Supply Chain Security: U.S. Customs and Border Protection Has	 
Enhanced Its Partnership with Import Trade Sectors, but 	 
Challenges Remain in Verifying Security Practices (25-APR-08,	 
GAO-08-240).							 
                                                                 
U.S. Customs and Border Protection (CBP) is responsible for	 
ensuring the security of cargo containers shipped into the United
States. To strike a balance between security and commerce, CBP	 
oversees the Customs-Trade Partnership Against Terrorism, or	 
C-TPAT program. As part of this program, CBP aims to secure the  
supply chain--the flow of goods from manufacturers to		 
retailers--through partnerships with international trade	 
companies. Member companies agree to allow CBP to validate their 
security practices and, in exchange, they are awarded benefits,  
such as reduced scrutiny of their cargo. In 2005, GAO reviewed	 
the C-TPAT program and noted operational challenges. For this	 
report, GAO was asked to assess the progress CBP has made since  
2005 in (1) improving its benefit award policies for C-TPAT	 
members, (2) addressing challenges in validating members'	 
security practices, and (3) addressing management and staffing	 
challenges. To perform this work, GAO analyzed a nonprobability  
sample of completed validations; reviewed annual, human capital, 
and strategic plans; and held discussions with CBP officials.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-240 					        
    ACCNO:   A81896						        
  TITLE:     Supply Chain Security: U.S. Customs and Border Protection
Has Enhanced Its Partnership with Import Trade Sectors, but	 
Challenges Remain in Verifying Security Practices		 
     DATE:   04/25/2008 
  SUBJECT:   Border control					 
	     Border security					 
	     Cargo security					 
	     Entry security					 
	     Homeland security					 
	     Human capital management				 
	     Import regulation					 
	     Import restriction 				 
	     International relations				 
	     International trade				 
	     International trade regulation			 
	     International trade restriction			 
	     Performance measures				 
	     Policy evaluation					 
	     Port security					 
	     Port security assessment program			 
	     Program evaluation 				 
	     Program management 				 
	     Records management 				 
	     Risk assessment					 
	     Risk factors					 
	     Risk management					 
	     Security assessments				 
	     Security policies					 
	     Security regulations				 
	     Security threats					 
	     Staff utilization					 
	     Supply chain management				 
	     Customs-Trade Partnership Against			 
	     Terrorism						 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-240

This is the accessible text file for GAO report number GAO-08-240 
entitled 'Supply Chain Security: U.S. Customs and Border Protection Has 
Enhanced Its Partnership with Important Trade Sectors, but Challenges 
Remain in Verifying Security Practices' which was released on May 27, 
2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

April 2008: 

Supply Chain Security: 

U.S. Customs and Border Protection Has Enhanced Its Partnership with 
Import Trade Sectors, but Challenges Remain in Verifying Security 
Practices: 

Supply Chain Security: 

GAO-08-240: 

GAO Highlights: 

Highlights of GAO-08-240, a report to congressional requesters. 

Why GAO Did This Study: 

U.S. Customs and Border Protection (CBP) is responsible for ensuring 
the security of cargo containers shipped into the United States. To 
strike a balance between security and commerce, CBP oversees the 
Customs-Trade Partnership Against Terrorism, or C-TPAT program. As part 
of this program, CBP aims to secure the supply chainï¿½the flow of goods 
from manufacturers to retailersï¿½through partnerships with international 
trade companies. Member companies agree to allow CBP to validate their 
security practices and, in exchange, they are awarded benefits, such as 
reduced scrutiny of their cargo. In 2005, GAO reviewed the C-TPAT 
program and noted operational challenges. For this report, GAO was 
asked to assess the progress CBP has made since 2005 in (1) improving 
its benefit award policies for C-TPAT members, (2) addressing 
challenges in validating membersï¿½ security practices, and (3) 
addressing management and staffing challenges. To perform this work, 
GAO analyzed a nonprobability sample of completed validations; reviewed 
annual, human capital, and strategic plans; and held discussions with 
CBP officials. 

What GAO Found: 

CBP has strengthened its policies for granting benefits to importers, C-
TPATï¿½s largest member sector, and is working to improve its policies 
for members in other trade sectors. For example, starting in March 
2005, CBP began requiring members in 9 out of the 10 trade sectors to 
meet minimum security criteria and it plans to finalize criteria for 
the tenth trade sector by mid-2008. CBP has also introduced a process 
that awards benefits for C-TPAT importers on a three-tiered basis, 
depending on validation of their security practices. CBP officials told 
us that they interpret the benefit tiering provisions of the Security 
and Accountability for Every Port Act of 2006 to apply mainly to 
importers. Nevertheless, CBP considered implementing tiered benefits 
for other trade sectors, but it has not been able to identify 
additional benefits to offer nonimporters in a tiered structure. 

CBP has taken steps to improve the security validation process, but 
still faces challenges in verifying that C-TPAT membersï¿½ security 
practices meet minimum criteria. CBP has sought to strengthen the 
validation process by providing appropriate guidance and developing a 
portable, electronic instrument to help ensure that validation 
information is consistently collected, documented, and uniformly 
applied to decisions regarding the awarding of benefits to C-TPAT 
members. However, the usefulness of the instrument is limited due to 
its default ï¿½noï¿½ responses. Specifically, if a response is marked ï¿½no,ï¿½ 
it is unclear whether a security specialist, who has the discretion to 
answer or not answer individual questions, intentionally answered the 
question or if the response was an automatic default. This factor 
limits the ability of CBP to validate security practices at member 
companies. 

CBP has taken actions to address C-TPAT management and staffing 
challenges, such as implementing a human capital plan, a records 
management system, and performance measures. While these actions have 
addressed a number of challenges, others remain. In particular, CBPï¿½s 
records management system does not include interim processing 
datesï¿½such as the date that security specialists send companies the 30-
day validation notification letterï¿½to enable management or others to 
determine CBPï¿½s compliance with program requirements. Further, although 
CBP has developed performance measures for facilitating the flow of 
commerce, it has not developed performance measures to assess the 
effectiveness of C-TPAT's efforts to improve supply chain security. 

What GAO Recommends: 

GAO is recommending that CBP improve its electronic validation 
instrument, improve the validation process, enhance its records 
management system, and establish performance measures for improving 
supply chain security. CBP concurred with each of the recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-240]. For more 
information, contact Stephen Caldwell at (202) 512-8777 or 
[email protected]. 

[End of section] 

Contents: 

Letter1: 

Results in Brief: 

Background: 

CBP Has Strengthened C-TPAT by Establishing Minimum Security Criteria 
and a Tiered Approach to Awarding Benefits to Importers: 

CBP Has Taken Steps to Improve Data Collected for Validation, but Still 
Faces Limitations to Assure Consistent Program Decisions and Effective 
Security: 

CBP Has Improved C-TPAT Management with Better Human Capital Planning 
and Record Keeping, but Establishing C-TPAT Program Performance 
Measures for Security Enhancement Remains a Challenge: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: CBP's Implementation of C-TPAT Third Party Validation 
Pilot: 

Appendix III: Comments from the Department of Homeland Security: 

Appendix IV: Data on C-TPAT Members Receiving Tiered Benefits: 

Appendix V: GAO Contacts and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: Roles of Trade Community Members in the Supply Chain: 

Table 2: Examples of Minimum Security Criteria That Trade Sectors Must 
Meet for C-TPAT Participation: 

Table 3: Summary of C-TPAT Tiered Benefits Structure from the SAFE Port 
Act: 

Table 4: CBP's Projected C-TPAT Staffing and Validation Workload for 
2007-2009: 

Table 5: Performance Measures Identified in the C-TPAT 2004 Strategic 
Plan: 

Table 6: Performance Measures Tracked for Evolving C-TPAT Strategic 
Plan Used by CBP, as of October 1, 2007: 

Table 7: Analysis of C-TPAT Member Status as of December 31, 2007: 

Figures: 

Figure 1: Key Points in the International Supply Chain Using Oceangoing 
Cargo Containers: 

Figure 2: Percent of C-TPAT Members by Trade Sector, as of September 
30, 2007: 

Figure 3: Overview of the C-TPAT Member Acceptance Process: 

Figure 4: C-TPAT Validation Overview--Key Processing Steps Used by 
Supply Chain Security Specialists (SCSS): 

Abbreviations: 

ATS: Automated Targeting System: 

CBP: Customs and Border Protection: 

CSI: Container Security Initiative: 

C-TPAT: Customs-Trade Partnership Against Terrorism: 

DHS: Department of Homeland Security: 

FAST: Free and Secure Trade: 

GPRA: Government Performance and Results Act: 

NII: nonintrusive inspection: 

SAFE Port Act: Security and Accountability for Every Port Act: 

SCSS: supply chain security specialist: 

VSAT: Validation Security Assessment Tool: 

WMD: weapon of mass destruction: 

United States Government Accountability Office: 

Washington, DC 20548: 

April 25, 2008: 

Congressional Requesters: 

In fiscal year 2007, more than 11 million oceangoing cargo containers 
carrying goods were offloaded at U.S. seaports. Facilitating the free 
flow of these goods while ensuring that the containers do not pose a 
threat to homeland security--whether by carrying weapons of mass 
destruction (WMD) or other dangerous materials--remains one of many 
challenges facing the Department of Homeland Security (DHS). 

In an effort to strike a balance between the need for security and free-
flowing maritime commerce, U.S. Customs and Border Protection (CBP)--a 
component of DHS responsible for protecting the nation's borders at and 
between official ports of entry--oversees the Customs- Trade 
Partnership Against Terrorism program, known as C-TPAT.[Footnote 1] 
CBP's port of entry responsibilities encompass 326 airports, seaports, 
and designated land borders. C-TPAT, which applies across all 
transportation modes, is a component of CBP's multifaceted approach for 
overseeing the security of containerized cargo and the international 
supply chain--the flow of goods from foreign manufacturers, suppliers, 
or vendors where such shipments originate to retailers. CBP's strategy 
also includes the following: 

* Advance information: Under its "24-hour Rule," CBP requires that 
carriers present complete vessel containerized cargo declarations to 
CBP 24 hours before loading such cargo aboard a vessel at foreign ports 
bound for the United States. 

* Automated advanced targeting: CBP officers evaluate cargo information 
forwarded from carriers before its arrival in the United States using 
the Automated Targeting System (ATS). The system, using a rules-based 
program, allows for uniform review of cargo shipments to identify the 
highest risk shipments, and presents data in a format to permit CBP 
officers to address specific intelligence threats and trends. 

* Use of non-intrusive inspection (NII) technology and mandatory exams 
for all high-risk shipments: CBP has deployed detection technologies to 
our nation's sea, air, and land border ports of entry that include 
large-scale X-ray and gamma-imaging systems as well as a variety of 
portable and hand-held technologies to enable CBP to inspect a larger 
portion of commercial traffic. 

* Container Security Initiative (CSI): Through CSI, CBP places staff at 
designated foreign seaports to work with its foreign counterparts to 
inspect high-risk cargo for WMD before the cargo is shipped to the 
United States.[Footnote 2] 

CBP initiated C-TPAT as part of its strategy in November 2001. C-TPAT 
aims to secure the flow of goods bound for the United States by 
developing a voluntary antiterrorism partnership with stakeholders of 
the international trade community comprised of importers; customs 
brokers; air, sea, and land carriers; and other logistics service 
providers such as freight consolidators and nonvessel common carriers. 
To join C-TPAT, a company submits a narrative security profile which 
CBP compares to its minimum security requirements for the company's 
trade sector. In what is referred to as vetting, CBP then reviews the 
company's compliance with customs laws and regulations and reviews any 
violation history to identify information that might preclude approval 
of benefits. Once any omissions, such as failure to address criteria, 
or other issues are resolved to CBP's satisfaction, CBP accepts the 
company's agreement to voluntarily participate in C-TPAT and the 
company becomes a certified C-TPAT member. Companies that join the 
program commit to improving the security of their supply chain and 
agree to provide CBP with information on their specific security 
measures. In addition, the companies agree to allow CBP to validate or 
verify, among other things, that their security measures meet or exceed 
the agency's minimum security requirements. The purpose of this latter 
step, referred to as validation, is to help CBP ensure that the 
security measures outlined in a member's security profile are actually 
in place and effective.[Footnote 3] In return, C-TPAT members are 
entitled to various benefits--chief among them, a reduced likelihood of 
scrutiny of their cargo. As of the end of 2007, CBP had awarded initial 
C-TPAT certification to 7,948 companies that accounted for 
approximately 30 percent of all U.S. imports.[Footnote 4] In addition, 
by the end of 2007, CBP had validated the security of 79 percent of 
certified C-TPAT members. 

In October 2006, the Security and Accountability for Every Port (or 
SAFE Port) Act of 2006 established a statutory framework for the C-TPAT 
program.[Footnote 5] In addition to formally establishing C-TPAT as a 
voluntary government-private sector program to strengthen and improve 
the overall security of the international supply chain, the act 
codified existing membership processes for C-TPAT and added new 
components, such as time frames for certifying, validating, and 
revalidating members' security practices. In addition, CBP--in 
recognition of the growing interdependence of nations that requires 
policymakers to work in partnerships across boundaries to achieve vital 
national goals--has engaged in outreach efforts through the World 
Customs Organization to improve the security of international trade by 
promoting an international framework of standards governing customs and 
related business relationships.[Footnote 6] These efforts have made C- 
TPAT a focal point for other countries wanting to establish similar 
customs-to-business partnership programs or, having programs, seeking 
reciprocal arrangements whereby one country can attain a certain level 
of assurance about and accept the customs security standards and 
practices and business partnership programs of another country. This 
attention places an added responsibility on CBP to effectively manage 
the C-TPAT program. 

Our prior work on C-TPAT has acknowledged that while the C-TPAT program 
holds promise as part of a maritime security strategy, it has faced 
management and operational challenges. In March 2005, for instance, we 
reported on weaknesses in CBP's approach to validating C-TPAT members 
seeking to take advantage of the program's benefits.[Footnote 7] In 
particular, we reported that these weaknesses compromised CBP's ability 
to verify that supply chain security measures, described in security 
information submitted by program members, were accurately reported and 
followed. In our July 2003 report, we identified other challenges with 
C-TPAT, including that the program lacked adequate performance measures 
and a human capital plan indicating how CBP intended to develop new 
staff to meet the program's growing demands.[Footnote 8] 

Recognizing the importance of the C-TPAT program, you asked us to 
conduct another review. For this report, we updated information from 
our 2005 report and addressed the following questions: 

* What has CBP done to strengthen its policies for awarding benefits to 
companies that participate in C-TPAT in response to our 2005 report? 

* What progress has CBP made in addressing challenges in its processes 
for validating C-TPAT companies' security processes that we identified 
in our 2005 report? 

* What actions has CBP taken since 2005 to address overall management 
and staffing challenges of the C-TPAT program and ensure that the 
program operates as intended? 

To address the first objective, we reviewed CBP's minimum security 
criteria and discussed its development with CBP and C-TPAT program 
officials. We also reviewed CBP's benefits for C-TPAT importers and 
subsequent requirements under the SAFE Port Act for granting benefits 
to C-TPAT participants. To address the second objective, we reviewed a 
nonprobability sample of 25 validations completed from March 1, 2006, 
through September 30, 2006. Our review included examining hard copy 
records and other data, such as comments or observations made by 
security specialists. The results of this review are not generalizable. 
However, because we selected the validation cases based on the variety 
of their field office location, role in the supply chain, use and 
nonuse of CBP's automated validation instrument, and type of validation 
questionnaire used, they provided us an overall understanding of the 
validation activities and documents that are collected during 
validation site visits. In CBP field locations where we performed the 
reviews, we also discussed the validation process with 11 supply chain 
security specialists who conduct C-TPAT validations. These specialists 
were selected based on their availability and their views are not 
generalizable beyond the group. Nonetheless, because the specialists 
were selected nonsystematically and by chance and included a wide range 
of experience in the specialist position, their interview statements 
provided broad-based, realistic personal descriptions of what occurs in 
CBP's validation process for C-TPAT members. We also obtained 
information on and reviewed CBP's application of an automated 
instrument that CBP developed for use in the validation process. In 
addition, we compared the criteria for importers to the three 
questionnaires used in the validation process. To address the third 
objective, we reviewed documentation on C-TPAT Portal--CBP's newly 
implemented records management system---and C-TPAT's 2007 annual plan, 
2005 human capital plan, and 2004 strategic plan. We supplemented our 
document reviews with discussions, as appropriate, with agency 
officials. 

We conducted this performance audit from May 2006 to April 2008 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. A more detailed discussion 
of our scope and methodology is contained in appendix I. 

Results in Brief: 

In response to our March 2005 recommendations and in accordance with 
the SAFE Port Act, CBP has strengthened its policies for granting 
benefits to importers--C-TPAT's largest member sector--and has efforts 
underway to improve its policies for granting benefits to C-TPAT 
members in other sectors. For example, between March 2005 and November 
2007, CBP established requirements for C-TPAT members in nine trade 
sectors to meet minimum security criteria for their specific trade 
sector, including importers and C-TPAT members in eight trade sectors 
other than importers: sea carriers; highway carriers; rail carriers; 
air carriers; foreign manufacturers; U.S. customs brokers; U.S. and 
foreign maritime port authorities and terminal operators; and long haul 
highway carriers in Mexico. In addition, CBP is finalizing criteria for 
the one remaining trade sector--freight consolidators/ocean 
transportation intermediaries and nonvessel operating common carriers-
-and plans to issue the criteria by mid-2008. CBP has also introduced a 
"tiered" benefits process, as provided in the SAFE Port Act, for C-TPAT 
importers, which account for about 48 percent of C-TPAT's members. CBP 
awards importers benefits on a three-tiered basis, depending in part on 
CBP's validation of the importers' sustained commitment to implementing 
certain supply chain security practices. CBP has not established the 
tiered benefits structure for the other C-TPAT trade sectors--about 52 
percent of C-TPAT's members. Rather, it grants these trade sectors 
certain benefits such as access to other C-TPAT members and attendance 
at CBP-sponsored security training upon their certification into the 
program. CBP officials told us that they interpret the benefit tiering 
provisions of the Safe Port Act to apply mainly to importers. 
Nevertheless, CBP has considered implementing tiered benefits for these 
other trade sectors, but it has not been able to identify additional 
benefits to offer nonimporters in a tiered structure. 

CBP has taken steps to improve the C-TPAT security validation process, 
but remains challenged to verify that C-TPAT members have security 
practices consistent with the minimum security criteria established for 
their particular trade sector. First, there are problems with the 
portable, personal computer-based data-gathering instrument that CBP 
has provided to its security specialists to help ensure that validation 
information is consistently collected, documented, and uniformly 
applied to decisions regarding the awarding of benefits to C-TPAT 
members. The SAFE Port Act requires that CBP have internal controls to 
provide a standardized work program for executing validations and other 
C-TPAT processes; however, we found that the instrument's design does 
not result in a consistent validation process. In particular, we found 
that the usefulness of the instrument is limited by the fact that it 
provides default "no" responses. For example, if a response is marked 
"no," it is unclear whether a security specialist, who has the 
discretion to answer or not answer individual questions, intentionally 
answered the question or if the response was an automatic default. 
Second, while the validation instrument allows specialists an 
opportunity to collect data on the results of members' internal or 
third-party audits and inspections of their supply chain security 
practices, CBP does not require security specialists to use these data 
in validating members' security practices as an alternative to direct 
testing, even though CBP views direct testing as impractical. Third, 
our work shows that CBP lacks a systematic process to ensure 
appropriate actions are taken in response to security specialists' 
recommendations in validation reports. Without such a key internal 
control, CBP does not have reasonable assurance that companies 
implement its recommendations to enhance supply chain security 
practices in accordance with CBP criteria. Until CBP overcomes these 
collective challenges, CBP will be unable to assure Congress and others 
that C-TPAT member companies that have been granted reduced scrutiny of 
their U.S.-bound containerized shipments actually employ adequate 
security practices. 

CBP has taken a number of actions to address C-TPAT management and 
staffing challenges, but continues to confront issues in effectively 
managing the program. To strengthen C-TPAT program management, CBP, 
among other things, developed a human capital plan, implemented a 
records management system for documenting program decisions, and put 
additional performance measures in place. In addition to developing a 
human capital plan to address C-TPAT staffing challenges, CBP increased 
the number of supply chain security specialists, and projected its 
resource needs in light of additional workload requirements included in 
the SAFE Port Act. CBP believes its current staffing level will allow 
it to meet the act's requirements through 2009. CBP also developed and 
implemented C-TPAT Portal--a centralized electronic records management 
system to facilitate information storage and sharing and communication 
with C-TPAT members. This system provides CBP capability to track the 
status of C-TPAT applicants and members to ensure that they are 
certified, validated, and revalidated in accordance with SAFE Port Act 
requirements. However, certain data are missing from Portal, including 
interim processing dates, such as the date the security specialist 
sends members the 30-day validation notification letter, and this 
inhibits management's ability to determine compliance with its 
requirements for managing and operating the C-TPAT program. This lack 
of data also precluded us from fully assessing a sample of C-TPAT 
members' records to determine compliance with the program's 
requirements, thus not meeting internal control standards that 
documentation should be readily available for examination. Finally, 
CBP's efforts to develop C-TPAT program performance measures have 
focused on program administration and participation, and the 
internationalization of C-TPAT principles. However, the difficulty of 
determining the deterrent effect of security practices continues to 
challenge CBP in seeking outcome-based performance measures for the 
effectiveness of C-TPAT's efforts to ensure improved supply chain 
security. For example, CBP has not collected data on the results of C- 
TPAT members' actions to enhance supply chain security. Moreover, the 
lack of security-specific performance measures limits CBP's ability to 
evaluate progress for this program goal. Nevertheless, CBP remains 
subject to the requirement that federal agencies develop outcome-based 
performance measures to assess program results. 

We are making recommendations to the Secretary of Homeland Security to 
direct the Commissioner of U.S. Customs and Border Protection to 
improve CBP's implementation of SAFE Port Act provisions and its 
ability to meet C-TPAT program goals by: (1) revising the electronic 
instrument used in validations to include appropriate response options 
and eliminate the use of default "no " responses; (2) requiring 
validations to include the review and assessment of any available 
results from audits, inspections, or other reviews of a member's supply 
chain security; (3) ensuring that C-TPAT validation report 
recommendations are implemented by establishing a policy for security 
specialists to follow up with member companies when CBP requires them 
to make security enhancements to ensure that the necessary steps are 
taken; (4) enhancing the C-TPAT records management system to completely 
document key data elements needed to track compliance with SAFE Port 
Act and other CBP internal requirements; and (5) identify and pursue 
opportunities in information collected during C-TPAT member processing 
activities that may provide direction for developing performance 
measures of enhanced supply chain security. 

We provided a draft of this report to the Secretary of Homeland 
Security for review and comment. We received comments from DHS and CBP 
that are reprinted in appendix III. DHS and CBP agreed with our 
recommendations and outlined actions that CBP plans to take to 
implement them. CBP also provided technical comments, which we have 
incorporated into the report as appropriate. 

Background: 

Vulnerability of the Supply Chain: 

Supply chain security is a principal element in the U.S. layered 
strategy to protect maritime commerce. In the post 9/11 environment, 
the movement of cargo containers in a supply chain from foreign 
manufacturers, suppliers, or vendors to retailers in the United States 
is vulnerable to terrorist action. Several studies of maritime security 
conducted by federal, academic, nonprofit, and business organizations 
have identified vulnerability in the movement of oceangoing cargo in 
containers. Every time responsibility for cargo in containers changes 
hands along the supply chain there is the potential for a security 
breach; thus, vulnerabilities exist that terrorists could exploit by, 
for example, placing a WMD into a container for shipment to the United 
States or elsewhere. While there have been no known incidents of 
containers being used to transport WMD, criminals have exploited 
containers for other illegal purposes, such as smuggling weapons, 
people, and illicit substances. Finally, while CBP has noted that the 
likelihood of terrorists smuggling WMD into the United States in cargo 
containers is low, the nation's vulnerability to this activity and the 
consequences of such an attack are potentially high. For example, in 
2002, Booz Allen Hamilton sponsored a simulated scenario in which the 
detonation of weapons smuggled in cargo containers shut down all U.S. 
seaports for 12 days. The results of the simulation estimated that the 
seaport closures could result in a loss of $58 billion in revenue to 
the U.S. economy along with significant disruptions to the movement of 
trade. 

According to research initiated by the U.S. Department of 
Transportation's Volpe National Transportation Systems Center, cargo 
security is affected by the number of individual companies contracted 
to facilitate the movement of cargo through its supply chain.[Footnote 
9] The National Strategy for Maritime Security stated that the 
complexity of the process for handling containerized shipments makes it 
more difficult to embed security practices and reduce vulnerabilities 
than for other types of cargo.[Footnote 10] Container ships carry cargo 
for thousands of companies and the containers are loaded individually 
away from the port. Each transfer of a container from one party to the 
next is a point of vulnerability in the supply chain. The security of 
each transfer facility and the trustworthiness of each company are, 
therefore, critical to the overall security of the shipment. Cargo must 
be loaded in containers at secure facilities and the integrity of the 
container must be maintained to its final destination. In addition, 
supply chain personnel need to employ various methods to prevent the 
misuse of containers and conveyances for transporting WMD and other 
illegal commodities, as well as to detect tampering. Further, supply 
chain personnel are to report any unlawful incidents to DHS and, when 
appropriate, resolve such incidents prior to the arrival of the 
identified containers in the United States. Therefore, embedding 
security practices and vulnerability reduction efforts into commercial 
practices for all key points in the international supply chain using 
oceangoing cargo containers--shown in figure 1--rests upon 
implementing, among other things, customs-to-business partnerships, 
such as C-TPAT. 

Figure 1: Key Points in the International Supply Chain Using Oceangoing 
Cargo Containers: 

This figure is a combination of photographs showing key points in the 
international supply chain using oceangoing cargo containers. 

[See PDF for image] 

Source: GAO. 

[End of figure] 

C-TPAT Program Structure and Membership: 

CBP conducts C-TPAT as a voluntary partnership program between the 
business community and CBP, designed to enhance the security of 
international supply chains to the United States, thus helping CBP to 
achieve its goals of homeland security and facilitation of trade by 
reducing the number of containers that otherwise might be screened for 
WMD because of risk considerations. CBP uses C-TPAT to pursue these 
goals by encouraging importers, freight forwarders, carriers, and other 
import logistics service companies to improve their security practices 
and to persuade their international supply chain service providers-- 
companies operating overseas and outside CBP's jurisdiction--to do the 
same. CBP accomplishes this through partnership agreements and by 
reviewing C-TPAT members' security practices. As a first step in C-TPAT 
membership, a company must sign an agreement with CBP signifying its 
commitment to enhance its supply chain security consistent with C-TPAT 
minimum security criteria and to work with its service providers to 
enhance security throughout its supply chain to the United States. The 
partnership agreements that C-TPAT members sign provide CBP with the 
authority it needs to conduct the program, including validating 
members' security practices and assessing the results of audits and 
internal reviews of member companies. 

Under C-TPAT, CBP officials work with private companies to review their 
supply chain security plans and improve members' overall security. In 
return, C-TPAT members may receive benefits, such as reduced scrutiny 
or expedited processing of their shipments. CBP data show that from 
2004 through 2006, C-TPAT members were responsible for importing about 
30 percent of U.S.-bound cargo containers, and specifically imported 
29.5 percent of the 11.7 million oceangoing cargo containers arriving 
at and offloaded in the United States during the first 9 months of 
2007. In September 2007, CBP had over 7,000 C-TPAT members from the 
import trade community that had various roles in the supply chain, as 
described in table 1. Importers, at 48 percent, were the largest C-TPAT 
member group and, as shown in figure 2, the remainder of about 52 
percent was distributed among nine other sectors that participate in 
international supply chains as business partners to importers. 

Figure 2: Percent of C-TPAT Members by Trade Sector, as of September 
30, 2007: 

This figure is a pie chart showing percent of C-TPAT members by trade 
sector, as of September 30, 2007. 

Importers: 48%; 
Highway carriers-U.S./Canada: 20%; 
Licensed U.S. customs brokers: 9%; 
Consolidators: 8%; 
Foreign manufacturers: 7%; 
Highway carriers-- U.S./Mexico: 5%; 
U.S. Marine port or terminal operators: 1%; 
Sea carriers: 1%. 

[See PDF for image] 

Source: GAO analysis of CBP data. 

Note: Percentages do not total 100 percent due to rounding and the 
exclusion of air carriers and rail carriers, each of which accounted 
for less than 1 percent of the C-TPAT program's membership. 

[End of figure] 

Other trade sectors that are not importers serve in various roles as 
business partners to importers including supplier, manufacturer, 
vendor, service provider, and customer. Nonimporters participating in C-
TPAT benefit by acquiring status as a "preferred importer business 
partner," which is a company that importers prefer to do business with 
based on the company's known acceptance of C-TPAT security 
requirements. According to CBP, the agency wants importing companies to 
have their business partners either join C-TPAT or adhere to C-TPAT 
security requirements. Table 1 describes the role of trade community 
members in the international supply chain. 

Table 1: Roles of Trade Community Members in the Supply Chain: 

Trade community member: Air/rail/sea carriers; 
Role in the supply chain: Carriers transport cargo via air, rail, or 
sea. 

Trade community member: Border highway carriers; 
Role in the supply chain: Highway carriers transport cargo for 
scheduled and unscheduled operations via road across the Canadian and 
Mexican borders. 

Trade community member: Importers; 
Role in the supply chain: Importers, in the course of trade, bring 
articles of trade from a foreign source into a domestic market. 

Trade community member: Licensed customs brokers; 
Role in the supply chain: Brokers clear goods through customs. The 
responsibilities of a broker include preparing the entry form and 
filing it, advising the importer on duties to be paid, and arranging 
for delivery to the importer. 

Trade community member: Freight consolidators/ocean transportation 
intermediaries and nonvessel-operating common carriers; 
Role in the supply chain: A freight consolidator is a firm that accepts 
partial container shipments from individual shippers and combines the 
shipments into a single container for delivery to the carrier. A 
transportation intermediary facilitates transactions by bringing buyers 
and sellers together. A nonvessel-operating common carrier is a company 
that buys shipping space through a special arrangement with an ocean 
carrier and resells the space to individual shippers. 

Trade community member: Port authorities/terminal operators; 
Role in the supply chain: A port authority is an entity of state or 
local government that owns, operates, or otherwise provides wharf, 
dock, and other marine terminal investments at ports. Terminal operator 
responsibilities include the overseeing and unloading of cargo from 
ship to dock, checking the actual cargo against the ship's manifest 
(list of goods), checking documents authorizing a truck to pick up 
cargo, overseeing the loading and unloading of railroad cars, and so 
forth. 

Source: GAO. 

[End of table] 

CBP hired 156 supply chain security specialists to provide services for 
C-TPAT members, as of September 2007 to, among other things, review the 
C-TPAT applicants' and members' security practices. The security 
specialists are located in five C-TPAT field offices: Washington, D.C; 
Miami, Florida; Los Angeles, California; Newark, New Jersey; and New 
York, New York. Overall, for fiscal year 2007, the C-TPAT budget was 
about $55 million. The budget for fiscal year 2008 was about $56 
million, and the budget for fiscal year 2009 is also about $56 million. 

CBP's Multistep Review Process for Accepting C-TPAT Members: 

CBP has a multistep review process for accepting businesses as members 
in the C-TPAT program and granting them benefits. As described in 
figure 3, the process consists of five steps: application, submission 
of a security profile, certification, vetting, and validation. 

Figure 3: Overview of the C-TPAT Member Acceptance Process: 

This figure is an overview of the C-TPAT member acceptance process. 

1. Application: 

Company submits information and agrees to voluntarily participate in C-
TPAT. 

2. Security Profile: 

Within 60 days of initial application, company is to submit a supply 
chain security profile meeting or exceeding C-TPATï¿½s minimum security 
criteria for the companyï¿½s trade sector. 

3. Certification: 90-day Review: 

CBP is to review the companyï¿½s supply chain security profile for 
consistency with C-TPATï¿½s minimum security criteria within 90 days of 
receipt, to the extent practicable. 

4. Vetting: Benefits Granted: 

CBP is also to conduct a vetting process by reviewing the compliance 
with customs laws and regulations and violation history of the company 
to identify any questionable information that might preclude approval 
of benefits. 

If the review is favorable, nonimporters are to receive benefits such 
as an assigned CBP liaison, access to C-TPAT partners, and attendance 
at CBP sponsored training. Importers are to receive Tier 1 reduced 
inspection benefits. 

5. Validation: Tier 2 or 3 Benefits Granted Importers: 

CBP is to conduct a validation of certified C-TPAT partners not later 
than 1 year after certification, to the extent practicable, to ensure 
they have implemented the security outlined in their supply chain 
security profiles and any supplemental information provided to CBP. 

Importers whose security measures are validated receive Tier 2 benefits 
that may include priority searches and reduced cargo examinations. 

If validation shows sustained commitment beyond what is minimally 
expected, the importer receives Tier 3 benefits such as expedited cargo 
release at U.S. ports at all threat levels, further reduction in cargo 
examinations, and participation in joint incident management exercises. 
Validated nonimporters receive no additional benefits.

[See PDF for image] 

Source: GAO. 

[End of figure] 

Companies first complete an online electronic application that includes 
submission of corporate information, a supply chain security profile, 
and an acknowledgement of an agreement to voluntarily participate. In 
completing the supply chain security profile, companies are to conduct 
a comprehensive self-assessment of their supply chain security 
procedures using the C-TPAT security criteria or guidelines that were 
jointly developed by CBP and the trade community for their specific 
participant category--such as U.S. importers or sea, rail, and highway 
carriers. These security profiles are to summarize the applicant's 
current security procedures in areas such as container security, 
personnel security, and security training and threat awareness. 

CBP next uses a certification process to review a new company's 
application and security profile by comparing their contents with 
security criteria, looking for any weaknesses or gaps in security 
procedures as described by the companies. In what is referred to as 
vetting, CBP also reviews the company's compliance with customs laws 
and regulations and reviews any violation history to identify 
information that might preclude approval of benefits. Once any 
omissions or issues are resolved to CBP's satisfaction, CBP accepts the 
company's agreement to voluntarily participate in C-TPAT and the 
company becomes a certified C-TPAT member, eligible for certain program 
benefits. The SAFE Port Act refers to certified members as "Tier 1 
participants" and provides that CBP is to offer them "limited 
benefits," such as a maximum 20 percent reduction in the score that CBP 
uses in identifying cargo for inspection that arrives at U.S. ports. 

CBP's final step in the review process for accepting new C-TPAT members 
is validating that the security measures outlined in a certified 
member's security profile are reliable, accurate, and effective. Member 
companies are selected for validation either on the basis of (1) a risk 
assessment; (2) CBP's election to focus on a particular country, 
industry, or commodity; (3) CBP headquarters' direction in accordance 
with a mandate, such as a SAFE Port Act requirement; or (4) meeting the 
SAFE Port Act requirement to complete validations not later than 1 year 
after certification, to the extent practicable. During the validation 
process, CBP security specialists meet with company representatives to 
verify that the supply chain security measures contained in the 
company's security profile are in place as described in the profile. If 
the company is an importer operating an international supply chain, the 
security specialists are to visit the company's domestic and foreign 
sites.[Footnote 11] The CBP security specialist assigned to a company 
identifies potential sites to visit based on research of the company's 
business history, import transportation modes, facility locations, and 
other factors. Preliminary selections are discussed with company 
officials and the C-TPAT program director provides final 
approval.[Footnote 12] To initiate the validation, the security 
specialist provides the member an outline of the discussion areas for 
meetings and site visits and a site visit agenda. Upon completion of 
the validation process, CBP prepares a final validation report it 
presents to the company. The report may include recommendations to 
improve security and required actions, if any, the member must take to 
conform to minimum security requirements, as well as a determination on 
whether the member should continue to receive program benefits and, if 
an importer, whether additional program benefits are warranted. The 
SAFE Port Act refers to validated members as Tier 2 participants and 
provides that CBP is to extend benefits to them, which may include 
reduced examinations of cargo, among other benefits. 

Once a C-TPAT member completes the validation process, CBP requires the 
member to perform an annual self-assessment--essentially an update of 
its security profile--that provides the member with an opportunity to 
review, update, or change its security procedures as needed. CBP 
requires its security specialists to annually certify that members 
complete the self-assessment, but does not subject each annual self- 
assessment to its validation process. Rather, CBP plans to revalidate 
members' security once every 3 years, as stated in the House 
Appropriations Committee report accompanying the fiscal year 2007 DHS 
appropriations bill.[Footnote 13] CBP began revalidations in early 
2007--about 3 years from the time the first C-TPAT members had been 
initially validated. As part of an overall revalidation strategy, CBP 
first performed annual revalidations of U.S./Mexico long haul highway 
carriers because of the high risk for drug trafficking and also 
conducted special revalidations for members involved in a serious 
violation, such as a drug seizure. 

SAFE Port Act and International Initiatives that Affect the C-TPAT 
Program: 

The SAFE Port Act provides a statutory framework for the C-TPAT 
program, which previously had been an agency initiative not 
specifically required by law. The act formally established the 
program's structure, including eligible participants, basic 
requirements, benefits, and operating processes. Moreover, the act 
mandated that the program have sufficient internal controls[Footnote 
14] to support C-TPAT management systems and include such elements as a 
strategic plan to identify outcome-based goals and performance 
measures; an annual plan to match available resources and projected 
workload; a standardized work program to execute its processes; and a 
record management system to document processing 
determinations.[Footnote 15] 

In recent years, CBP's international efforts have made C-TPAT a focus 
of other countries interested in developing similar customs-to-business 
partnership programs or considering arrangements with other countries 
to mutually accept the results of programs similar to C-TPAT. Foreign 
officials within the European Union and elsewhere have closely observed 
the C-TPAT program as one potential model for enhancing supply chain 
security. As we have previously reported and CBP has recognized, in 
security matters the United States is no longer self-contained, either 
in its problems or its solutions.[Footnote 16] The growing 
interdependence of nations requires policymakers to recognize the need 
to work in partnerships across boundaries to achieve vital national 
goals. For this reason, CBP has committed, through its strategic 
planning process, to promote an international framework of standards 
governing customs and related business relationships in order to 
enhance supply chain security. C-TPAT is one component of this ongoing, 
broad-based effort.[Footnote 17] 

CBP Has Strengthened C-TPAT by Establishing Minimum Security Criteria 
and a Tiered Approach to Awarding Benefits to Importers: 

In March 2005, we reported that CBP had not taken a rigorous approach 
to verifying C-TPAT members' supply chain security, thereby limiting 
its ability to ensure that the program helps prevent terrorism and that 
members are deserving of any C-TPAT benefits received.[Footnote 18] 
Since our report, CBP has acted on our recommendations to strengthen 
the security validation process by establishing minimum security 
criteria for the majority of C-TPAT members and providing a tiered 
structure for awarding benefits to importers. CBP also has actions 
underway to establish minimum security criteria for its remaining 
members. 

CBP Is Completing Its Establishment of Minimum Security Criteria for C- 
TPAT Members: 

Since March 2005, CBP has been working with the trade community to 
establish revised C-TPAT minimum security criteria for specific trade 
sectors to replace the more general security guidelines previously in 
effect for C-TPAT participation. As of November 2007, CBP had issued 
the revised criteria for 9 of the 10 trade sectors that participate in 
C-TPAT: importers, sea carriers, highway carriers, rail carriers, air 
carriers, foreign manufacturers, U.S. customs brokers, U.S. and foreign 
maritime port authorities and terminal operators, and long haul highway 
carriers in Mexico. The agency anticipates finalizing criteria for the 
remaining trade sector--freight consolidators/ocean transportation 
intermediaries and nonvessel-operating common carriers--and making it 
effective by mid-2008. According to CBP, defining the makeup of this 
sector is a challenge because of the variety of entities that may serve 
in this role. 

Overall, these criteria provide greater specificity about what is 
expected of the C-TPAT members. For example, the older, general 
guidance to foreign manufacturers required that "Where a manufacturer 
out sources or contracts elements of its supply chain, such as a 
transportation, conveyance, warehouseï¿½the manufacturer must work with 
these business partners to ensure that pertinent security measures are 
in place and adhered to throughout their supply chain." The minimum 
security criteria for foreign manufacturers now state that "Foreign 
manufacturers must have written and verifiable processes for the 
selection of business partners including, carriers, other 
manufacturers, product suppliersï¿½." 

Table 2 lists the trade sectors for which CBP has issued minimum 
security criteria and provides examples of the criteria established. 
The SAFE Port Act of 2006 ratified this approach, requiring that 
companies seeking to participate in C-TPAT maintain security measures 
and supply chain security practices in accordance with criteria 
established by CBP. 

Table 2: Examples of Minimum Security Criteria That Trade Sectors Must 
Meet for C-TPAT Participation: 

Trade sector: Importers; 
Examples of minimum security criteria: Written procedures must 
stipulate how seals are to be controlled and affixed to loaded 
containers; 
Month/year revised minimum criteria effective: March 2005. 

Trade sector: Sea carriers; 
Examples of minimum security criteria: A vessel visitor log must be 
maintained and a temporary visitor pass must be issued; 
Month/year revised minimum criteria effective: March 2006. 

Trade sector: Highway carriers; 
Examples of minimum security criteria: Trailers must be stored in a 
secure area to prevent unauthorized access and/or manipulation; 
Month/year revised minimum criteria effective: March 2006. 

Trade sector: Foreign manufacturers; 
Examples of minimum security criteria: To help ensure the integrity of 
cargo, procedures must be in place to ensure that information received 
from business partners is reported accurately and timely; 
Month/year revised minimum criteria effective: August 2006. 

Trade sector: Rail carriers; 
Examples of minimum security criteria: Rail carriers must have 
procedures in place for reporting unauthorized entry into rail cars and 
locomotives; 
Month/year revised minimum criteria effective: August 2006. 

Trade sector: U.S. customs brokers; 
Examples of minimum security criteria: For all brokers, procedures for 
the issuance, removal, and changing of access devices (e.g., keys, key 
cards, etc.) must be documented; 
Month/year revised minimum criteria effective: January 2007. 

Trade sector: U.S. and foreign marine port authorities and terminal 
operators; 
Examples of minimum security criteria: An employee identification 
system must be in place for positive identification and access control 
purposes; 
Month/year revised minimum criteria effective: August 2007. 

Trade sector: Long haul highway carriers in Mexico; 
Examples of minimum security criteria: Written procedures must exist 
which identify specific factors or practices, that may deem a shipment 
from a certain shipper of greater risk; 
Month/year revised minimum criteria effective: August 2007. 

Trade sector: Air carriers; 
Examples of minimum security criteria: Procedures must be in place to 
prevent, detect, or deter unmanifested material and unauthorized 
personnel from gaining access to aircraft, including concealment in 
cargo; 
Month/year revised minimum criteria effective: November 2007. 

Source: CBP. 

Note: CBP has not issued minimum security criteria for one trade 
sector--freight consolidators/ocean transportation intermediaries and 
nonvessel operating common carriers. CBP projects that criteria will be 
issued and effective for the trade group by mid-2008. 

[End of table] 

CBP Has Established Tiered Benefits for Importers: 

As another step to strengthen C-TPAT policies, CBP introduced a 
"tiered" benefits process for importers, whereby benefits are awarded 
on a tiered basis depending, in part, on CBP's validation to verify the 
importer's supply chain security plans and the extent to which 
importers demonstrated a sustained commitment to implementing minimum 
supply chain security practices. This tiered approach, which is now 
codified in the SAFE Port Act, addresses a problem we identified in our 
March 2005 report, namely, that CBP granted companies full C-TPAT 
benefits before verifying C-TPAT members' security procedures.[Footnote 
19] At that time, we reported that CBP's screening process for 
certifying and assessing member companies provided no actual 
verification that the security measures in the company's reported 
security profile were accurate and being followed before granting 
benefits. Under the new tiered approach, CBP postpones the granting of 
broader benefits for individual importers--who make up 48 percent of C-
TPAT members--until after it conducts a validation to verify the 
individual importer's supply chain security practices. 

While importers receive tiered benefits, other C-TPAT trade sectors-- 
which include sea carriers, highway carriers, U.S. marine and port 
terminal operators, foreign manufacturers, consolidators, and U.S. 
customs brokers and account for about 52 percent of C-TPAT members-- 
receive all benefits available to them, such as access to other C-TPAT 
members and attendance at CBP-sponsored security training, upon being 
certified into the program and before their security plans are 
verified. CBP considered the practicality and relevancy of implementing 
tiered benefits for the nonimporter trade sectors as well as importers, 
but CBP officials said they are having difficulty identifying 
additional benefits available to offer nonimporters in a tiered benefit 
structure. Specifically, CBP officials said that C-TPAT participants in 
these sectors generally derive their benefits from the business world 
in the form of increased marketability once they are designated a C- 
TPAT member. Hence CBP would have no additional benefits to offer these 
participants.[Footnote 20] 

While the SAFE Port Act provides for three tiers of participation and 
benefits for C-TPAT members, CBP officials told us that they interpret 
the benefit tiering provisions of the act to apply mainly to importers 
who use their international supply chains, consisting of the other 
trade sectors, to bring goods into the United States. Thus, although 
CBP acknowledges the act's tiered benefit structure, it believes the 
structure does not necessarily apply to all participants. 

When the SAFE Port Act established the statutory framework for the C- 
TPAT program, it set forth tiered benefits for all C-TPAT members, but 
provided examples of tiered benefits that apply only to importers. 
Specifically, as shown in table 3, the act established three tiers for 
granting C-TPAT members benefits and gave examples that describe the 
reduced likelihood of scrutiny or expedited processing of an importer's 
containerized cargo. 

Table 3: Summary of C-TPAT Tiered Benefits Structure from the SAFE Port 
Act: 

C-TPAT benefit level: Tier 1; 
When benefits are awarded: Upon CBP's certification of applicant as a C-
TPAT member; 
Time frame for benefits determination: Within 90 days of CBP's receipt 
of an application for C- TPAT membership, to the extent practicable; 
Benefit examples: May include: 
* a maximum 20 percent reduction in Automated Targeting System score 
for an importer. 

C-TPAT benefit level: Tier 2; 
When benefits are awarded: Upon validation of member's security 
measures and supply chain security practices; 
Time frame for benefits determination: Within 1 year of a member's 
certification into C-TPAT, to the extent practicable; 
Benefit examples: May include: 
* reduced scores in Automated Targeting System for importers; 
* reduced cargo examinations[A]; 
* priority cargo searches[B]. 

C-TPAT benefit level: Tier 3; 
When benefits are awarded: Upon validation that member demonstrates 
sustained commitment to maintaining measures and practices that exceed 
Tier 2 guidelines; 
Time frame for benefits determination: No time frame specified, but may 
be done as part of Tier 2 validation; 
Benefit examples: May include: 
* expedited release of cargo in U.S. ports at all threat levels 
designated by the Secretary, Homeland Security; 
* further reduction in cargo examinations; 
* priority cargo examinations; 
* further reduction in the Automated Targeting System risk score for 
importers; 
* inclusion in joint incident management exercises, as appropriate. 

Source: GAO. 

[A] An examination is an inspection of cargo to detect the presence of 
misdeclared, restricted, or prohibited items that utilizes nonintrusive 
imaging such as x-ray and detection technology. 

[B] A search is an intrusive examination in which a container is opened 
and its contents are unloaded and visually inspected for the presence 
of misdeclared, restricted, or prohibited items. 

[End of table] 

Tier 1 benefits are to be limited and may include a reduction in the 
score assigned a shipment through CBP's Automated Targeting System of 
not greater than 20 percent of the high-risk threshold established by 
the Secretary of Homeland Security.[Footnote 21] CBP is to determine, 
by comparing the applicant's security profile to established minimum 
security criteria or guidelines, whether a C-TPAT applicant is to be 
certified and granted benefits within 90 days of receiving the 
application, to the extent practicable. CBP must also vet the C-TPAT 
applicant by reviewing the applicant's compliance with customs laws and 
regulations and any violation history. If CBP gives the applicant a 
favorable review, the applicant is certified as a C-TPAT member and 
limited benefits can begin. 

Tier 2 or 3 benefits are to be determined based on CBP's validation 
results. After certifying a member into C-TPAT and granting limited 
Tier 1 benefits, CBP is to conduct the validation process to verify the 
member's security measures and practices. The SAFE Port Act provides 
that all C-TPAT participants undergo validation, including on-site 
assessments, within 1 year of certification as a Tier 1 participant, to 
the extent practicable. CBP is to extend benefits to each validated 
Tier 2 participant, which may include, in contrast to limited Tier 1 
benefits, further reductions in Automated Targeting System scores, 
reduced examinations of cargo, and priority searches of cargo. The act 
also provides for validation of C-TPAT members as Tier 3 participants 
if they demonstrate a sustained commitment to maintaining security 
measures and supply chain security practices that exceed Tier 2 
guidelines, but there is no deadline for making this determination. 
Upon Tier 3 validation, participants are to receive Tier 3 benefits, 
which may include further reductions in Automated Targeting System 
scores or cargo examinations, among other benefits. See appendix IV for 
data on C-TPAT members who have received tiered benefits through 
December 2007. 

CBP Has Taken Steps to Improve Data Collected for Validation, but Still 
Faces Limitations to Assure Consistent Program Decisions and Effective 
Security: 

The SAFE Port Act mandated that the C-TPAT program have sufficient 
internal controls to support C-TPAT management, including a 
standardized work program for validations. Standards for internal 
control in the federal government call for policies and procedures to 
ensure that the findings from audits and other reviews are promptly 
resolved. While CBP developed a personal-computer-based (PC-based) 
electronic instrument to help security specialists ensure that 
validation information is consistently collected, documented, and 
uniformly applied to decisions regarding the awarding of benefits to C- 
TPAT members, design problems with the instrument limit its 
effectiveness. Also, while the validation instrument allows specialists 
an opportunity to collect data on the results of members' internal or 
third-party audits and inspections of their supply chain security 
practices, CBP does not require security specialists to use these data 
in validating members' security practices as an alternative to direct 
testing, even though CBP views direct testing as impractical. Further, 
our work shows that CBP lacks a systematic process to ensure 
appropriate actions are taken in response to security specialists' 
recommendations in validation reports. Without such a key internal 
control, CBP does not have reasonable assurance that companies 
implement its recommendations to enhance supply chain security 
practices in accordance with CBP criteria. 

CBP Has Developed an Instrument to Collect Validation Data: 

In addition to its efforts to enhance the C-TPAT program's policies 
with minimum security criteria and tiered benefits, CBP has developed a 
portable, PC-based electronic instrument to help improve its process 
for collecting information during the validation process. In March 
2005, we recommended that CBP strengthen the validation process by 
providing appropriate guidance to security specialists conducting 
validations. CBP, partly in response to our recommendation, developed 
and implemented the Validation Security Assessment Tool (VSAT) to guide 
security specialists in performing validations, including data 
gathering and documentation.[Footnote 22] Prior to implementation of 
the VSAT in March 2006, C-TPAT did not have a consistent way to collect 
validation information. Rather, it was up to individual security 
specialists to determine how to verify supply chain security. With 
VSAT, security specialists are provided an electronic, PC-based 
instrument that contains a series of uniform questions within seven 
defined security areas that can be asked of C-TPAT member companies and 
their foreign supply chain partners during the validation process. 
Figure 4 provides an overview of the validation process and describes 
how security specialists are to use the VSAT in conducting validations. 

Figure 4: C-TPAT Validation Overview--Key Processing Steps Used by 
Supply Chain Security Specialists (SCSS): 

This figure is a chart showing C-TPAT validation overview--key 
processing steps used by supply chain security specialists (SCSS). 

1. Verify eligibility for validation: 

Verify: 

- completion of vetting; 

- company profile information is complete; 

- benefits status; 

- company status as "Certified"; 

* Ensure: - 30-day notice of validation sent to company; 

- all minimum security criteria have been met per security profile; 
security profile is approved; 

2. Research and plan: 

* Use open source data to determine companyï¿½s size, legal business 
designation, facility locations, business and import history, import 
transportation modes, membership in other CBP programs; 

* Identify potential visit sites, options to coordinate with other 
validations and CBP validation partner (e.g., field SCSS); 

3. Contact company and schedule validation: 

* Establish communication with partner point of contact; 

- discuss validation process; 

- provide outline of discussion areas for meeting(s) and site visits; 

- discuss visit sites/agenda; 

- advise of documentation needed; 

- determine legal/financial responsibility for cargo and who controls 
cargo within the supply chain; 

4. Preparation and local/HQ approval: 

* Input research data into Validation Security Assessment Tool (VSAT); 

* Identify type(s) of implementation evidence to be verified during 
visit/meeting; 

* Prepare/submit validation preparation outline for management 
approval; 

* Field Office Director/ Supervisory SCSS reviews outline/submits to C-
TPAT Program Director; 

* Program Director reviews/ approves Validation Preparation Outline; 

5. Conduct onsite validation: 

* Lasts 4 to 12 hours; 

* SCSS discusses validation process; 

* Company explains its risk analysis and security practices; 

* SCSS asks clarifying questions, follows up on security profile and 
gathers data on security vulnerabilities, gaps and risks; 

- SCSS may ask questions directly from VSAT or use VSAT to outline 
questions before meeting; 

* SCSS verifies/reviews evidence of security; tours facility; 

6. Close-out and determine C-TPAT status: 

* Conduct close-out meeting at or after final site visit; 

- inform C-TPAT partner of validation results; 

- make it clear that final status is determined by the C-TPAT Program 
Director based on the validation findings; 

* Analyze findings and recommend program status for company; 

7. Perform administrative tasks and develop validation report: 

* Upload VSAT data to portal within 7 days of foreign visit; 

* Immediately ask supervisor to upgrade benefits for eligible 
importers/change partner status to ï¿½validatedï¿½; 

* Notify supervisor immediately of companies recommended for suspension 
or removal; 

* Forward final report to field office director for approval - SCSS 
relies mainly on personal notes and recollections; 

* Forward reports recommending Tier 3 benefits to Director/ C-TPAT 
Industry Partnerships; verify information provided final authority 
rests with Executive Director, Cargo & Conveyance Security; 

* Send letter and final report to partner; 

8. Conduct follow-up/self-assessment/new validation 

* For validated companies meeting or exceeding criteria: 

- track progress of corrective actions in an action plan; 

- communicate regularly with partner; 

- check to see if partner has improved security; 

- ensure partner conducts an annual self-assessment; 

* For companies receiving a negative validation finding: 

- provide guidance to restore benefits; 

- track companyï¿½s progress and 

- conduct a new validation; 

[See PDF for image] 

Source: GAO and CBP. 

[End of figure] 

According to CBP, the VSAT was developed to help security specialists 
collect validation information in a consistent and uniform way and to 
measure the C-TPAT members' security from the foreign point where cargo 
is loaded into the container to the port where the container is loaded 
onto a vessel. The development of an instrument such as VSAT also helps 
CBP carry out the SAFE Port Act requirement that C-TPAT establish 
internal controls to help ensure that a standardized work program is 
used to execute validations and other C-TPAT management processes. 
Further, according to the VSAT requirements statement that initiated 
its development, CBP planned to eventually use the VSAT data, as they 
relate to C-TPAT member benefits, for direct input to its Automated 
Targeting System for identifying containerized shipments for inspection 
based on risk. 

CBP's VSAT Design Limits Its Usefulness for Providing a Standardized 
Validation Process: 

The VSAT, as envisioned by CBP, has the potential to strengthen C-TPAT 
processes. CBP officials see the VSAT as a way of addressing our 
earlier concerns with the adequacy and consistency of validations, as 
discussed in our March 2005 C-TPAT report.[Footnote 23] However, CBP's 
use of the VSAT to ensure that validation information is consistently 
collected, documented, and uniformly applied is limited. 

CBP's design of the VSAT does not provide for reliable analysis of data 
regarding verification of C-TPAT members' security practices. 
Specifically, the VSAT uses a binary format that requires security 
specialists to answer questions in a "yes/no" format with "no" being 
the default response. With this format, one cannot determine whether a 
"no" response denotes an intentional "no," "not applicable," or that 
the security specialist simply skipped or failed to complete the item. 
Determining the meaning of a "no" response is especially challenging 
considering that the VSAT consists of three electronic questionnaires 
that include a list of validation steps and questions that range from 
about 250 to more than 900 lines. Security specialists select the 
appropriate questionnaire to use in a validation and, even when the 
shortest questionnaire applies, the number of validation steps and 
questions posed is extensive. Further, the security specialists use 
their discretion to answer or not answer individual questions based on 
their assessment of the relevance of those questions to the companies' 
security practices. The reason for a "no" response is not accurately 
recorded unless the security specialist provides an explanatory note. 
While a "yes" response should mean that a security practice is in place 
or effective, overall analysis of VSAT data is not possible because of 
the uncertainty associated with the "no" responses. Consequently, the 
accuracy and reliability of the data associated with CBP's validation 
of C-TPAT members' security practices are unknown. 

CBP's Security Specialists Validate C-TPAT Members' Security Practices 
Based on Information Other than Testing Results: 

CBP accepts a company as a C-TPAT member and initiates benefits based 
on a CBP security specialist's favorable review of the security profile 
submitted by the company. The security specialist verifies only that 
the self-reported information meets C-TPAT's minimum security criteria. 
During the validation process, CBP security specialists gather 
information on security vulnerabilities, gaps, and risks through 
activities that include (1) asking questions about the company's 
security practices, (2) gathering information by observing physical 
security and reviewing policies and procedures, (3) identifying 
accountability for security, and (4) identifying any requirements the 
member may have for audits (or testing to be conducted) of its security 
measures to determine if the measures are working as intended. However, 
because of the voluntary nature of the C-TPAT program, limited 
resources, and limits to CBP's jurisdiction over international trade 
partners, it is impractical for CBP to directly test members' supply 
chain security practices. Without such testing, CBP is challenged to 
know that members' security measures are reliable, accurate, and 
effective--the stated purpose of the validation process. 

In addition to information CBP collects during the validation process, 
C-TPAT companies may perform ongoing monitoring of their supply chain 
security in the course of normal operations. The VSAT includes a 
variety of questions regarding member companies' actions to monitor 
security, including whether a company: (1) periodically inspects its 
security measures and documents the results, (2) has documented 
procedures to review the effectiveness of security, (3) performs 
security audits, or (4) monitors the security practices of contractors. 
Specialists are not required to use this information in making security 
assessments and, according to the 11 specialists that we interviewed, 
are not doing so. However, without using such information, CBP lacks 
assurance that C-TPAT is meeting its goal to enhance supply chain 
security. 

Consistent with Operating Procedures, CBP May Grant C-TPAT Benefits 
Before Members Implement Recommended Security Enhancements and Does Not 
Systematically Follow Up on Actions Taken: 

The SAFE Port Act mandated that the C-TPAT program have sufficient 
internal controls to support C-TPAT management systems, including a 
standardized work program to execute validation and other program 
processes. Once validation data collection is completed, the security 
specialist is to analyze the validation findings and formulate a 
recommendation on the C-TPAT program status for the company. However, 
at the conclusion of a validation site visit, CBP may award a company 
benefits before recommended actions to enhance security are 
implemented. This practice is within the scope of CBP's operating 
procedures for C-TPAT. The transmittal letter for the subsequently 
prepared validation report is to inform the importer of its eligibility 
for the new benefits status, even if the validation report includes 
required actions to meet minimum security requirements. The letter 
encourages the importer to comment on its plans to adopt the validation 
report's recommendations; however, the eligibility for benefits is not 
stated as being contingent upon the importer implementing the required 
actions. 

We examined three validation reports and their transmittal letters 
provided by CBP's Executive Director, Cargo and Conveyance Security, as 
typical examples. Two of the letters advised the C-TPAT member of Tier 
2 or Tier 3 eligibility, but also noted required actions to enhance 
security such as (1) having documentation that business partners are 
meeting C-TPAT security criteria or (2) having a system in place to 
identify abuse of the company's information technology system. Because 
the validation data provided by CBP did not include all items needed to 
analyze C-TPAT member processing, such as the date a company was 
selected for a security validation, we could not determine how often 
these situations have occurred or whether Tier 2 or Tier 3 benefits had 
been provided to members who had not yet implemented required actions 
to meet C-TPAT minimum security requirements. However, CBP's lack of 
systematic procedures to follow up and verify that validation 
recommendations are implemented is inconsistent with CBP's validation 
purpose to ensure that members' security practices meet or exceed C- 
TPAT minimum security criteria. 

Besides granting benefits before ensuring recommended actions are 
implemented, CBP's policy does not require its security specialists to 
systematically follow up to ensure that companies implement validation 
report recommendations to make their security practices consistent with 
minimum security criteria. Instead, security specialists are 
encouraged, for example, to track the progress of corrective actions a 
member is required to take, communicate regularly with the member, and 
check back occasionally to see if the member's security has changed or 
improved. Security specialists are also to ensure that C-TPAT members 
conduct an annual self-assessment and update their security profiles, 
but are not required to verify these profile changes. Further, when 
planning revalidations, security specialists are to consider sites 
visited during the previous validation that were the source of 
recommendations or required actions. However, the security specialists 
are not required to visit problem areas. Without requiring its security 
specialists to verify and document that C-TPAT members implement 
validation recommendations, CBP does not have sufficient internal 
controls to ensure member security consistent with minimum security 
criteria. Specifically, standards for internal control in the federal 
government call for policies and procedures to ensure that the findings 
audits and other reviews are promptly resolved. We addressed this issue 
with CBP officials. CBP's Executive Director, Cargo and Conveyance 
Security, agreed that CBP could do more to follow up on validation 
recommendations, but noted that security specialists use their 
discretion and take into account the severity of the security shortfall 
when making validation decisions. 

CBP Has Improved C-TPAT Management with Better Human Capital Planning 
and Record Keeping, but Establishing C-TPAT Program Performance 
Measures for Security Enhancement Remains a Challenge: 

Since our March 2005 report, CBP has implemented human capital 
planning, a records management system, and performance measures to 
strengthen C-TPAT program management in response to prior 
recommendations.[Footnote 24] In particular, CBP developed a human 
capital plan that addressed long-term staffing needs and described how 
the program will recruit, train, and retain staff to achieve program 
goals. CBP also implemented a records management system for documenting 
key program decisions, but the system does not include key dates to 
monitor C-TPAT processes. Further, CBP increased the number of 
performance measures for some aspects of the C-TPAT program, but CBP 
does not yet have performance measures to determine whether the program 
meets its security goals. While these efforts have helped to improve C- 
TPAT management, the challenges that remain limit CBP's ability to 
monitor C-TPAT program operations and to ensure that the program 
enhances the supply chain security of C-TPAT members. 

CBP Has Developed a Human Capital Plan and Has Increased the Number of 
Supply Chain Security Specialists to Address C-TPAT Staffing 
Challenges: 

In 2005, CBP implemented a C-TPAT human capital plan to systematically 
address long-term staffing needs. In our July 2003 and March 2005 
reports, we noted CBP's lack of a systematic plan to address the long- 
term staffing resources necessary to conduct C-TPAT program activities 
such as conducting validations, reviewing company security profiles, 
and vetting company histories.[Footnote 25] In addition to the human 
capital plan, CBP developed a formula for determining the number of 
validations that a security specialist can complete within 1 year, 
which it used for its workforce planning. Since implementation of the 
plan, CBP increased the C-TPAT staff by 280 percent--from 41 
specialists in 2005 to a total of 156 specialists as of September 2007. 
CBP officials reported that the increase in staff will allow C-TPAT to 
continue with current and future certification, validation, and 
revalidation workloads based on projected growth in program membership. 
Table 4 shows CBP's projected staffing and validation workload for 2007 
through 2009. [Footnote 26] 

Table 4: CBP's Projected C-TPAT Staffing and Validation Workload for 
2007-2009: 

Year: 2007; 
Supply chain security specialist staff: 150; 
Validations per staff per year: 20; 
Total validations based on staffing: 3,000; 
Initial validations: 2,200; 
Revalidations: 420; 
Annual validations for Mexican highway carriers: 286; 
Total validations based on workload: 2,906. 

Year: 2008; 
Supply chain security specialist staff: 150; 
Validations per staff per year: 20; 
Total validations based on staffing: 3,000; 
Initial validations: 1,500; 
Revalidations: 1,080; 
Annual validations for Mexican highway carriers: 400; 
Total validations based on workload: 2,980. 

Year: 2009; 
Supply chain security specialist staff: 200a; 
Validations per staff per year: 20; 
Total validations based on staffing: 4,000; 
Initial validations: 1,500; 
Revalidations: 2,400; 
Annual validations for Mexican highway carriers: 400; 
Total validations based on workload: 4,300. 

Source: GAO analysis of data provided by CBP. 

[A] Expected total staff includes an additional 50 specialists 
authorized by the SAFE Port Act. 

[End of table] 

The human capital plan also describes how the program will recruit, 
train, and retain staff to achieve program goals. CBP has expanded the 
program's recruitment process to target candidates with experience in 
intelligence and investigations since specialists hired in 2003 and 
2004 possess previous experience in supply chain security. New 
employees undergo a 2-week initial training program and also have 
opportunities for recurring training. In 2007, CBP issued an annual 
plan update for the C-TPAT program to address SAFE Port Act 
requirements. The act requires, among other things, that CBP (1) review 
all new applications for certification within 90 days, to the extent 
practicable; (2) conduct initial validation of all new certified 
members within 1 year of acceptance into the program, to the extent 
practicable; and (3) conduct revalidation of all members within 4 years 
of initial validation. CBP, however, plans to conduct revalidations 
every 3 years. The SAFE Port Act also authorized an additional 50 
specialists for CBP to meet additional workload requirements mandated 
by the SAFE Port Act. According to CBP officials, the agency's human 
capital plan and current program staffing level are sufficient to meet 
SAFE Port Act requirements for projected validation and revalidations 
for 2007 and 2008. CBP anticipates the additional 50 specialists will 
be available in the latter part of 2008 and will allow C-TPAT to meet 
its projected workload and remain compliant with SAFE Port Act 
requirements. 

CBP Has Implemented a Records Management System for Documenting Key 
Program Decisions, but Certain Key Dates Are Needed to Monitor C-TPAT 
Processes: 

In our March 2005 report, we recommended that CBP implement a records 
management system that accurately documents key decisions and 
significant operational events in a timely manner, including a reliable 
system for documenting and maintaining records of all decisions in the 
C-TPAT application through validation processes.[Footnote 27] In 
response to our recommendation, CBP has developed and implemented C- 
TPAT Portal, a centralized electronic records management system, to 
facilitate information storage, and secure interaction and 
communication with C-TPAT companies. According to CBP officials, C-TPAT 
Portal is the official records management system for the C-TPAT 
program. C-TPAT Portal provides real-time access to C-TPAT information, 
tools, and databases for C-TPAT members and staff. For example, the 
system enables CBP to track and ascertain the status of C-TPAT 
applicants and member companies to ensure that they are certified, 
validated, and revalidated within time frames specified in the SAFE 
Port Act. 

The SAFE Port Act requires CBP to maintain a records management system 
to document determinations on the reviews of each C-TPAT member, 
including certifications, validations, and revalidations. Standards for 
internal control in the federal government also require that all 
transactions be clearly documented in a manner that is complete, 
accurate, and useful to managers and others involved in evaluating 
operations. Prior to implementing C-TPAT Portal in May 2006, CBP lacked 
a basic records management system to document key decisions and to 
regularly and accurately update programmatic information.[Footnote 28] 
C-TPAT Portal is a substantial improvement in providing a framework for 
capturing data on C-TPAT members and core program activities. However, 
it does not contain certain data, including important processing dates. 

During our review, we obtained data from C-TPAT Portal on a sample of 
419 validations completed during March through September 2006.[Footnote 
29] We attempted to analyze CBP's time frames for processing the 
companies--from their application for C-TPAT membership through 
validation of their security profiles and the granting of C-TPAT 
benefits--but could not complete the analysis because CBP did not 
record certain key data elements in C-TPAT Portal. Specifically, based 
on our review of the C-TPAT membership processes and the data items in 
C-TPAT Portal, we found that 13 of the 27 data items needed for our 
analysis were not available in Portal. In particular, we found that 
while many key dates for core C-TPAT program activities were completed, 
other interim processing dates that reflect the internal process 
requirements were not available. The absence of such information from 
Portal not only prevents analysis by external agencies, but also limits 
CBP management's ability to monitor compliance with its requirements, 
assess the efficiency of C-TPAT operations, and determine that its 
processes are facilitating meeting time frames specified in the SAFE 
Port Act. For example, our analysis showed that Portal does not include 
data to determine whether security specialists are meeting the 
requirement to notify a company at least 30 days prior to a validation 
visit. The date of the initial validation meeting is captured in 
Portal, but the date that the security specialist sends the 30-day 
validation notification letter is not in Portal, making it impossible 
for CBP or reviewing agencies to determine whether C-TPAT is being run 
in accordance with the 30-day notice policy. Further, while Portal 
captures the date that VSAT data are uploaded to the Portal system, the 
date that a security specialist returns to his office after a foreign 
site validation visit is not captured. As a result, management is 
precluded from knowing whether security specialists are meeting CBP's 
requirement to complete the VSAT within 7 days of returning to their 
office from a foreign site visit. Without key data being available in 
Portal, we were not able to complete our assessment and CBP is limited 
in assessing the efficiency and effectiveness of C-TPAT. 

CBP Continues to Refine Performance Measures for the C-TPAT Program, 
but Challenges Remain: 

CBP has greatly expanded its C-TPAT program performance measures to 
focus on program participation, program administration, and the 
internationalization of C-TPAT principles.[Footnote 30] CBP has not 
yet, however, developed performance measures for efforts aimed at 
ensuring improved supply chain security of C-TPAT members--a goal of 
the program. CBP's activities to develop performance measures have 
focused on the areas mentioned and not on data collected during C-TPAT 
member processing activities that could support the development of 
performance measures for enhanced supply chain security. In our July 
2003 and March 2005 reports, we commented that CBP was developing 
performance measures with which to measure the program's success in 
achieving agency goals and inform decisions for process 
improvement.[Footnote 31] We recommended that CBP complete the 
development of performance measures, to include outcome-based measures 
and performance targets, to track the program's status in meeting its 
strategic goals.[Footnote 32] Furthermore, under the Government 
Performance and Results Act of 1993 (GPRA), federal agencies are to 
prepare an annual performance plan that establishes performance 
indicators to be used in measuring or assessing the relevant outputs, 
service levels, and outcomes of each of its program activities. 

CBP's November 2004 strategic plan identified seven performance 
measures that CBP developed for the C-TPAT program, consistent with 
recommendations in our 2003 and 2005 reports on the program. These 
measures, shown in table 5, reflect CBP's efforts in developing 
performance measures at the time the C-TPAT strategic plan was issued 
and are currently in effect. Table 5 also shows the performance data 
that CBP included for two of the seven measures in its fiscal year 2006 
performance and accountability report.[Footnote 33] 

Table 5: Performance Measures Identified in the C-TPAT 2004 Strategic 
Plan: 

Performance measure: Percent of sea container cargo transported by C- 
TPAT members; 
Program element or operational aspect addressed: Program partnership; 
Performance data: Target/actual: [Empty]; 
Performance data: FY 2005: [Empty]; 
Performance data: FY 2006: [Empty]; 
Performance data: FY 2007: [Empty]. 

Performance measure: Percent of value imported by C-TPAT importers; 
Program element or operational aspect addressed: Program partnership; 
Performance data: Target/actual: [Empty]; 
Performance data: FY 2005: [Empty]; 
Performance data: FY 2006: [Empty]; 
Performance data: FY 2007: [Empty]. 

Performance measure: Percent of C-TPAT importer volume; 
Program element or operational aspect addressed: Program partnership; 
Performance data: Target/actual: [Empty]; 
Performance data: FY 2005: [Empty]; 
Performance data: FY 2006: [Empty]; 
Performance data: FY 2007: [Empty]. 

Performance measure: Validation labor efficiency; 
Program element or operational aspect addressed: Internationalization 
efforts; 
Performance data: Target/actual: [Empty]; 
Performance data: FY 2005: [Empty]; 
Performance data: FY 2006: [Empty]; 
Performance data: FY 2007: [Empty]. 

Performance measure: Exam reduction ratio between C-TPAT and non-C-TPAT 
importers; 
Program element or operational aspect addressed: Internationalization 
efforts; 
Performance data: Target/actual: Target; 
Performance data: FY 2005: 3.5 times less; 
Performance data: FY 2006: 3.5 times less; 
Performance data: FY 2007: 3.5 times less. 

Performance measure: Exam reduction ratio between C-TPAT and non-C-TPAT 
importers; 
Program element or operational aspect addressed: Internationalization 
efforts; 
Performance data: Target/actual: Actual; 
Performance data: FY 2005: 4.1 times less; 
Performance data: FY 2006: 3.4 times less; 
Performance data: FY 2007: 3.5 times less. 

Performance measure: Compliance rate for C-TPAT members with program 
security guidelines; 
Program element or operational aspect addressed: Internationalization 
efforts; 
Performance data: Target/actual: Target; 
Performance data: FY 2005: 98%; 
Performance data: FY 2006: 90%; 
Performance data: FY 2007: 95%. 

Performance measure: Compliance rate for C-TPAT members with program 
security guidelines; 
Program element or operational aspect addressed: Internationalization 
efforts; 
Performance data: Target/actual: Actual; 
Performance data: FY 2005: 97%; 
Performance data: FY 2006: 98%; 
Performance data: FY 2007: 98%. 

Performance measure: Time savings to process US/Mexico FAST lane 
transactions; 
Program element or operational aspect addressed: Internationalization 
efforts; 
Performance data: Target/actual: [Empty]; 
Performance data: FY 2005: [Empty]; 
Performance data: FY 2006: [Empty]; 
Performance data: FY 2007: [Empty]. 

Source: CBP. 

Note: The targets for FY 2008 remained the same as for FY 2007. 
Performance data were not available for FY 2008. 

[End of table] 

C-TPAT officials have, as part of actions to revise the strategic plan, 
begun tracking additional measures of program partnership, program 
administration, and the internationalization of C-TPAT principles. As 
of October 1, 2007, the C-TPAT Director began requiring field directors 
and supervisors to collect data on 16 proposed measures, as shown in 
table 6. 

Table 6: Performance Measures Tracked for Evolving C-TPAT Strategic 
Plan Used by CBP, as of October 1, 2007: 

1; 
Performance measure: Reduced member examinations; 
Performance category: Program partnership; 
Target: 34.4%. 

2; 
Performance measure: Members' perceived faster or equal border crossing 
times; 
Performance category: Program partnership; 
Target: 85.9%. 

3; 
Performance measure: Members' intent to stay in C-TPAT; 
Performance category: Program partnership; 
Target: 91.5%. 

4; 
Performance measure: Members perceived timeliness of security 
specialists' responsiveness to questions; 
Performance category: Program partnership; 
Target: 83.8%. 

5; 
Performance measure: Members' perceptions of security specialists' 
knowledge level; 
Performance category: Program partnership; 
Target: 51.4%-very knowledgeable; 
34.4% - knowledgeable; 
and 9.8 % somewhat knowledgeable. 

6; 
Performance measure: Examination rate reduction ratio for C-TPAT 
importers compared to non C-TPAT importers; 
Performance category: Program partnership; 
Target: No fewer than 3.5 times less exams. 

7; 
Performance measure: Compliance measurement rate of C-TPAT importers 
compared to non C-TPAT importers; 
Performance category: Program partnership; 
Target: No significant deviation. 

8; 
Performance measure: Percentage of validations performed which result 
in suspension or removal of the member; 
Performance category: Program partnership; 
Target: 95% or higher compliance rate. 

9; 
Performance measure: Percentage of members suspended or removed as a 
result of a supply chain security breech; 
Performance category: Program partnership; 
Target: 95% or higher compliance rate. 

10; 
Performance measure: Percentage of applications reviewed within 90 days 
of receipt; 
Performance category: Program administration; 
Target: 100% compliance. 

11; 
Performance measure: Percentage of validations performed within 1 year 
of certification; 
Performance category: Program administration; 
Target: 100% compliance. 

12; 
Performance measure: Percentage of revalidations performed within 3 
years of original validation completion date; 
Performance category: Program administration; 
Target: 100% compliance. 

13; 
Performance measure: Percent of post incident analyses completed within 
30 days of actual incident; 
Performance category: Program administration; 
Target: 100% compliance. 

14; 
Performance measure: Random selection and review of two validations per 
security specialist and VSAT to ensure information is complete, timely, 
and is uploaded in the Portal; 
Performance category: Program administration; 
Target: 100% compliance. 

15; 
Performance measure: Number of foreign customs administrations' 
capacity building training activities supported annually; 
Performance category: Internationalization efforts; 
Target: CBP supports no fewer than 4 trainings per year. 

16; 
Performance measure: Number of countries that enter into formal mutual 
recognition arrangements with CBP annually; 
Performance category: Internationalization efforts; 
Target: CBP enters into mutual recognition arrangements with no fewer 
than 2 countries per year. 

Source: GAO analysis of CBP data. 

[End of table] 

CBP developed these measures to address various aspects of the C-TPAT 
program--including management oversight, program benefits and costs, 
member satisfaction, and internationalization of C-TPAT principles-- 
and to record program activity. The absence of performance measures for 
enhanced security indicates that CBP has yet to develop measures that 
assess C-TPAT's progress toward achieving its strategic goal to ensure 
that its members improve the security of their supply chains pursuant 
to C-TPAT security criteria. 

As part of its effort to develop additional performance measures, CBP-
-in response to one of our 2005 recommendations--funded a university 
research initiative to identify how C-TPAT has affected the operations 
of member companies and the perceived membership incentives and 
benefits. The University of Virginia Center for Survey Research 
conducted a survey of certified C-TPAT members as of December 1, 2006, 
and 1,756 of nearly 6,000 companies (29 percent) responded. The survey 
respondents provided their perceptions about costs, benefits, and 
impacts of participation in the C-TPAT program. However, given that the 
response rate was only 29 percent, and absent any additional data that 
would suggest that the respondents were representative of the C-TPAT 
membership, we cannot determine whether the results of the survey are 
truly representative of the views of the C-TPAT membership as a whole. 

The report that the University of Virginia issued in August 2007 in 
response to this survey affirmed that a majority of C-TPAT members 
responding stated they would remain in the program. The report also 
stated that a majority of the C-TPAT members identified as importers 
said that an extremely important motivation for joining the C-TPAT 
program is reducing disruptions in the supply chain. In addition, all 
businesses responding stated that they joined the C-TPAT program to 
reduce the time and cost of cargo getting released by CBP and viewed 
implementation and maintenance of physical security and maintenance of 
in-house education, training, and awareness as significant costs of 
program membership. Additionally, nearly one-third of the C-TPAT 
members who responded believed the program benefits outweighed costs 
and nearly a quarter of members who responded believed costs were 
roughly the same as benefits. Also, at a minimum, about one-quarter of 
C-TPAT member survey respondents noted that tangible benefits included 
improvements in workforce security, time of release and inspection of 
cargo by CBP, and predictability in moving goods. Further, over one- 
half of C-TPAT members responding identified enhanced cargo security, 
demonstration of corporate citizenship, and improved risk management as 
extremely important intangible benefits. In contrast, more than half of 
nonimporters that responded indicated that they joined the C-TPAT 
program because their business members required them to be C-TPAT 
certified. While these study results indicated the benefits and costs 
of C-TPAT membership as expressed by survey respondents, the study was 
not designed to assess C-TPAT's impact on supply chain security. 

CBP collects information in its C-TPAT member processing activities 
that may provide direction for developing performance measures of 
enhanced supply chain security. For example, during the course of a 
company's membership in C-TPAT, CBP security specialists observe the 
company's security practices from the filing of the company's initial 
security profile through validation of its practices and the filing of 
annual company security profile updates. Thus, CBP is in a position to 
identify security changes and improvements that could provide a measure 
of enhanced supply chain security. The recommendations in validation 
reports represent opportunities for companies to improve their supply 
chain security and could point to areas where C-TPAT has a measurable 
impact. With an appropriate recommendation follow-up system to document 
companies' security improvements, CBP could develop measures of 
improved supply chain security. Similar opportunities occur with 
revalidations and C-TPAT members' annual security profile updates. If 
CBP does the appropriate follow up and review to determine that 
proposed or stated security actions have actually been implemented, 
supply chain security could be enhanced. For example, if security data 
collected using VSAT show that a periodic company inspection identified 
a security weakness that the company resolved, CBP could track and 
summarize such examples over time as measures of the extent to which C- 
TPAT has contributed to enhanced supply chain security. 

We acknowledge and accept CBP's assessment that the challenge to 
develop outcome-based performance measures for C-TPAT is a difficult 
one given that effectiveness is difficult to measure in terms of 
deterrence because the direct impact of a program on unlawful activity 
is generally unknown. However, CBP remains subject to the GPRA 
requirement that federal agencies develop outcome-based measures to 
assess the results of a program activity compared to its intended 
purpose. Without outcome-based performance measures on which to base 
program evaluations, CBP will not be able to assess the effectiveness 
of C-TPAT as it contributes to homeland security. 

Conclusions: 

CBP has taken valuable steps in developing partnerships within the 
trade community to improve supply chain security while maintaining the 
flow of commerce. Developing partnerships is particularly challenging 
given the international nature of the trade community and the resulting 
limits on CBP's jurisdiction and activities. While the benefits offered 
through C-TPAT make membership worthwhile for many companies, it is 
vital that CBP maintain adequate internal controls to ensure that 
member companies deserve these benefits. CBP has been responsive to our 
prior concerns but still needs to take several important steps to 
provide Congress with further assurance that C-TPAT is working as 
intended. 

CBP developed the VSAT to conduct more consistent validations, but the 
VSAT is limited in its effectiveness. CBP also does not follow up on 
validation report recommendations to determine if members are actually 
implementing measures to enhance supply chain security. This represents 
another lost opportunity to fulfill the very purpose of validations. 
Moreover, data from validations are not being routinely used to inform 
CBP about strengths and vulnerabilities in C-TPAT members' supply chain 
security. Collectively, these data could make it possible for CBP to 
move closer to establishing performance measures for supply chain 
security. 

Further, a review of selected records in C-TPAT Portal showed that 
security specialists often omitted entering interim processing dates 
into the system--dates which would document processing times and 
company waiting periods. Without these dates, CBP cannot determine 
whether its processes are facilitating the meeting of time frames 
specified in the SAFE Port Act or ensuring it is meeting its own 
standards. Finally, without outcome-based performance measures on which 
to evaluate the program, CBP will not be able to assess the 
effectiveness of C-TPAT as it contributes to homeland security. 

Recommendations for Executive Action: 

To improve CBP's implementation of SAFE Port Act provisions and to 
strengthen C-TPAT program management, ensure adequate internal controls 
to manage the program, provide management with complete program data 
for decision making, and establish indicators of the program's impact 
on supply chain security, we recommend that the Secretary of Homeland 
Security direct the Commissioner of U.S. Customs and Border Protection 
to take the following five actions: 

Continue to improve the consistency with which validations are 
conducted and documented by revising the electronic instrument used in 
validations to include appropriate response options and eliminate the 
use of default "no" responses. 

Strengthen the evaluation of security during validations by requiring 
validations to include the review and assessment of any available 
results from audits, inspections, or other reviews of a member's supply 
chain security. 

Ensure that C-TPAT validation report recommendations are implemented by 
establishing a policy for security specialists to follow up with member 
companies when CBP requires them to make security enhancements to 
ensure that the necessary steps are taken. 

Ensure that the C-TPAT Portal records management system completely 
documents key data elements needed to track compliance with SAFE Port 
Act and other CBP internal requirements. 

Identify and pursue opportunities in information collected during C- 
TPAT member processing activities that may provide direction for 
developing performance measures of enhanced supply chain security. 

Agency Comments: 

We provided a draft of this report to the Secretary of Homeland 
Security for review and comment. We received comments from DHS and CBP 
that are reprinted in appendix III. DHS and CBP agreed with our 
recommendations and outlined actions that CBP plans to take to 
implement them. CBP also provided technical comments, which we have 
incorporated into the report as appropriate. 

We plan no further distribution of this report until 30 days after its 
issue date. At that time, we will provide copies of this report to 
appropriate departments and interested congressional committees. We 
will also make copies available to others upon request. In addition, 
the report will be available at no charge on GAO's Web site [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-9610 or at [email protected]. Key contributors 
to this report are listed in appendix V. 

Signed by: 

Stephen L. Caldwell: 

Director, Homeland Security and Justice Issues: 

List of Congressional Requesters: 

The Honorable Daniel K. Inouye, Chairman: 
The Honorable Ted Stevens, Vice Chairman: 
Committee on Commerce, Science, and Transportation: 
United States Senate: 

The Honorable Joseph I. Lieberman, Chairman: 
The Honorable Susan M. Collins, Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Carl Levin, Chairman: 
The Honorable Norm Coleman, Ranking Member: 
Permanent Subcommittee on Investigations: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable John D. Dingell, Chairman: 
Committee on Energy and Commerce: 
House of Representatives: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Objectives: 

This appendix discusses the objectives, scope and methodology of our 
review of the U.S. Customs and Border Protection's (CBP) Customs-Trade 
Partnership Against Terrorism (C-TPAT) program. In our March 2005 
report on C-TPAT,[Footnote 34] we made several recommendations to help 
CBP achieve C-TPAT objectives and address the challenges associated 
with its continued development, including recommendations to (1) 
strengthen the validation process by providing appropriate guidance to 
security specialists conducting validations; (2) implement a records 
management system that accurately and timely documents key decisions 
and significant operational events; and (3) complete the development of 
performance measures, to include outcome-based measures and performance 
targets. Recognizing the importance of the C-TPAT program, 
congressional requesters asked GAO to conduct another review. The 
following discussion addresses our objectives and how we performed the 
review. 

We addressed the following questions regarding C-TPAT: 

* What has CBP done to strengthen its policies for awarding benefits to 
companies that participate in C-TPAT in response to our 2005 report? 

* What progress has CBP made in addressing challenges in its processes 
for validating C-TPAT companies' security processes that we identified 
in our 2005 report? 

* What actions has CBP taken since 2005 to address overall management 
and staffing challenges of the C-TPAT program and ensure that the 
program operates as intended? 

Scope and Methodology: 

To address the three questions or objectives, we discussed C-TPAT 
program operations with officials from CBP headquarters in Washington, 
D.C. and the five C-TPAT field locations: (1) Washington, D.C; (2) Los 
Angeles, California; (3) Miami, Florida; (4) Newark, New Jersey; and 
(5) New York, New York. We reviewed current federal laws and 
regulations including the Security and Accountability for Every Port 
(SAFE Port) Act of 2006. We also reviewed pertinent GAO reports. 

More specifically, to address our first objective on policies for 
awarding benefits to C-TPAT participants, we reviewed CBP's minimum 
security criteria that had been issued as of November 2007. We 
discussed the criteria's development with CBP and C-TPAT program 
officials. We also reviewed CBP's tiered benefits structure for C-TPAT 
importers and subsequent requirements under the SAFE Port Act for 
tiering the benefits awarded C-TPAT participants. The tiered benefits 
concept involves providing limited benefits initially and delaying 
additional benefits until validation of the C-TPAT member's security 
practices. 

To address our second objective on CBP's progress in addressing 
challenges in its process for validating the security practices of 
companies in the C-TPAT program, we reviewed a sample of 419 
validations completed from March 1, 2006, through September 30, 2006. 
In addition, we selected a nonprobability sample of 25 validation cases 
and conducted a more detailed review that included examining hard-copy 
records and other data, such as notes taken by the security specialists 
during validation visits to members' facilities, not available for the 
broader sample. The results of this review are not generalizable beyond 
the subset examined. However, because we selected the validation cases 
based on the variety of their field office location, role in the supply 
chain, use and nonuse of CBP's automated validation instrument, and 
type of validation questionnaire used, they provided us with an overall 
understanding of validation activities and documents collected during 
validation site visits. We selected these cases because they 
represented validations of the following trade sectors in the supply 
chain: (1) foreign logistic service providers; (2) foreign 
manufacturers; (3) foreign port or terminal operators; (4) non-U.S. 
importers; (5) U.S. importers; and (6) others, such as sea carriers. At 
the CBP field locations where we performed the detailed reviews, we 
also discussed the validation process with 11 supply chain security 
specialists who conduct C-TPAT validations. These specialists provided 
descriptive information about their data collection, documentation, and 
report preparation practices for C-TPAT validations. They were selected 
by CBP based on their availability and their views are not 
generalizable beyond those interviewed. Nonetheless, because the 
specialists were selected nonsystematically and by chance and included 
a wide range of experience in the specialist position, their interview 
statements provided broad-based, realistic personal descriptions of 
what occurs in CBP's validation process for C-TPAT members. 

We also reviewed GAO' and Office of Management and Budget guidance on 
internal controls to assess the extent to which CBP has incorporated 
them into the C-TPAT program. We also obtained information on the 
automated instrument that CBP developed for use in the validation 
process and reviewed the instrument's application in our sample of 
cases. Finally, we reviewed the items in the automated instrument and 
compared them with the minimum security criteria for U.S. importers. 
Although our sample of 419 validations included 329 validations using 
the automated instrument, analysis of the instrument's use was not 
possible due to data reliability issues concerning flaws in the 
instrument's design (see below). We also compared the C-TPAT minimum 
security criteria for importers to the three questionnaires that 
comprise the automated instrument.[Footnote 35] 

To address our third objective on CBP's actions since 2005 to address 
management and staffing challenges to ensure that the C-TPAT program 
operates as intended, we interviewed officials from CBP headquarters in 
Washington, D.C. In addition, we reviewed documentation on C-TPAT 
Portal, which is CBP's records management system. In reviewing our 
sample of 419 validations, we reviewed the information in Portal that 
provides C-TPAT management with the internal control to manage the 
program. CBP sent the original Portal data of the 419 validation cases 
in February 2007 and then sent updated Portal data for the same cases 
in August 2007 to provide us with current information on the cases. In 
addition, we obtained and reviewed the 2005 human capital plan and 2007 
annual plan for information on how CBP plans to meet its staffing 
requirements to achieve C-TPAT program goals. In addition, we reviewed 
the 2004 C-TPAT strategic plan, CBP strategic plan for fiscal years 
2005-2010, and the fiscal year 2006 CBP Performance and Accountability 
Report for conformance with Government Performance and Results Act of 
1993 (GPRA) structural requirements and for performance measures that 
show how well the program is meeting its goals. Finally, we obtained 
and reviewed CBP's 2007 C-TPAT study of members' program participation 
benefits and costs, conducted by the University of Virginia Center for 
Survey Research, to assess how CBP plans to use the results in the 
development of performance measures. 

We conducted this performance audit from May 2006 to April 2008 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Data Reliability: 

To assess the reliability of CBP's data on member status in C-TPAT-- 
management data in Portal and validation data in VSATs--we (1) reviewed 
existing documentation related to the data sources, (2) electronically 
tested the data to identify apparent problems with completeness or 
accuracy, and (3) questioned knowledgeable agency officials about 
controls over the integrity of the data. Initial reliability testing of 
the databases and interviews of staff with responsibility for the 
program led us to conclude that data used to track participant status 
and VSAT information had some weaknesses that could cause concerns with 
the reliability of the data. In particular, in the Portal database, 
certain key data, such as interim processing dates needed to calculate 
processing time frames, were missing that did not permit a complete 
analysis. We determined that the data from Portal were sufficiently 
reliable for the limited use of describing the program status, such as 
the approximate numbers of participants and number of validations, 
since our analysis and discussions with CBP officials assured us that 
those data fields were reasonably complete and accurate. 

For the VSAT database, an analysis of much of the data collected 
through the use of the instrument was not possible due to reliability 
issues with the data resulting from limitations in the design of the 
instrument. For example, the automated instrument is designed to yield 
responses in a binary format (i.e., "yes/no" responses), with "no" as 
an automatic default response. Therefore, if a response is marked "no," 
it is unclear whether the question was intentionally answered "no" or 
whether the response was an automatic default. Furthermore, completion 
of many items on the VSAT questionnaire is optional (not mandatory); 
therefore, it is not possible to determine the validity of the 
responses to the questions that cover the C-TPAT criteria in the seven 
defined security areas. As a result, we deemed the VSAT data 
insufficiently reliable for analytical purposes, though since nearly 
all the VSATs had at least one completed numerical assessment score, we 
deemed these scores sufficiently reliable to use to select our 25 
validation cases for more in depth review. 

[End of section] 

Appendix II: CBP's Implementation of C-TPAT Third Party Validation 
Pilot: 

This appendix provides information on U.S. Customs and Border 
Protection's (CBP) efforts to use third parties to conduct validations 
in China, where CBP currently lacks full access. The Chinese government 
does not allow CBP personnel access to conduct supply chain security 
validations in China. The Security and Accountability for Every Port 
(or SAFE Port) Act of 2006 requires CBP to develop a plan to implement 
a 1-year voluntary pilot program to test and assess the feasibility, 
costs, and benefits of using third party entities to conduct 
validations of Customs-Trade Partnership Against Terrorism (C-TPAT) 
program participants. CBP established the program in May 2007. This 
appendix discusses the pilot's initiation and its policies and 
procedures. 

CBP's third party validation pilot program provides the opportunity for 
qualified contractors to validate C-TPAT member international supply 
chain participants in China. CBP recognized its inability to validate 
the security of C-TPAT members' supply chains in China as an 
opportunity (1) to conduct the pilot as mandated by the SAFE Port Act 
and (2) for C-TPAT members importing solely from China to be validated 
and possibly receive Tier 2 or 3 benefits. According to CBP, C-TPAT 
members that import solely from China are not receiving the highest C- 
TPAT benefits to which they may be entitled because CBP's security 
specialists are prohibited by the Chinese government from validating 
foreign supply chains in their country. CBP compiled a list of 
importers eligible for the pilot--those who source 75 percent or more 
of their imports from China--and identified 11 contractors qualified to 
perform the validations. The pilot program is voluntary, and as 
outlined in the SAFE Port Act, any C-TPAT member wishing to participate 
must agree to validation by a third party contractor and pay all costs 
for this service. Also, CBP retains the authority to make validation 
findings and tier status determinations based on the data gathered and 
submitted by third party validators in their electronic checklist or 
questionnaire. Of 304 C-TPAT member companies eligible to participate 
in the pilot, as of December 2007, 14 had expressed an interest in 
doing so and 1 had actually gone through validation with a third party 
validator. 

CBP developed standard operating procedures as guidelines for ensuring 
that third party contractors follow necessary procedures in validating 
a C-TPAT member. In March 2007, CBP posted an announcement of the pilot 
on the Federal Business Opportunities website that included third party 
requirements, duties to be performed by the third party firm, and 
standard operating procedures for the pilot. Specifically, third party 
validation firms selected were required to sign confidentiality 
agreements, maintain liability insurance, apply for protections under 
the Support Anti-terrorism by Fostering Effective Technologies Act of 
2002, and remain free from conflicts of interest, including having any 
direct or indirect control over the company which is being validated. 
Also, third party firms must provide CBP with documentation of their 
training procedures for validators, including information on the scope 
of the training and type of material presented to sufficiently 
establish the validator's knowledge of the C-TPAT program, the 
international supply chain, and the transportation and logistics 
industry. In completing and reporting on validations, third parties are 
required to: 

(1) perform the validations in accordance with C-TPAT importer minimum 
security criteria; 

(2) properly document all validation findings, recommendations, and 
actions required in an electronic checklist or questionnaire format, 
consistent with all CBP importer minimum security criteria; 

(3) acknowledge to CBP that written procedures were on hand and 
reviewed by the validator to verify the information provided by the 
company being validated; and: 

(4) submit the electronic security checklist or questionnaire and other 
associated validation information to CBP within 15 working days after 
completion of the validation. 

CBP has not provided the Validation Security Assessment Tool (VSAT) 
that its security specialists use in validations for third party 
validators to use when validating C-TPAT members as part of the pilot 
program. Validation information, developed separately by the 11 
selected validator companies, will likely vary among the validators and 
differ from the VSAT used by the CBP security specialists. CPB plans to 
transfer the electronic information provided by third party validators 
onto a VSAT questionnaire and follow up as necessary with the third 
party validator and the C-TPAT member, but CBP has not established a 
standard operating procedure for reviewing the electronic information 
and, according to CBP officials, has no plans to do so given the low 
number of members that have used the third-party validator option. As 
of December 14, 2007, only 1of 304 C-TPAT members eligible to use a 
third party validator had actually done so and CBP had not yet received 
the electronic results of the validation. 

In October 2007, the Department of Homeland Security Assistant 
Secretary for Policy said interest in the pilot program had been 
minimal.[Footnote 36] According to the Assistant Secretary, the primary 
concerns expressed by C-TPAT members involve sharing proprietary and 
business data with a third party and the costs associated with the 
validation, which, as outlined in the SAFE Port Act, must be incurred 
by C-TPAT members. 

[End of section] 

Appendix III: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 
[hyperlink, http://www.dhs.gov]: 

Homeland Security: 

April 8, 2008: 

Mr. Stephen L. Caldwell: 
Director, Homeland Security and Justice Issues: 
U.S. Government Accountability Office: 
Washington, D.C. 20548: 

Dear Mr. Caldwell: 

Thank you for providing us with a copy of the draft report entitled 
"Supply Chain Security: U.S. Customs and Border Protection Has Enhanced 
Its Partnership with Import Trade Sectors, but Challenges Remain in 
Verifying Practices" (GAO-08-240), which examines U.S. Customs and 
Border Protection's (CBP) Customs-Trade Partnership Against Terrorism 
(C-TPAT) program. This report assessed the progress CBP has made since 
2005 in 1) improving its benefit award policies for C-TPAT members, 2) 
addressing challenges in validating members' security practices, and 3) 
addressing management and staffing challenges. 

The Department of Homeland Security (DHS) and CBP concur with GAO's 
observations that CBP continues to improve the consistency with which 
validations are conducted, strengthen the evaluation of security during 
validations, ensuring that C-TPAT validation report recommendations are 
implemented, ensure that the C-TPAT Portal records management system 
completely documents all decision making and identifies and pursues 
opportunities in information collected during C-TPAT member processing 
activities. 

CBP would like to emphasize that C-TPAT is an integral part of the CBP 
multi-layered strategy through which CBP works in partnership with the 
trade community to better secure goods moving through the international 
supply chain. C-TPAT has enabled CBP to leverage supply chain security 
throughout international locations where CBP has no regulatory reach. 

In Fiscal Year 2009, C-TPAT will focus its efforts on strengthening the 
partnership with member companies at both the macro and micro levels 
and leveraging corporate influence throughout the international supply 
chain. In doing so, C-TPAT will continue to ensure compliance with the 
requirements of the SAFE Port Act to include certifying security 
profiles within 90 days of submission and conducting validations within 
one year of certification and revalidations within 4-years of initial 
validation. C-TPAT projects that 3800-4500 validations will be required 
during FY 2009, requiring on site visits at facilities throughout the 
world. 

In strengthening this successful program, CBP will also continue to 
review its performance and, where needed, enhance the minimum security 
criteria for each enrollment sector. 

Additionally, CBP will continue to conduct informational and training 
sessions for various internal/external audiences to improve knowledge 
of cargo security procedures and provide the latest information 
regarding terrorism trends and conveyance breaches. 

Another important effort to note is the potential mutual recognition of 
other countries' customs-to-business partnership programs. The World 
Customs Organization has developed a global standard for trusted 
partnerships with the trade, known as the Authorized Economic Operator, 
or AEO, program. This concept is similar to the C-TPAT program. Mutual 
Recognition Arrangements reduce costs and simplify these programs for 
both industry and government. CBP is engaged in mutual recognition 
discussions with several governments and is following a very methodical 
process to achieve recognition. These programs must meet three 
requirements: they must be security-based; they must be operational; 
and they must have a minimum level of validation to verify the company 
has done what it claims to have done. 

Creating an international network to exchange information about trusted 
traders and knowing that those participants are observing specified 
security standards in the secure handling of goods and relevant 
information is a win-win for both government and business. In June 
2007, CBP signed its first mutual recognition arrangement with New 
Zealand and CBP is beginning to see several positive outcomes and 
challenges taking form as the work to implement that arrangement 
continues. 

Attached are comments specific to the recommendations. Please note that 
CBP understands that GAO has made changes to recommendations 4 and 5. 
CBP requested that GAO reword the recommendations and it is our 
understanding that the changes agreed to will be captured in the final 
report. CBP's corrective action plans are based upon the revised 
recommendations. 

With regard to the classification of the draft report, CBP has not 
identified information within the report requiring restricted public 
access based on a designation of "For Official Use Only." 

Recommendation 1: Continue to improve the consistency with which 
validations are conducted and documented by revising the electronic 
instrument used in validations to include appropriate response options 
and eliminate the use of default "no" responses. 

Response: Concur. CBP is developing a second generation automated tool 
which will eliminate the use of default "no" response and will address 
all security criteria. 

Due Date: Phased in approach on a sector-by-sector basis over the next 
12 months. 

1. Phase 1 to be completed by June 30, 2008. 

2. Additional sectors will be identified and roll-out scheduled 
determined by August 30, 2008.

3. Additional automated reports to be operational by December 31, 2008. 

Recommendation 2: Strengthen the evaluation of security during 
validations by requiring validations to include the review and 
assessment of any available results from audits, inspections, or other 
reviews of a member's supply chain security. 

Response: Concur. CBP will issue a policy memo to the Security 
Specialists instructing them to request from the partner company any 
available internal audits, inspections or reviews which will serve as 
additional information to consider during the validation process. 

Due Date: C-TPAT Headquarters will issue the policy memorandum by June 
30, 2008 and will include this topic at its fall 2008 internal training 
session. 

Recommendation 3: Ensure that C-TPAT validation report recommendations 
are implemented by establishing a policy for security specialists to 
follow-up with member companies when CBP requires them to make security 
enhancements to ensure that the necessary steps are taken. 

Response: Concur. CBP will issue a policy memorandum and revise 
Standard Operating Procedures to the extent necessary to ensure that 
all actions required / recommendations are implemented and will explore 
ways to capture and quantify this information either in the Portal 
records management system or via other means. 

Due Date: C-TPAT Headquarters will implement the policy change by June 
30, 2008 and immediately begin to identify Portal enhancements with the 
goal of accomplishing system changes by December 31, 2008. 

Recommendation 4: Ensure that the C-TPAT Portal records management 
system completely documents key data elements needed to track 
compliance with SAFE Port Act and other CBP internal requirements. 

Response: Concur. GAO cites two specific examples of data elements 
(dates) which it believes C-TPAT managers and 3rd party reviewer(s) 
need to ensure compliance with certain aspects of the program e.g. the 
date the validation letter is sent to the member and the date the VSAT 
information is uploaded into the portal. 

CBP believes that priority should be placed on capturing those dates / 
milestones which will establish compliance with the performance 
measures identified in Table 6 of the report with specific emphasis on 
SAFE Port Act mandates, i.e. certify within 90 days, initiate 
validation within 1 year of the date of validation and revalidate 
within 3 years of the date of initial validation. 

C-TPAT Headquarters will ensure the data elements needed to ensure 
compliance with the performance indicators stated in the October 1, 
2007 memorandum and as identified Table 6 are available in the Portal 
records system. 

Due Date: June 30, 2008: 

Recommendation 5: Identify and pursue opportunities in information 
collected during C-TPAT member processing activities that may provide 
direction for developing performance measures of enhanced supply chain 
security. Response: Concur. CBP agrees that the C-TPAT program must 
continue to strive to develop outcome based measures and CBP will 
conduct an analysis. 

Due Date: December 31, 2008. 

We thank you again for the opportunity to review this important report 
and provide comments. 

Sincerely,

Penelope G. McCormack: 
Acting Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix IV: Data on C-TPAT Members Receiving Tiered Benefits: 

This appendix provides information on C-TPAT members receiving tiered 
benefits. Beginning with C-TPAT's inception in November 2001through 
December 31, 2007, CBP validated 79.1 percent (6,290) of C-TPAT's 
certified member companies. As shown in table 7, 39.9 percent (2,512) 
of the validated members were importers, of which 88.3 percent (2,219) 
were awarded Tier 2 benefits, 9.3 percent (233) were awarded Tier 3 
benefits, and 2.4 percent (60) were suspended or removed from the 
program. Importers receiving Tier 1 benefits made up 60.4 percent 
(1,001) of certified CTPAT members that were awaiting initial 
validation, as of December 31, 2007. The remaining 39.6 percent (657) 
of members certified and awaiting validation were non-importers. Non- 
importers represented 60.1 percent (3,778) of C-TPAT's validated 
membership. While 97.7 percent (3,692) of non-importers validated 
received a positive result, no additional benefits were awarded. 

Table 7: Analysis of C-TPAT Member Status as of December 31, 2007: 

Member status: Certifications; 
Member status: (1) Certified members from program's inception; Number: 
7,948; Percent: [Empty]. 

Member status: (2) Certified members awaiting validation; 
Number: 1,658; 
Percent: 20.9. 

Member status: * Certified Tier 1 importers; 
Number: 1,001; 
Percent: 60.4. 

Member status: * Certified nonimporters; 
Number: 657; 
Percent: 39.6. 

Member status: Initial validations; 
Number: [Empty]; 
Percent: [Empty]. 

Member status: (1) Initial validations completed from program's 
inception; 
Number: 6,290; 
Percent: 79.1. 

Member status: (2) Importers' initial validations completed; 
Number: 2,512; 
Percent: 39.9. 

Member status: * Importers awarded Tier 2 benefits; 
Number: 2,219; 
Percent: 88.3. 

Member status: * Importers awarded Tier 3 benefits; 
Number: 233; 
Percent: 9.3. 

Member status: * Importers suspended or removed; 
Number: 60; 
Percent: 2.4. 

Member status: (3) Nonimporters' initial validations completed; 
Number: 3,778; 
Percent: 60.1. 

Member status: * Nonimporters' positive validation result; 
Number: 3,692; 
Percent: 97.7. 

Member status: * Nonimporters suspended or removed; 
Number: 86; 
Percent: 2.3. 

Source: GAO analysis of CBP data. 

[End of table] 

[End of section] 

Appendix V: GAO Contacts and Staff Acknowledgments: 

GAO Contact: 

Stephen L. Caldwell, Director, (202) 512-9610, [email protected]. 

Staff Acknowledgments: 

This report was prepared under the direction of Christine A. Fossett 
and Christopher Conrad, Assistant Directors. Key contributions to this 
report also included Amy Bernstein, Fredrick Berry, Yecenia Camarillo, 
Frances Cook, Katherine Davis, Wendy Dye, Nkenge Gibson, Valerie 
Kasindi, Stanley Kostyla, Frederick Lyles, Michael Pose, Robert Rivas, 
and Beverly Ross. 

[End of section] 

Related GAO Products: 

Supply Chain Security: Examinations of High-Risk Cargo at Foreign 
Seaports Have Increased, but Improved Data Collection and Performance 
Measures Are Needed. GAO-08-187. Washington, D.C.: January 25, 2008. 

Maritime Security: The SAFE Port Act: Status and Implementation One 
Year Later. GAO-08-126T. Washington, D.C.: October 30, 2007. 

Maritime Security: One Year Later: A Progress Report on the SAFE Port 
Act. GAO-08-171T. Washington, D.C.: October 16, 2007. 

Maritime Security: The SAFE Port Act and Efforts to Secure Our Nation's 
Seaports. GAO-08-86T. Washington, D.C.: October 4, 2007. 

Combating Nuclear Smuggling: Additional Actions Needed to Ensure 
Adequate Testing of Next Generation Radiation Detection Equipment. GAO- 
07-1247T. Washington, D.C.: September 18, 2007. 

Maritime Security: Observations on Selected Aspects of the SAFE Port 
Act. GAO-07-754T. Washington, D.C.: April 26, 2007. 

Customs Revenue: Customs and Border Protection Needs to Improve 
Workforce Planning and Accountability. GAO-07-529. Washington, D.C.: 
April 12, 2007. 

Cargo Container Inspections: Preliminary Observations on the Status of 
Efforts to Improve the Automated Targeting System. GAO-06-591T. 
Washington, D.C.: March 30, 2006. 

Combating Nuclear Smuggling: Efforts to Deploy Radiation Detection 
Equipment in the United States and in Other Countries. GAO-05-840T. 
Washington, D.C.: June 21, 2005. 

Container Security: A Flexible Staffing Model and Minimum Equipment 
Requirements Would Improve Overseas Targeting and Inspection Efforts. 
GAO-05-557. Washington, D.C.: April 26, 2005. 

Homeland Security: Key Cargo Security Programs Can Be Improved. GAO-05- 
466T. Washington, D.C.: May 26, 2005. 

Maritime Security: Enhancements Made, but Implementation and 
Sustainability Remain Key Challenges. GAO-05-448T. Washington, D.C.: 
May 17, 2005. 

Cargo Security: Partnership Program Grants Importers Reduced Scrutiny 
with Limited Assurance of Improved Security. GAO-05-404. Washington, 
D.C.: March 11, 2005. 

Preventing Nuclear Smuggling: DOE Has Made Limited Progress in 
Installing Radiation Detection Equipment at Highest Priority Foreign 
Seaports. GAO-05-375. Washington, D.C.: March 31, 2005. 

Homeland Security: Process for Reporting Lessons Learned from Seaport 
Exercises Needs Further Attention. GAO-05-170. Washington, D.C.: 
January 14, 2005. 

Port Security: Better Planning Needed to Develop and Operate Maritime 
Worker Identification Card Program. GAO-05-106. Washington, D.C.: 
December 10, 2004. 

Maritime Security: Substantial Work Remains to Translate New Planning 
Requirements into Effective Port Security. GAO-04-838. Washington, 
D.C.: June 30, 2004. 

Homeland Security: Summary of Challenges Faced in Targeting Oceangoing 
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 
31, 2004. 

Container Security: Expansion of Key Customs Programs Will Require 
Greater Attention to Critical Success Factors. GAO-03-770. Washington, 
D.C.: July 25, 2003. 

[End of section] 

Footnotes: 

[1] Ports of entry are government-designated locations where CBP 
inspects persons and goods to determine whether they may be lawfully 
admitted into the country. 

[2] For a further discussion of CSI, see GAO, Supply Chain Security: 
Examinations of High-Risk Cargo at Foreign Seaports Have Increased, but 
Improved Data Collection and Performance Measures Are Needed, GAO-08-
187 (Washington, D.C.: Jan. 25, 2008). 

[3] Member companies' security practices are to be revalidated every 3 
years. 

[4] According to CBP's Executive Director, Cargo and Conveyance 
Security, C-TPAT members include other transportation modes in addition 
to seagoing vessels and, as a whole, accounted for 46 percent of 
imported containerized cargo as of September 2007. 

[5] Pub. L. No. 109-347, 120 Stat. 1884 (2006). 

[6] The World Customs Organization is an international organization 
aimed at enhancing the effectiveness and efficiency of customs 
administrations. We plan to report in the spring of 2008 on our ongoing 
review of CBP's role in promoting international standards. 

[7] GAO, Cargo Security: Partnership Program Grants Importers Reduced 
Scrutiny with Limited Assurance of Improved Security, GAO-05-404 
(Washington, D.C.: Mar. 11, 2005). 

[8] GAO, Container Security: Expansion of Key Customs Programs Will 
Require Greater Attention to Critical Success Factors, GAO-03-770 
(Washington, D.C.: July 25, 2003). 

[9] Department of Transportation Volpe National Transportation Systems 
Center, Intermodal Cargo Transportation: Industry Best Security 
Practices (Cambridge, Mass.: June 2002). 

[10] The National Strategy for Maritime Security (September 2005). The 
document is guided by the objectives and goals contained in the 
National Security Strategy and the National Strategy for Homeland 
Security. 

[11] One country, China, denies CBP personnel access to conduct supply 
chain security validations. For more information on CBP efforts to 
conduct validations in China, see app. II. 

[12] The CBP security specialist assigned to a company identifies 
potential sites to visit based on research of the company's business 
history, import transportation modes, facility locations and other 
factors. Preliminary selections are discussed with company officials 
and the C-TPAT program director provides final approval. 

[13] The SAFE Port Act required CBP to conduct revalidations at least 
once every 4 years, but CBP has elected to perform them every 3 years 
in response to the committee report language. 

[14] Internal controls are the integral components of an organization's 
management that provide reasonable assurance of the effectiveness and 
efficiency of operations, the reliability of financial reporting, and 
the compliance with applicable laws and regulations. 

[15] Outcome-based goals are goals that reflect the intended purpose of 
a program or activity. 

[16] See GAO, Maritime Security: The SAFE Port Act: Status and 
Implementation One Year Later, GAO-08-126T (Washington, D.C.: Oct. 30, 
2007). 

[17] GAO has work ongoing addressing international maritime security 
efforts and plans to issue a report in the spring of 2008. 

[18] GAO-05-404. 

[19] GAO-05-404. 

[20] Highway carriers and manufacturers who participate in CBP's Free 
and Secure Trade (FAST) initiative are the exception. The initiative is 
between the United States, Canada, and Mexico and allows known low-risk 
highway carriers and manufacturers that are C-TPAT certified to receive 
expedited border processing. 

[21] As discussed earlier in this report, the Automated Targeting 
System is a computerized targeting model that CBP uses in the targeting 
and inspection of cargo that arrives at U.S. ports. ATS uses hundreds 
of targeting rules to check available data on every arriving container 
and assigns each container a risk characterization or score. 

[22] In December 2004, C-TPAT management issued requirements for an 
automated risk assessment and validation tool to the contractor in 
CBP's Automated Commercial Environment project---a multiyear effort to 
modernize CBP's business processes, information technology, and 
infrastructure. The VSAT is a result of the contractor's effort. Per 
CBP's requirement's statement, the initial purpose of the tool was to 
provide C-TPAT validation capability, but information gathered using 
the tool would ultimately serve as input to CBP's Automated Targeting 
System, used in selecting containerized shipments for inspection. 

[23] See GAO-05-404. 

[24] See GAO-05-404. 

[25] See GAO-03-770 and GAO-05-404. 

[26] The information on projected staffing and validation workload in 
this report is based mainly on interviews with CBP officials. To the 
extent possible, we corroborated the information provided by CBP 
officials with agency documentation. Although CBP officials presented 
the data as their official numbers, we cannot attest to their 
reliability. However, in the context in which the data were presented, 
we determined the usage to be appropriate because the data did not 
constitute the sole support of our findings, conclusions, and 
recommendations. 

[27] See GAO-05-404. 

[28] CBP used C-TPAT tracker--an Access database--to record some 
information about C-TPAT members--as an interim measure prior to Portal 
and subsequently, the agency migrated C-TPAT tracker data into Portal. 

[29] As previously mentioned, CBP migrated data from C-TPAT tracker 
including information on validations completed into the Portal system. 

[30] CBP seeks to internationalize C-TPAT principles to promote supply 
chain security and to facilitate trade moving to and between nations. 

[31] See GAO-03-770 and GAO-05-404. 

[32] The Government Performance and Results Act (GPRA) provides the 
following definitions: Outcome-based measure refers to an assessment of 
the results of a program activity compared to its intended purpose; 
performance target means a target level of performance expressed as a 
tangible, measurable objective, against which actual achievement shall 
be compared, including a goal expressed as a quantitative standard, 
value, or rate; strategic goals explain what results are expected from 
the agency's major functions and when to expect those results. 

[33] Executive agencies must file an annual performance and 
accountability report in accordance with the GPRA, Reports 
Consolidation Act, Homeland Security Act, and as required by Office of 
Management and Budget Circular A-11. 

[34] GAO-05-404. 

[35] CBP issued its first minimum security criteria for importers in 
March 2005 and, according to CBP officials, the criteria are 
representative of C-TPAT criteria in general. 

[36] Statement of Stewart Baker, Assistant Secretary for Policy, DHS, 
at a hearing before the Committee on Homeland Security and Governmental 
Affairs, U.S. Senate, October 16, 2007. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***