional workload measures are
a valuable indicator, they do not necessarily reflect the success or
failure of the bureau's efforts. CBP is working to collect more
substantive information-related to C-TPAT activities (i.e., current
workflow process)-to develop its performance measures. In commenting on a
draft of this report, CBP indicated it has developed initial measures for
the program but will continue to develop and refine these measures to
ensure program success.

CBP's Records CBP's record keeping for the program is incomplete, as key
decisions are Management Practices for not always documented and
programmatic information is not updated C-TPAT Are Inadequate regularly or
accurately. Federal regulations require that bureau record

keeping procedures provide documentation to facilitate review by

Congress and other authorized agencies of government. Further, standards
for internal control in the federal government require that all
transactions be clearly documented in a manner that is complete, accurate,
and useful to managers and others involved in evaluating operations.

To get a better understanding of the validation process, we asked CBP to
provide us with examples of company files for which validations had been
completed. CBP selected six members' files for us to review for some of
the initial validations the bureau conducted. During our review, it was
not always clear what aspect of the security profile was being validated
and why a particular site was selected at which to conduct the validation
because there was not always documentation of the decision-making process.
The aspects of the security profiles covered and sites visited did not
always appear to be the most relevant. For example, one validation report
we reviewed for a major retailer-one that imports the vast majority of its
goods from Asia-indicated that the validation team reviewed facilities in
Central America. CBP officials noted that it recently revised its
validation report format to better capture any justification for report
recommendations and best practices identified. CBP then provided us with
eight additional member files with more recently completed validation
reports. After reviewing the more recent validation reports contained in
these files, we noted that there appeared to be a greater discussion
related to the rationale for validating specific aspects of the security
profiles. However, these files did not consistently contain other
documentation of members' application, certification, vetting, receipt of
benefits, or validation. While files contained some of these elements,
they were generally not complete. In fact, most files did not usually
contain anything beyond copies of the member's C-TPAT agreement, security
profiles, and validation report. When we asked if CBP required its supply
chain specialists to document their communications with C-TPAT members,
CBP officials told us there has been no requirement that communications be
documented. For example, member files we reviewed contained no
documentation of communications between CBP and members regarding how the
scope of a validation was determined. Recently, supply chain specialists
located at CBP headquarters (but not at field offices) have been asked to
document all conversations with member companies on a spreadsheet, so that
each supply chain specialist will be aware of the outcomes of
conversations with member companies.

CBP does not update programmatic information regularly or accurately. In
particular, the reliability of CBP's database to track member status using
key dates in the application through validation processes is questionable.
The database, which is primarily used for documentation management and

Conclusions

workflow tracking, is not updated on a regular basis. In addition, C-TPAT
management told us that earlier data entered into the database may not be
accurate, and CBP has taken no systematic look at the reliability of the
database. CBP officials also told us that there are no written guidelines
for who should enter information into the database or how frequently the
database should be updated. We made several requests over a period of
weeks to review the contents of the database to analyze workload factors,
including the amount of time that each step in the C-TPAT application and
review process was taking. The database information that CBP ultimately
provided to us was incomplete, as many of the data fields were missing or
inaccurate. For example, more than 33 percent of the entries for
validation date were incomplete. In addition, data on the status of
companies undergoing the validation process was provided in hard copy only
and included no date information. CBP officials told us that they are
currently exploring other data management systems, working to develop a
new, single database that would capture pertinent data, as well as
developing a paperless environment for the program.

CBP's primary reliance on members' self-reporting about their security
procedures to receive C-TPAT benefits places added importance on the
validation process, which is CBP's method of verifying the effectiveness,
efficiency, and accuracy of the security profile. However, the weaknesses
in the validation process we found raise questions about its
effectiveness. CBP's validation process, the purpose of which is to ensure
that members' security measures are reliable, accurate, and effective, is
not rigorous enough to achieve CBP's goals because of the bureau's
consideration of the process as a joint, partnership review with the
member company. In this vein, without guidelines for what constitutes a
validation, CBP cannot be sure that it effectively and consistently
verifies a standard set of security measures to ensure some minimally
appropriate level of vulnerability reduction, nor can it apply a
methodical approach to assessing the security procedures. In addition, CBP
has not assessed the extent (in terms of numbers or percentage) to which
it must conduct validations to ensure that the C-TPAT program is
consistent with its overall approach to managing risk. Also, we found a
lack of clear documentation for the validation process. Because of these
weaknesses, CBP's ability to provide assurance that the program prevents
terrorists and terrorist weapons from entering the United States is
limited.

Finally, CBP has not completed corrective actions from our July 2003
report, which were meant to change the management of the program from a
short-term focus to a strategic focus. Specifically, CBP has not

completed (1) developing performance measures with which to measure the
program's success in achieving bureau goals and inform decisions for
process improvement and (2) developing a human capital plan to account for
how the program will recruit, train, and retain staff to achieve program
goals. CBP also does not have a basic records management system to ensure
adequate internal controls to manage the program. Because of these
management weaknesses, CBP will have difficulty effectively planning,
executing, and monitoring the program.

  Recommendations for Executive Action

Agency Comments and Our Evaluation

To help CBP achieve C-TPAT objectives and address the challenges
associated with its continued development, we recommend that the Secretary
of Homeland Security direct the Commissioner of U.S. Customs and Border
Protection to take the following five actions:

o  	strengthen the validation process by providing appropriate guidance to
specialists conducting validations, including what level of review is
adequate to determine whether member security practices are reliable,
accurate, and effective;

o  	determine the extent (in terms of numbers or percentage) to which
members should be validated in lieu of the original goal to validate all
members within 3 years of certification;

o  	complete the development of performance measures, to include
outcome-based measures and performance targets, to track the program's
status in meeting its strategic goals;

o  	complete a human capital plan that clearly describes how the C-TPAT
program will recruit, train, and retain sufficient staff to successfully
conduct the work of the program, including reviewing security profiles,
vetting, and conducting validations to mitigate program risk; and

o  	implement a records management system that accurately and timely
documents key decisions and significant operational events, including a
reliable system for (1) documenting and maintaining records of all
decisions in the application through validation processes, including but
not limited to documentation of the objectives, scope, methodologies, and
limitations of validations, and (2) tracking member status.

We provided a draft of this report to the Secretary of DHS for comment. We
received comments from the Commissioner of U.S. Customs and Border
Protection that are reprinted in appendix II. CBP generally agreed with
our recommendations and outlined actions it either had taken or was
planning to take to implement them.

CBP agreed with our two recommendations on validations and said it will
readdress the validation process. Specifically, CBP said that it was
developing standard operating procedures, guidance, and written baseline
criteria for the validation process, as well as an automated validation
tool to document validations. CBP also agreed to determine the extent to
which C-TPAT members should be validated, stating that it will develop
member selection criteria and an automated system to standardize and
assist in the selection of companies for validation. If properly
implemented, these actions should address the intent of these
recommendations.

Our draft report also included a recommendation to complete a formal
strategic plan that clearly articulates goals, linkages, and strategies.
While our draft report was with DHS for comment, CBP issued its final
strategic plan on January 13, 2005. Our brief review of this strategic
plan indicates that it appears to address the intent of our
recommendation. Therefore, we removed the recommendation from this report.
Nevertheless, as CBP further refines its strategic plan in the future, we
encourage CBP to include all of the key elements of a strategic plan as
described in the Government Performance and Results Act of 1993.
Specifically, the formal strategic plan should include a description of
performance goals and how they are related to the general goals and
objectives of the program, as well as a description of program
evaluations, which are useful for identifying key factors likely to affect
program performance.

CBP agreed with our recommendation on developing performance measures, and
has developed initial measures relating to membership, inspection
percentages, and validation effectiveness. CBP has developed new
performance measures for use in the FY 2006 Fiscal Year Homeland Security
Plan and plans to enlist the help of a contractor to develop other
outcome-based performance measures and targets. If properly implemented,
these plans should help address the intent of this recommendation.

In addressing our recommendation to complete a human capital plan for the
C-TPAT program, CBP told us it is still developing an implementation plan
for the program that will include those elements required in a human
capital plan. For example, CBP said it has developed new positions,
training programs and materials, and a staffing plan. Further, CBP said
the C-TPAT program will continue to refine all aspects of its human
capital plan to include headquarters personnel, additional training
requirements, budget, and future personnel profiles. If the final
implementation plan

contains these elements, the plan should address the intent of the
recommendation.

CBP agreed with our recommendation on implementing a records management
system that accurately and timely documents key decisions and significant
operational events. While its comments did not specify the nature or
capabilities of a new system, CBP indicated that in the near future, it
plans to automate every aspect of the C-TPAT program, both internally and
externally. In automating its system, to fully meet the intent of this
recommendation, CBP needs to ensure that the system addresses all aspects
of C-TPAT operations and that tracking member status is done timely,
accurately, and reliably.

Notwithstanding its general agreement with the recommendations, CBP
expressed some concerns regarding the report. In its general comments, CBP
said that C-TPAT is a voluntary program that is not designed to confirm
company compliance with regulatory requirements. Further, CBP said it is
very difficult for the U.S. government to regulate supply chain security
procedures outside the country. CBP also noted that it is looking to
establish more broadly applicable minimum security standards that may
build on C-TPAT requirements. Our report clearly notes that the program is
of a voluntary nature, designed around security guidelines jointly
developed by CBP and the trade community. The cooperation envisioned by
the C-TPAT program can build productive relationships and encourage supply
chain security. However, in accepting members into the program, CBP still
has the responsibility for verifying that security measures planned or
claimed by C-TPAT members are properly implemented and effective. This
program goes beyond trade facilitation in that it awards benefits that can
reduce the scrutiny given cargo containers arriving in the United States.
This is not a matter of regulating supply chain security in other
countries. Rather, it is a matter of providing a security benefit for
containers arriving at our nation's ports. If CBP does not ensure that
this important security-related benefit is deserved, it runs the risk of
overlooking potentially dangerous cargo during the inspection process.

CBP also said that the report's title is misleading, asserting that it
creates the improper impression that only the validation process ensures
adequate security for containerized cargo and does not place enough
emphasis on the certification and vetting processes, as well as omits that
C-TPAT cargo is not exempt from advance reporting requirements or
enforcement and security inspections, such as random inspections and
nonintrusive screening technology. Our report clearly describes the
various steps CBP takes in the overall cargo inspection process and how
the C-TPAT

program fits into that process. The report also clearly describes the
purpose of each process within the C-TPAT program, including the
validation process that is to determine whether C-TPAT members' security
procedures are accurate, reliable, and effective. We did modify the
report's title and, where appropriate, the text to better reflect the
report's focus on C-TPAT versus other programs in CBP's layered
enforcement strategy for cargo security. However, any weakness in C-TPAT
could weaken CBP's layered approach. Given that C-TPAT members enjoy
benefits that reduce the likelihood of an inspection of their cargo, not
having an effective validation process could serve to defeat the purposes
of the other enforcement layers.

Finally, CBP noted many benefits achieved under the C-TPAT program,
including that thousands of companies working as part of C-TPAT have taken
concrete steps to improve their security procedures and that C-TPAT has
fostered an expanding international dialogue on best security practices.
We agree that actions on the part of program members to shore up supply
chain security are valuable and desirable. Again, with the threat of
terrorism present in the global supply chain, we believe that verifying
that planned improvements are actually implemented and ensuring that
security controls are effective are important responsibilities that cannot
be achieved only with members self-reporting about their security
procedures.

CBP also offered technical comments and clarifications, which we
considered and incorporated where appropriate.

As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will provide copies of this report
to appropriate departments and interested congressional committees. We
will also make copies available to others upon request. In addition, the
report will be available on GAO's Web site http://www.gao.gov.

If you or your staff have any questions about this report, please contact
me
at (202) 512-8777 or at [email protected]. Key contributors to this report
are
listed in appendix III.

Richard M. Stana
Director, Homeland Security and Justice Issues

Appendix I: Objectives, Scope, and Methodology

  Objectives

Scope and Methodology

Data Reliability

We addressed the following questions regarding the U.S. Customs and Border
Protection's (CBP, formerly the U.S. Customs Service) Customs-Trade
Partnership Against Terrorism (C-TPAT):

o  What benefits does CBP provide to C-TPAT members?

o  	Before providing benefits, what approach does CBP take to determine
C-TPAT members' eligibility for them?

o  	After providing benefits, how does CBP verify that members have
implemented their security measures?

o  	To what extent has CBP developed strategies and related management
tools for achieving the program's goals?

To address these questions, we visited CBP's headquarters in Washington,
D.C., which manages the C-TPAT program. We interviewed CBP officials and
reviewed available data and documentation for the program. We reviewed
individual CBP files for a subset of C-TPAT members, including members
with responsibilities along various parts of the supply chain. We also
reviewed CBP's database for tracking member status in the program from the
program's inception through July 2004. All records in this database were
reviewed. We intended to use these data to select a random set of files to
review and to conduct analyses of workloads, but the data were not
reliable enough to do so (see below). Given the weaknesses in the files as
well as the data reliability issues, our review focused on identifying
C-TPAT's processes. Because of deficiencies in the files and database, we
were unable to verify the extent CBP actually follows these processes for
individual members. We also obtained the status of the agency's efforts to
implement our prior recommendations for the program, including the
completion of a strategic plan, a human capital plan, and performance
measures.

We conducted our work from February through December 2004 in accordance
with generally accepted government auditing standards.

To assess the reliability of CBP's database for tracking member status in
C-TPAT, we (1) reviewed existing documentation related to the data
sources, (2) electronically tested the data to identify obvious problems
with completeness or accuracy, and (3) interviewed knowledgeable bureau
officials about the data. Initial reliability testing of this database and
interviews of staff with responsibility for the program led us to conclude
that data used to track participant status had some serious reliability
weaknesses. We determined that using the data in certain cases, for
example, to calculate average times for phases of the membership

Appendix I: Objectives, Scope, and Methodology

process, might have led to an incorrect or misleading message. However, we
determined that the data were sufficiently reliable for limited use in
descriptions of the program status, such as the approximate numbers of
participants, because our analysis and discussions with CBP officials
assured us that those data fields were reasonably complete and accurate.

Appendix II: Comments from the Department of Homeland Security

Appendix II: Comments from the Department of Homeland Security

Appendix II: Comments from the Department of Homeland Security

Appendix II: Comments from the Department of Homeland Security

Appendix II: Comments from the Department of Homeland Security

This version of our report is unrestricted based on a security review by
CBP.

Appendix III: GAO Contacts and Staff Acknowledgments

GAO Contacts 	Richard M. Stana (202) 512-8777 Stephen L. Caldwell (202)
512-9610

Staff In addition to those named above, Kristy N. Brown, Kathryn E.
Godfrey, Wilfred B. Holloway, Stanley J. Kostyla, Shakira O'Neil, and
Deena D. Acknowledgments Richart made key contributions to this report.

Related GAO Products

Homeland Security: Process for Reporting Lessons Learned from Seaport
Exercises Needs Further Attention. GAO-05-170. Washington, D.C.: January
14, 2005.

Port Security: Planning Needed to Develop and Operate Maritime Worker
Identification Card Program. GAO-05-106. Washington, D.C.: December 10,
2004.

Maritime Security: Better Planning Needed to Help Ensure an Effective Port
Security Assessment Program. GAO-04-1062. Washington, D.C.: September 30,
2004.

Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. GAO-04-838. Washington, D.C.:
June 30, 2004.

Border Security: Agencies Need to Better Coordinate Their Strategies and
Operations on Federal Lands. GAO-04-590. Washington, D.C.: June 2004.

Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 31,
2004.

Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail
Security, but Significant Challenges Remain. GAO-04-598T. Washington,
D.C.: March 23, 2004.

Department of Homeland Security, Bureau of Customs and Border Protection:
Required Advance Electronic Presentation of Cargo Information.
GAO-04-319R. Washington, D.C.: December 18, 2003.

Homeland Security: Preliminary Observations on Efforts to Target Security
Inspections of Cargo Containers. GAO-04-325T. Washington, D.C.: December
16, 2003.

Posthearing Questions Related to Aviation and Port Security. GAO-04-315R.
Washington, D.C.: December 12, 2003.

Homeland Security: Risks Facing Key Border and Transportation Security
Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 19,
2003.

Related GAO Products

Maritime Security: Progress Made in Implementing Maritime Transportation
Security Act, but Concerns Remain. GAO-03-1155T. Washington, D.C.:
September 9, 2003.

Container Security: Expansion of Key Customs Programs Will Require Greater
Attention to Critical Success Factors. GAO-03-770. Washington, D.C.: July
25, 2003.

Homeland Security: Challenges Facing the Department of Homeland Security
in Balancing Its Border Security and Trade Facilitation Missions.
GAO-03-902T. Washington, D.C.: June 16, 2003.

Transportation Security: Federal Action Needed to Address Security
Challenges. GAO-03-843. Washington, D.C.: June 30, 2003.

Transportation Security: Post-September 11th Initiatives and Long-Term
Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003.

Border Security: Challenges in Implementing Border Technology.
GAO-03-546T. Washington, D.C.: March 12, 2003.

Customs Service: Acquisition and Deployment of Radiation Detection
Equipment. GAO-03-235T. Washington, D.C.: October 17, 2002.

Port Security: Nation Faces Formidable Challenges in Making New
Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002.

  GAO's Mission

Obtaining Copies of GAO Reports and Testimony

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone 	The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: 	Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

  To Report Fraud, Contact:

Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470

Gloria Jarmon, Managing Director, [email protected] (202)
512-4400Congressional U.S. Government Accountability Office, 441 G Street
NW, Room 7125 Relations Washington, D.C. 20548

Public Affairs 	Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

                           PRINTED ON RECYCLED PAPER
*** End of document. ***