This is the accessible text file for GAO report number GAO-05-404 
entitled 'Cargo Security: Partnership Program Grants Importers Reduced 
Scrutiny with Limited Assurance of Improved Security' which was 
released on May 25, 2005.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Requesters:

United States Government Accountability Office:

GAO:

March 2005:

Cargo Security:

Partnership Program Grants Importers Reduced Scrutiny with Limited 
Assurance of Improved Security:

GAO-05-404:

Contents:

Letter:

Results in Brief:

Background:

C-TPAT Benefits Reduce Scrutiny of Shipments:

CBP Grants Benefits before Verification of Security Procedures:

Weaknesses in Process for Verifying Security Procedures:

Incomplete Progress in Addressing Management Weaknesses:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendix I: Objectives, Scope, and Methodology:

Objectives:

Scope and Methodology:

Data Reliability:

Appendix II: Comments from the Department of Homeland Security:

Appendix III: GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Staff Acknowledgments:

Related GAO Products:

Tables:

Table 1: Roles of Trade Community Members in the Supply Chain:

Table 2: Benefits for C-TPAT Members:

Figures:

Figure 1: CBP's Review Process for C-TPAT Membership:

Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004:

Abbreviations:

ATS: Automated Targeting System:

CBP: Customs and Border Protection:

CSI: Container Security Initiative:

C-TPAT: Customs-Trade Partnership Against Terrorism:

DHS: Department of Homeland Security:

FAST: Free and Secure Trade:

United States Government Accountability Office:

Washington, DC 20548:

March 11, 2005:

The Honorable Susan M. Collins: 
Chairman: 
The Honorable Joseph Lieberman: 
Ranking Minority Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate:

The Honorable Norm Coleman: 
Chairman: 
The Honorable Carl Levin: 
Ranking Minority Member: 
Permanent Subcommittee on Investigations: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable John D. Dingell: 
Ranking Minority Member: 
Energy and Commerce Committee: 
House of Representatives:

This report is a publicly available version of our report on the 
Customs-Trade Partnership Against Terrorism (C-TPAT). The Department of 
Homeland Security (DHS) designated our original report as Limited 
Official Use because of the sensitive and specific nature of the 
information it contained.

U.S. Customs and Border Protection (CBP), the DHS bureau responsible 
for protecting the nation's borders at and between the official ports 
of entry, has the dual goals of preventing terrorists and terrorist 
weapons from entering the United States and also facilitating the flow 
of legitimate trade and travel. Approximately 90 percent of the world's 
cargo moves by container. Addressing the threat posed by the movement 
of containerized cargo across U.S. borders has traditionally posed many 
challenges for CBP, in particular balancing the bureau's border 
protection functions and trade enforcement mission with its goal of 
facilitating the flow of cargo and persons into the United States. CBP 
has said that the large volume of imports and its limited resources 
make it impossible to physically inspect all oceangoing containers 
without disrupting the flow of commerce, and it is unrealistic to 
expect that all containers warrant such inspection.

To address its responsibility to improve cargo security while 
facilitating commerce, CBP employs multiple strategies. Among these 
strategies, CBP has in place an initiative known as C-TPAT, which aims 
to secure the flow of goods bound for the United States by developing a 
strong, voluntary antiterrorism partnership with the trade community. C-
TPAT members commit to improving the security of their supply chain 
(flow of goods from manufacturer to retailer) and develop written 
security profiles that outline the security measures in place for the 
company's supply chain. In exchange for this commitment, CBP offers C- 
TPAT members benefits for participating that may reduce the level of 
scrutiny given to their shipments, potentially resulting in a reduced 
number of inspections of their cargo at U.S. borders.

The program is promising, but previous work has raised concerns about 
its management and its ability to achieve its ultimate goal of improved 
cargo security. Specifically, in our July 2003 report on this program, 
we recommended that the Secretary of Homeland Security work with the 
CBP Commissioner to develop (1) a strategic plan that clearly lays out 
the program's goals, objectives, and detailed implementation 
strategies; (2) performance measures that include outcome-oriented 
indicators; and (3) a human capital plan that clearly describes how C- 
TPAT will recruit, train, and retain new staff to meet the program's 
growing demands as it implements new program elements.[Footnote 1]

Given our past concerns about the program's effectiveness and in light 
of the program's rapid expansion, we examined selected aspects of the 
program's operation and management. This report addresses the following 
issues:

1. What benefits does CBP provide to C-TPAT members?

2. Before providing benefits, what approach does CBP take to determine 
C-TPAT members' eligibility for them?

3. After providing benefits, how does CBP verify that members have 
implemented their security measures?

4. To what extent has CBP developed strategies and related management 
tools for achieving the program's goals?

To address all four objectives, we discussed program operations with 
CBP officials in Washington, D.C., with program responsibilities for C- 
TPAT and reviewed available data and documentation for the program. To 
ascertain the manner in which CBP validates security procedures for 
participating companies, we asked CBP to provide us with examples of 
participant files, including files of participants with 
responsibilities along various parts of the supply chain. While the 
files we reviewed were not a representative sample of files, we noted 
that in many cases these files were incomplete. We also reviewed CBP's 
database for tracking participant status in the program. Initial 
reliability testing of this database and interviews of staff with 
responsibility for the program led us to conclude that data used to 
track participant status had some serious reliability weaknesses. 
However, we found the data sufficiently reliable for limited use in 
describing the program's status. While we were able to review CBP's 
processes, because of the poor condition of member files we were unable 
to verify the extent that the bureau followed the processes in 
individual cases for individual members. We also examined the status of 
the agency's efforts to implement our prior recommendations for the 
program.

We conducted our work from February through December 2004 in accordance 
with generally accepted government auditing standards. More details 
about the scope and methodology of our work are presented in appendix I.

Results in Brief:

In return for committing to making improvements to the security of 
their shipments by joining the program, C-TPAT members receive a range 
of benefits that reduce the level of scrutiny CBP provides to their 
shipments bound for the United States. These benefits may change the 
risk characterization of their shipments, thereby reducing the 
probability of extensive documentary and physical inspection. Other 
benefits include access to FAST lanes on the Canadian and Mexican 
borders, expedited cargo processing at FAST lanes, and an emphasis on 
self-policing and self-monitoring of security activities.[Footnote 2] 
In addition, CBP grants benefits to C-TPAT members that do not directly 
affect the level of scrutiny given to their shipments. These additional 
benefits include a single point of contact within CBP to serve as a 
liaison with the member on issues related to the program, access to the 
identities of other companies that have become C-TPAT members, and 
eligibility to attend CBP-sponsored antiterrorism training seminars.

Before providing benefits, CBP uses a two-pronged approach to assess C- 
TPAT members. First, CBP has a certification process to review the self-
reported information contained in applicants' membership agreements and 
security profiles. Second, CBP has in place a vetting process to try to 
assess the compliance with customs laws and regulations and violation 
history of and intelligence data on importers before granting them 
benefits. At the program's inception, CBP began granting benefits to C-
TPAT applicants immediately upon receipt of their agreement to 
voluntarily participate in the program without any review of the 
security profiles submitted by potential member companies. In February 
2004, CBP changed its policy to grant benefits to C-TPAT members only 
after CBP's review and certification of their security profiles and 
successful completion of the vetting process. CBP believes that this 
two-pronged approach provides adequate assurance before granting 
benefits. However, this approach grants benefits to members before they 
undergo the validation process.

After providing benefits, CBP has a validation process to verify that C-
TPAT members' security measures have been implemented and that program 
benefits should continue. However, we found several weaknesses in the 
validation process that compromise CBP's ability to provide an actual 
verification that supply chain security measures in C-TPAT members' 
security profiles are accurate and are being followed. First, the 
validation process is not rigorous enough to achieve its stated 
purpose, which is to ensure that the security procedures outlined in 
members' security profiles are reliable, accurate, and effective. For 
example, CBP officials told us that validations are not considered 
independent audits, and the objectives, scope, and methodology of 
validations are jointly agreed upon with the member company. CBP 
officials, as well as our review of case files, indicated that the 
validations only examine a few of the security measures outlined in 
members' security profiles. Related to this, CBP has no written 
guidelines for its supply chain specialists to indicate what scope of 
effort is adequate for the validation to ensure that the member's 
measures are reliable, accurate, and effective. In addition, CBP has 
not determined the extent to which validations are needed. While the 
original stated goal of the program was to validate all members within 
3 years, CBP decided that it could not do so because of the rapid 
growth in membership. In 3 years of C-TPAT operation, CBP has validated 
about 10 percent of its certified members. While CBP has given up on 
its original goal to validate all members, it has not come up with an 
alternative goal for the number or percentage of members that should be 
validated. For validations that CBP does conduct, it prioritizes 
members for validation based on a variety of factors such as strategic 
threat, import volume, and past compliance violations.

While CBP has recently completed a strategic plan, we found weaknesses 
in some of the tools it uses to manage the program that could hinder 
the bureau in achieving the program's dual goals of securing the flow 
of goods bound for the United States and facilitating the flow of 
trade. CBP's new strategic plan appears to provide the bureau with a 
general framework on which to base key decisions, including key 
strategic planning elements such as strategic goals, objectives, and 
strategies. However, CBP still lacks a human capital plan, a fact that 
has impaired its ability to manage its resources. CBP officials told us 
they are in the process of developing an implementation plan that will 
address human capital planning elements such as analyzing (1) current 
workload, (2) the projected annual growth rate of the program, (3) the 
time it takes to complete the average validation, and (4) the number of 
validations supply chain specialists can complete annually. 
Furthermore, CBP still has not developed a comprehensive set of 
performance measures and indicators, including outcome-based measures, 
to monitor the status of program goals. CBP officials told us they have 
developed some initial measures to capture the program's impact. 
Finally, the C-TPAT program lacks an effective records management 
system. CBP's record keeping for the program is incomplete, as key 
decisions are not always documented and programmatic information is not 
updated regularly or accurately. For example, member files we reviewed 
contained no documentation of communications between CBP and members 
regarding how the scope of a validation was determined, and their 
database tracking member status contained errors.

We are making recommendations to the Secretary of the Department of 
Homeland Security to direct the U. S. Commissioner of Customs and 
Border Protection to improve the program's ability to meet its goals by 
providing appropriate guidance to specialists conducting validations, 
determining the extent to which members should be validated in lieu of 
the original goal to validate all members within 3 years of 
certification, and implementing performance measures, a human capital 
plan, and a records management system for the program. We provided a 
draft of this report to the Secretary of DHS for comment. In its 
response, from the Commissioner of U.S. Customs and Border Protection, 
CBP generally agreed with our recommendations and cited corrective 
actions they either have taken or planned to take.

Notwithstanding its general agreement with our recommendations, CBP 
noted that C-TPAT is a voluntary partnership to improve the security of 
the United States and not a program to confirm importer compliance with 
a regulatory requirement. As such, CBP said our report places too much 
emphasis on the validation process without adequately reflecting other 
aspects of the program. As a whole, CBP said that as part of its 
multilayered approach, C-TPAT identifies companies that take security 
seriously, appropriately lowers the risk level of their cargo, and thus 
focuses CBP resources on other companies' high-risk cargo, all 
consistent with a risk management approach. We believe that having a 
multilayered approach to cargo inspection can be effective, provided 
that each layer is adequately utilized. Given that C-TPAT members enjoy 
benefits that could greatly reduce the likelihood of an inspection of 
their cargo, not having full assurance of a reliable, accurate, and 
effective validation process potentially weakens the overall 
effectiveness of the other control mechanisms in meeting CBP's 
fundamental responsibility to ensure security of all cargo entering the 
United States. We fully address CBP's comments in the body of the 
report.

Background:

CBP maintains two overarching goals: (1) increasing security and (2) 
facilitating legitimate trade and travel. Disruptions to the supply 
chain could have immediate and significant economic impacts.[Footnote 
3] For example, in terms of containers, CBP data indicates that in 2003 
about 90 percent of the world's cargo moved by container.[Footnote 4] 
In the United States, almost half of all incoming trade (by value) 
arrived by containers on board ships. Almost 7 million cargo containers 
arrive and are offloaded at U.S. seaports each year. Additionally, 
containers arrive via truck and rail. Therefore, it is vital for CBP to 
try to strike a balance between its antiterrorism efforts and 
facilitating the flow of legitimate international trade and travel.

Vulnerability of the Supply Chain:

The terrorist events of September 11, 2001, raised concerns about 
company supply chains, particularly oceangoing cargo containers, 
potentially being used to move weapons of mass destruction to the 
United States. An extensive body of work on this subject by the Federal 
Bureau of Investigation and academic, think tank, and business 
organizations concluded that while the likelihood of such use of 
containers is considered low, the movement of oceangoing containerized 
cargo is vulnerable to some form of terrorist action. Such action, 
including attempts to smuggle either fully assembled weapons of mass 
destruction or their individual components, could lead to widespread 
death and damage.

The supply chain is particularly vulnerable to potential terrorists 
because of the number of individual companies handling and moving cargo 
through it. To move a container from production facilities overseas to 
distribution points in the United States, an importer has multiple 
options regarding the logistical process, such as routes and the 
selection of freight carriers. For example, some importers might own 
and operate key aspects of the overseas supply chain process, such as 
warehousing and trucking operations. Alternatively, importers might 
contract with logistical service providers, including freight 
consolidators and nonvessel-operating common carriers. In addition, 
importers must choose among various modes of transportation to use, 
such as rail, truck, or barge, to move containers from the 
manufacturer's warehouse to the port of lading. As shown in table 1, 
there are many players in the trade community, each with a role in the 
supply chain.

Table 1: Roles of Trade Community Members in the Supply Chain:

Trade community member: Air/rail/sea carriers; 
Role in the supply chain: Carriers transport cargo via air, rail, or 
sea.

Trade community member: Border highway carriers; 
Role in the supply chain: Highway carriers transport cargo for 
scheduled and unscheduled operations via road across the Canadian and 
Mexican borders.

Trade community member: Importers; 
Role in the supply chain: Importers, in the course of trade, bring 
articles of trade from a foreign source into a domestic market.

Trade community member: Licensed customs brokers; 
Role in the supply chain: Brokers clear goods through customs. The 
responsibilities of a broker include preparing the entry form and 
filing it, advising the importer on duties to be paid, and arranging 
for delivery to the importer.

Trade community member: Freight consolidators/ocean transportation 
intermediaries and nonvessel-operating common carriers; 
Role in the supply chain: A freight consolidator is a firm that accepts 
partial container shipments from individual shippers and combines the 
shipments into a single container for delivery to the carrier. A 
transportation intermediary facilitates transactions by bringing buyers 
and sellers together. A nonvessel-operating common carrier is a company 
that buys shipping space, through a special arrangement with an ocean 
carrier, and resells the space to individual shippers.

Trade community member: Port authorities/terminal operators; 
Role in the supply chain: A port authority is an entity of state or 
local government that owns, operates, or otherwise provides wharf, 
dock, and other marine terminal investments at ports. Terminal operator 
responsibilities include the overseeing and unloading of cargo from 
ship to dock, checking the actual cargo against the ship's manifest 
(list of goods), checking documents authorizing a truck to pick up 
cargo, overseeing the loading and unloading of railroad cars, and so 
forth.

Source: GAO.

[End of table]

According to research initiated by the U.S. Department of 
Transportation's Volpe National Transportation Systems Center, 
importers who own and operate the entire supply chain route from start 
to finish suffer fewer security breaches than others because they have 
greater control over their supply chains.[Footnote 5] However, 
relatively few importers own and operate all key aspects of the cargo 
container transportation process, relying instead on second parties to 
move containerized cargo and prepare various transportation documents.

CBP's Layered Enforcement Strategy:

CBP has implemented a layered enforcement strategy to prevent 
terrorists and weapons of mass destruction from entering the United 
States through the supply chain.[Footnote 6] A key element of this 
strategy is CBP's targeting and inspection of cargo that arrives at 
U.S. ports. For all arriving cargo containers, CBP uses a targeting 
strategy that employs its computerized targeting model, the Automated 
Targeting System (ATS). CBP uses ATS to review container documentation 
and help select, or target, shipments for additional documentary review 
or physical inspection. ATS is operated by CBP's National Targeting 
Center and is characterized by CBP as an expert system that uses 
hundreds of targeting rules to check available data for every arriving 
container, assigning a risk characterization to each container. The 
risk characterization helps to determine the type and level of scrutiny 
a container will receive. For example, CBP could review the container's 
bill of lading, examine the container with nonintrusive inspection 
equipment (that is, X-ray), or physically open the container. The 
extent of review varies, since according to CBP, the large volume of 
imports and CBP's limited resources make it impossible to physically 
inspect all containers without disrupting the flow of commerce.

Initiated in November 2001, C-TPAT is another element of CBP's layered 
enforcement strategy. C-TPAT is a voluntary program designed to improve 
the security of the international supply chain while maintaining an 
efficient flow of goods. Under C-TPAT, CBP officials work in 
partnership with private companies to review their supply chain 
security plans to improve members' overall security. In return for 
committing to making improvements to the security of their shipments by 
joining the program, C-TPAT members may receive benefits that result in 
reduced scrutiny of their shipments (e.g., reduced number of 
inspections or shorter border wait times for their shipments). C-TPAT 
membership is open to U.S.-based companies in the trade community, 
including (1) air/rail/sea carriers, (2) border highway carriers, (3) 
importers, (4) licensed customs brokers, (5) air freight consolidators 
and ocean transportation intermediaries and nonvessel-operating common 
carriers, and (6) port authorities or terminal operators.[Footnote 7] 
According to CBP officials, program membership has grown rapidly, and 
continued growth is expected, especially as member importers are 
requiring their suppliers to become C-TPAT members. For example, as of 
January 2003 approximately 1,700 companies had become C-TPAT members. 
By May 2003, the number had nearly doubled to 3,355. According to CBP 
officials, as of November 2004, the C-TPAT program had 7,312 members. 
For fiscal year 2004, the C-TPAT budget was about $18 million, with a 
requested budget for fiscal year 2005 of about $38 million for program 
expansion efforts. As of August 2004, CBP had hired 40 supply chain 
specialists, who are dedicated to serve as the principal advisers and 
primary points of contact for C-TPAT members.[Footnote 8] The 
specialists are located in Washington, D.C., Miami, Florida, Los 
Angeles, California, and New York, New York.

CBP has a multistep review process for the C-TPAT program. As figure 1 
shows, applicants first submit signed C-TPAT agreements affirming their 
desire to participate in the voluntary program. Applicants must also 
submit security profiles--executive summaries of their company's 
existing supply chain security procedures--that follow guidelines 
jointly developed by CBP and the trade community. These security 
profiles are to summarize the applicant's current security procedures 
in areas such as physical security, personnel security, and education 
and training awareness.[Footnote 9] CBP established a certification 
process in which it reviews the applications and profiles by comparing 
their contents with the security guidelines jointly developed by CBP 
and the industry, looking for any weaknesses or gaps in the 
descriptions of security procedures. Once any issues are resolved to 
CBP's satisfaction, CBP signs the agreement and the company is 
considered to be a certified C-TPAT member, eligible for program 
benefits. Members that are not importers begin receiving benefits at 
this point, but members that are importers must undergo another layer 
of review, as described below. CBP encourages members to conduct self- 
assessments of their security profiles each year to determine any 
significant changes and to notify CBP. For example, members may be 
using new suppliers or new trucking companies and would need to update 
their security profiles to reflect these changes.

Figure 1: CBP's Review Process for C-TPAT Membership:

[See PDF for image]

[End of figure]

For certified importers, CBP has an additional layer of review called 
the vetting process in which CBP reviews information about an 
importer's compliance with customs laws and regulations and violation 
history. CBP requires the vetting process for certified importers as a 
condition of granting them key program benefits. As part of the vetting 
process, CBP obtains trade compliance and intelligence information on 
certified importers from several data sources. If CBP gives the 
importer a favorable review, benefits are to begin within a few weeks. 
If not, benefits are not to be granted until successful completion of 
the validation process (see below).

The final step in the review process is validation. CBP's stated 
purpose for validations is to ensure that the security measures 
outlined in certified members' security profiles and periodic self- 
assessments are reliable, accurate, and effective. In the validation 
process, CBP staff meet with company representatives to verify the 
supply chain security measures contained in the company's security 
profile. The validation process is designed to include visits to the 
company's domestic and, potentially, foreign sites. The member and CBP 
jointly determine which elements of the member's supply chain measures 
will be validated, as well as which locations will be visited. Upon 
completion of the validation process, CBP prepares a final validation 
report it presents to the company that identifies any areas that need 
improvement and suggested corrective actions, as well as a 
determination if program benefits are still warranted for the member.

We have conducted previous reviews of the C-TPAT program and CBP's 
targeting and inspection strategy. In July 2003, we reported that CBP's 
management of C-TPAT had not evolved from a short-term focus to a long- 
term strategic approach.[Footnote 10] We recommended that the Secretary 
of Homeland Security work with the CBP Commissioner to develop (1) a 
strategic plan that clearly lays out the program's goals, objectives, 
and detailed implementation strategies; (2) performance measures that 
include outcome-oriented indicators; and (3) a human capital plan that 
clearly describes how C-TPAT will recruit, train, and retain new staff 
to meet the program's growing demands as it implements new program 
elements. In March 2004, we testified that CBP's targeting system does 
not incorporate all key elements of a risk management framework and 
recognized modeling practices in assessing the risks posed by 
oceangoing cargo containers.[Footnote 11]

C-TPAT Benefits Reduce Scrutiny of Shipments:

CBP officials cite numerous benefits to C-TPAT members. As table 2 
shows, these benefits may reduce the scrutiny of members' shipments. 
These benefits are emphasized to the trade community through direct 
marketing in presentations and via CBP's Web site. Although these 
benefits potentially reduce the likelihood of inspection of members' 
shipments, CBP officials noted that all shipments entering the United 
States are subject to random inspections by CBP officials or 
inspections by other agencies.

Table 2: Benefits for C-TPAT Members:

Benefit: A reduced number of inspections and reduced border wait times; 
Reduces amount of scrutiny provided for members? Yes.

Benefit: Reduced selection rate for trade-related compliance 
examinations; 
Reduces amount of scrutiny provided for members? Yes.

Benefit: Self-policing and self-monitoring of security activities; 
Reduces amount of scrutiny provided for members? Yes.

Benefit: Access to the expedited cargo processing at designated FAST 
lanes (for certified highway carriers and certified importers along the 
Canadian and Mexican borders, as well as for certified Mexican 
manufacturers); Reduces amount of scrutiny provided for members? Yes.

Benefit: Eligible for the Importer Self-Assessment Program and has 
priority access to participate in other selected customs programs (for 
certified importers only); 
Reduces amount of scrutiny provided for members? Yes.

Benefit: A C-TPAT supply chain specialist to serve as the CBP liaison 
for validations; 
Reduces amount of scrutiny provided for members? No.

Benefit: Access to the C-TPAT members list; 
Reduces amount of scrutiny provided for members? No.

Benefit: Eligible to attend CBP-sponsored antiterrorism training 
seminars; 
Reduces amount of scrutiny provided for members? No.

Source: CBP's C-TPAT Strategic Plan, January 2005.

[End of table]

CBP Grants Benefits before Verification of Security Procedures:

CBP has in place a two-pronged process to review members' 
qualifications for program benefits. First, CBP has a certification 
process to review the applications and security profiles submitted by 
applicants for any weaknesses or gaps in security procedures. CBP 
officials told us that during the certification process, it compares 
the members' security profiles against the C-TPAT security guidelines. 
Under the process, if there are any missing or unclear items, CBP is 
supposed to contact the member for clarification of those items. If the 
issues are resolved, CBP considers the member to be certified. However, 
if CBP determines that the security profiles contain weaknesses, CBP is 
not supposed to certify the member. According to CBP, approximately 20 
percent of applications are not immediately certified because of 
initial shortcomings with the security profiles. However, CBP has 
stated that a company will not be rejected from participating in C-TPAT 
if there are problems with its security profile. Instead, CBP says it 
will work with companies to try to resolve and overcome any 
deficiencies with the profile itself.

Second, CBP has in place a vetting process to assess the compliance and 
violation history of importers before granting them benefits. If, in 
conducting the vetting process, CBP finds no prior negative compliance, 
violation, or intelligence information, it grants certified importers 
program benefits. According to CBP, to date most certified members who 
have been vetted have proven to have favorable or neutral importing 
histories. CBP officials told us that not many members have been denied 
benefits.

At the program's inception in November 2001, CBP began granting 
benefits to applicants upon receipt of their application for C-TPAT 
membership without any review of the applicants' paperwork. In February 
2004, CBP changed its policy to retroactively delay granting the 
benefits until after CBP reviewed and certified applicants' security 
profiles and completed the vetting process. By providing incentives to 
members to implement certain security measures and performing various 
levels of checks on these measures, the C-TPAT program aims to 
encourage the reduction of vulnerability throughout the supply chain. 
CBP established a certification process in which it reviews the 
applications and profiles by comparing their contents with the security 
guidelines jointly developed by CBP and the industry, looking for any 
weaknesses or gaps in the descriptions of security procedures. The 
vetting process, which is required for importers eligible to receive 
benefits, augments the certification process by providing information 
about past compliance and violations, which CBP officials told us may 
suggest whether members' security practices have historically been 
effective at reducing vulnerability to exploitation. In addition, the 
vetting process may disclose threat concerns by pulling in information 
contained in intelligence databases. Ultimately, however, neither the 
certification nor vetting process provides an actual verification that 
the supply chain security measures contained in the C-TPAT member's 
security profile are accurate and are being followed before CBP grants 
the member benefits. A direct examination of selected members security 
procedures is conducted later as part of CBP's validation process, as 
discussed below.

Weaknesses in Process for Verifying Security Procedures:

After providing benefits, CBP has a validation process to verify C-TPAT 
members' security measures have been implemented and that program 
benefits should continue. However, we found weaknesses in the 
validation process in that CBP has not taken a rigorous approach to 
conducting validations and has not determined the extent to which 
validations are needed. These weaknesses limit the bureau's ability to 
ensure that the program supports the prevention of terrorists and 
terrorist weapons from entering the United States.

Validation Process Lacks Rigor to Achieve Stated Purpose:

CBP's validation process is not rigorous enough to achieve its stated 
purpose, which is to ensure that the security procedures outlined in 
members' security profiles are reliable, accurate, and effective. While 
C-TPAT's stated purpose for validations is to ensure that the member's 
security measures are reliable, accurate, and effective, CBP officials 
told us that validations are not considered independent audits and the 
objectives, scope, and methodology of validations are jointly agreed 
upon with the member representatives. CBP has indicated that it does 
not intend for the validation process to be an exhaustive review of 
every security measure at each originating location; rather it selects 
specific facets of the members' security profiles to review for their 
reliability, accuracy, and effectiveness. For example, the guidance to 
ocean carriers for preparing a security profile directs the carriers to 
address, at a minimum, three broad areas (security program, personnel 
security, and service provider requirements), which contain several 
more specific security measures, such as facilities security and pre- 
employment screening. According to CBP officials, as well as our review 
of selected case files, validations only examine a few facets of 
members' security profiles. CBP supply chain specialists, who are 
responsible for conducting most of the validations, are supposed to 
individually determine which segments of a company's supply chain 
security will be suggested to the member for validation. To assist in 
this decision, supply chain specialists are supposed to compare a 
company's security profile, as well as any self-assessments or other 
company materials or information retrievable in national databases, 
against the C-TPAT security guidelines to determine which elements of 
the profile will be validated. Once the supply chain specialist 
determines the level and focus of the validation, the specialist is 
supposed to contact the member company with a potential agenda for the 
validation. The two parties then jointly reach agreement on which 
security elements will be reviewed and which locations will be visited.

CBP has no written guidelines for its supply chain specialist to 
indicate what scope of effort is adequate for the validation to ensure 
that the member's security measures are reliable, accurate, and 
effective, in part because it seeks to emphasize the partnership nature 
of the program. Importantly, CBP has no baseline standard for what 
minimally constitutes a validation. CBP discourages supply chain 
specialists from developing a set checklist of items to address during 
the validation, as CBP does not want to give the appearance of 
conducting an audit. In addition, as discussed later in the management 
section of this report, the validation reports we reviewed did not 
consistently document how the elements of members' security profiles 
were selected for validation.

CBP Has Not Determined the Extent to Which Validations Are Needed:

CBP has not determined the extent to which it must conduct validations 
of members' security profiles to ensure that the operation of C-TPAT is 
consistent with its overall approach to managing risk. In 3 years of C- 
TPAT operation, CBP has validated about 10 percent of its certified 
members. CBP's original goal was to validate all certified members 
within 3 years of certification. However, CBP officials told us that 
because of rapid growth in program membership, it would not be possible 
to meet this goal. In February 2004, CBP indicated that approximately 
5,700 companies had submitted signed agreements to participate in the 
program. As shown in figure 2, by November 2004, the number of members 
had grown to over 7,000, about 4,200 of which had been certified and 
thus eligible for validation. According to CBP, as of November 2004, 
CBP staff had completed validations of 409 companies, including 147 
importers.

Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004:

[See PDF for image]

[End of figure]

CBP has made efforts to hire additional supply chain specialists to 
handle validations for the growing membership. As of August 2004, CBP 
had hired a total of 40 supply chain specialists to conduct 
validations, with 24 field office managers also available to conduct 
validations. CBP officials told us the bureau is currently conducting 
as many validations as its resources allow. However, CBP has not 
determined the number of supply chain specialists it needs or the 
extent to which validations are needed to provide reasonable assurance 
that it is employing a good risk management approach for the program.

CBP Considers Variety of Factors to Prioritize Validations:

As noted above, CBP officials told us it would not be possible to meet 
the goal of validating every member within 3 years of certification. 
Instead, CBP is using what it calls a risk-based approach, which 
considers a variety of factors to prioritize which members should be 
validated as resources allow. CBP has an internal selection process it 
is supposed to apply to all certified members. Under this process CBP 
officials are supposed to prioritize members for validation based on 
established criteria but may also consider other factors.

CBP officials noted that other factors could affect the prioritization 
of members for validation. For example, recent seizures involving C- 
TPAT members can affect validation priorities. If a member is involved 
in a seizure, CBP officials noted that the member is supposed to lose 
program benefits and be given top priority for a validation. In 
addition, CBP officials told us that an importer that failed CBP's 
vetting process would also be given top priority for a validation. CBP 
officials have taken this approach because any importer that fails the 
vetting process is not supposed to receive program benefits until after 
successful completion of the validation process.

In August 2004, CBP began using a risk assessment tool developed for 
CBP's regulatory audits to assist in its prioritization of importers 
for validation. This tool ranks importers by risk according to factors 
such as value of imports, import volume, and method of transportation 
used by the importer for its goods.[Footnote 12] CBP tailored the tool 
to consider only those factors it deemed relevant to C-TPAT. Applying 
the tool with this revised set of factors, CBP officials told us they 
produced a list that ranked each certified importer according to its 
risk. However, these ranked importers are then re-evaluated, along with 
members from other trade sectors, using CBP's internal selection 
process criteria. CBP officials told us that the human element provided 
by their internal selection process was important in prioritizing 
members for validation.

Incomplete Progress in Addressing Management Weaknesses:

CBP continues to expand the C-TPAT program without addressing 
management weaknesses that could hinder the bureau from achieving the 
program's dual goals of securing the flow of goods bound for the United 
States and facilitating the flow of trade. In our July 2003 report, we 
recommended that the Secretary of Homeland Security work with the CBP 
Commissioner to develop (1) a strategic plan that clearly lays out the 
program's goals, objectives, and detailed implementation strategies; 
(2) a human capital plan that clearly describes how C-TPAT will 
recruit, train, and retain new staff to meet the program's growing 
demands as it implements new program elements; and (3) performance 
measures that include outcome-oriented indicators. While CBP agreed 
with our July 2003 recommendations, to date only one of them--the 
development of a strategic plan--has been implemented. According to 
CBP, the bureau is continuing to work on the July 2003 recommendations, 
which are in different stages of review.

CBP Has Finalized Its Strategic Plan:

While a draft of this report was with DHS for comment, CBP issued a 
final strategic plan for C-TPAT on January 13, 2005. Our brief review 
of this plan indicates that it appears to clearly articulate the goals 
of the program, their relationship to broader CBP goals, and strategies 
for achieving them. For example, according to the plan there are five 
goals for the C-TPAT program:

1. ensure that C-TPAT partners improve the security of their supply 
chains pursuant to C-TPAT security criteria,

2. provide incentives and benefits to include expedited processing of C-
TPAT shipments to C-TPAT partners,

3. internationalize the core principles of C-TPAT through cooperation 
and coordination with the international community,

4. support other CBP security and facilitation initiatives, and:

5. improve administration of the C-TPAT program.

While we have not fully reviewed the strategic plan, it is a step in 
the right direction, and we encourage CBP to ensure that future plans 
include all of the key elements of a strategic plan as described in the 
Government Performance and Results Act of 1993. Specifically, the 
formal strategic plan should include a description of performance goals 
and how they are related to the general goals and objectives of the 
program, as well as a description of program evaluations, which are 
useful for identifying key factors likely to affect program 
performance. 

CBP Has Not Completed a Human Capital Plan:

As a companion to developing a strategic plan for C-TPAT, CBP is 
developing an implementation plan to address the lower-level strategies 
for carrying out the program's goals. CBP told us it is still 
developing the implementation plan for the program but that it will 
include those elements required in a human capital plan. For example, 
CBP said it has developed new positions, training programs and 
materials, and a staffing plan. Further, CBP said the C-TPAT program 
will continue to refine all aspects of its human capital plan to 
include headquarters personnel, additional training requirements, 
budget, and future personnel profiles.

CBP Has Not Completed Development of Performance Measures:

CBP has told us that it continues developing a comprehensive set of 
performance measures and indicators for C-TPAT. In support of the 
department's Future Years Homeland Security Program, CBP officials told 
us has identified 21 budget subactivities (programs, including C-TPAT) 
and has been tasked to develop two performance measures for each: (1) a 
main measure that would reflect program outcomes and (2) an efficiency 
measure that would reflect time or cost savings achieved through the 
program. CBP's Director, Strategic Planning and Audit Division, Office 
of Policy and Planning, noted that developing these measures for C- 
TPAT, as well as other programs in the bureau, has been difficult. The 
director noted that CBP lacks data necessary to exhibit whether a 
program has prevented or deterred terrorist activity. For example, as 
noted in the C-TPAT strategic plan, it is difficult to measure program 
effectiveness in terms of deterrence because generally the direct 
impact on unlawful activity is unknown. The plan also notes that while 
traditional workload measures are a valuable indicator, they do not 
necessarily reflect the success or failure of the bureau's efforts. CBP 
is working to collect more substantive information--related to C-TPAT 
activities (i.e., current workflow process)--to develop its performance 
measures. In commenting on a draft of this report, CBP indicated it has 
developed initial measures for the program but will continue to develop 
and refine these measures to ensure program success.

CBP's Records Management Practices for C-TPAT Are Inadequate:

CBP's record keeping for the program is incomplete, as key decisions 
are not always documented and programmatic information is not updated 
regularly or accurately. Federal regulations require that bureau record-
keeping procedures provide documentation to facilitate review by 
Congress and other authorized agencies of government. Further, 
standards for internal control in the federal government require that 
all transactions be clearly documented in a manner that is complete, 
accurate, and useful to managers and others involved in evaluating 
operations.

To get a better understanding of the validation process, we asked CBP 
to provide us with examples of company files for which validations had 
been completed. CBP selected six members' files for us to review for 
some of the initial validations the bureau conducted. During our 
review, it was not always clear what aspect of the security profile was 
being validated and why a particular site was selected at which to 
conduct the validation because there was not always documentation of 
the decision-making process. The aspects of the security profiles 
covered and sites visited did not always appear to be the most 
relevant. For example, one validation report we reviewed for a major 
retailer--one that imports the vast majority of its goods from Asia-- 
indicated that the validation team reviewed facilities in Central 
America. CBP officials noted that it recently revised its validation 
report format to better capture any justification for report 
recommendations and best practices identified. CBP then provided us 
with eight additional member files with more recently completed 
validation reports. After reviewing the more recent validation reports 
contained in these files, we noted that there appeared to be a greater 
discussion related to the rationale for validating specific aspects of 
the security profiles. However, these files did not consistently 
contain other documentation of members' application, certification, 
vetting, receipt of benefits, or validation. While files contained some 
of these elements, they were generally not complete. In fact, most 
files did not usually contain anything beyond copies of the member's C- 
TPAT agreement, security profiles, and validation report. When we asked 
if CBP required its supply chain specialists to document their 
communications with C-TPAT members, CBP officials told us there has 
been no requirement that communications be documented. For example, 
member files we reviewed contained no documentation of communications 
between CBP and members regarding how the scope of a validation was 
determined. Recently, supply chain specialists located at CBP 
headquarters (but not at field offices) have been asked to document all 
conversations with member companies on a spreadsheet, so that each 
supply chain specialist will be aware of the outcomes of conversations 
with member companies.

CBP does not update programmatic information regularly or accurately. 
In particular, the reliability of CBP's database to track member status 
using key dates in the application through validation processes is 
questionable. The database, which is primarily used for documentation 
management and workflow tracking, is not updated on a regular basis. In 
addition, C-TPAT management told us that earlier data entered into the 
database may not be accurate, and CBP has taken no systematic look at 
the reliability of the database. CBP officials also told us that there 
are no written guidelines for who should enter information into the 
database or how frequently the database should be updated. We made 
several requests over a period of weeks to review the contents of the 
database to analyze workload factors, including the amount of time that 
each step in the C-TPAT application and review process was taking. The 
database information that CBP ultimately provided to us was incomplete, 
as many of the data fields were missing or inaccurate. For example, 
more than 33 percent of the entries for validation date were 
incomplete. In addition, data on the status of companies undergoing the 
validation process was provided in hard copy only and included no date 
information. CBP officials told us that they are currently exploring 
other data management systems, working to develop a new, single 
database that would capture pertinent data, as well as developing a 
paperless environment for the program.

Conclusions:

CBP's primary reliance on members' self-reporting about their security 
procedures to receive C-TPAT benefits places added importance on the 
validation process, which is CBP's method of verifying the 
effectiveness, efficiency, and accuracy of the security profile. 
However, the weaknesses in the validation process we found raise 
questions about its effectiveness. CBP's validation process, the 
purpose of which is to ensure that members' security measures are 
reliable, accurate, and effective, is not rigorous enough to achieve 
CBP's goals because of the bureau's consideration of the process as a 
joint, partnership review with the member company. In this vein, 
without guidelines for what constitutes a validation, CBP cannot be 
sure that it effectively and consistently verifies a standard set of 
security measures to ensure some minimally appropriate level of 
vulnerability reduction, nor can it apply a methodical approach to 
assessing the security procedures. In addition, CBP has not assessed 
the extent (in terms of numbers or percentage) to which it must conduct 
validations to ensure that the C-TPAT program is consistent with its 
overall approach to managing risk. Also, we found a lack of clear 
documentation for the validation process. Because of these weaknesses, 
CBP's ability to provide assurance that the program prevents terrorists 
and terrorist weapons from entering the United States is limited.

Finally, CBP has not completed corrective actions from our July 2003 
report, which were meant to change the management of the program from a 
short-term focus to a strategic focus. Specifically, CBP has not 
completed (1) developing performance measures with which to measure the 
program's success in achieving bureau goals and inform decisions for 
process improvement and (2) developing a human capital plan to account 
for how the program will recruit, train, and retain staff to achieve 
program goals. CBP also does not have a basic records management system 
to ensure adequate internal controls to manage the program. Because of 
these management weaknesses, CBP will have difficulty effectively 
planning, executing, and monitoring the program.

Recommendations for Executive Action:

To help CBP achieve C-TPAT objectives and address the challenges 
associated with its continued development, we recommend that the 
Secretary of Homeland Security direct the Commissioner of U.S. Customs 
and Border Protection to take the following five actions:

* strengthen the validation process by providing appropriate guidance 
to specialists conducting validations, including what level of review 
is adequate to determine whether member security practices are 
reliable, accurate, and effective;

* determine the extent (in terms of numbers or percentage) to which 
members should be validated in lieu of the original goal to validate 
all members within 3 years of certification;

* complete the development of performance measures, to include outcome- 
based measures and performance targets, to track the program's status 
in meeting its strategic goals;

* complete a human capital plan that clearly describes how the C-TPAT 
program will recruit, train, and retain sufficient staff to 
successfully conduct the work of the program, including reviewing 
security profiles, vetting, and conducting validations to mitigate 
program risk; and:

* implement a records management system that accurately and timely 
documents key decisions and significant operational events, including a 
reliable system for (1) documenting and maintaining records of all 
decisions in the application through validation processes, including 
but not limited to documentation of the objectives, scope, 
methodologies, and limitations of validations, and (2) tracking member 
status.

Agency Comments and Our Evaluation:

We provided a draft of this report to the Secretary of DHS for comment. 
We received comments from the Commissioner of U.S. Customs and Border 
Protection that are reprinted in appendix II. CBP generally agreed with 
our recommendations and outlined actions it either had taken or was 
planning to take to implement them.

CBP agreed with our two recommendations on validations and said it will 
readdress the validation process. Specifically, CBP said that it was 
developing standard operating procedures, guidance, and written 
baseline criteria for the validation process, as well as an automated 
validation tool to document validations. CBP also agreed to determine 
the extent to which C-TPAT members should be validated, stating that it 
will develop member selection criteria and an automated system to 
standardize and assist in the selection of companies for validation. If 
properly implemented, these actions should address the intent of these 
recommendations.

Our draft report also included a recommendation to complete a formal 
strategic plan that clearly articulates goals, linkages, and 
strategies. While our draft report was with DHS for comment, CBP issued 
its final strategic plan on January 13, 2005. Our brief review of this 
strategic plan indicates that it appears to address the intent of our 
recommendation. Therefore, we removed the recommendation from this 
report. Nevertheless, as CBP further refines its strategic plan in the 
future, we encourage CBP to include all of the key elements of a 
strategic plan as described in the Government Performance and Results 
Act of 1993. Specifically, the formal strategic plan should include a 
description of performance goals and how they are related to the 
general goals and objectives of the program, as well as a description 
of program evaluations, which are useful for identifying key factors 
likely to affect program performance.

CBP agreed with our recommendation on developing performance measures, 
and has developed initial measures relating to membership, inspection 
percentages, and validation effectiveness. CBP has developed new 
performance measures for use in the FY 2006 Fiscal Year Homeland 
Security Plan and plans to enlist the help of a contractor to develop 
other outcome-based performance measures and targets. If properly 
implemented, these plans should help address the intent of this 
recommendation.

In addressing our recommendation to complete a human capital plan for 
the C-TPAT program, CBP told us it is still developing an 
implementation plan for the program that will include those elements 
required in a human capital plan. For example, CBP said it has 
developed new positions, training programs and materials, and a 
staffing plan. Further, CBP said the C-TPAT program will continue to 
refine all aspects of its human capital plan to include headquarters 
personnel, additional training requirements, budget, and future 
personnel profiles. If the final implementation plan contains these 
elements, the plan should address the intent of the recommendation.

CBP agreed with our recommendation on implementing a records management 
system that accurately and timely documents key decisions and 
significant operational events. While its comments did not specify the 
nature or capabilities of a new system, CBP indicated that in the near 
future, it plans to automate every aspect of the C-TPAT program, both 
internally and externally. In automating its system, to fully meet the 
intent of this recommendation, CBP needs to ensure that the system 
addresses all aspects of C-TPAT operations and that tracking member 
status is done timely, accurately, and reliably.

Notwithstanding its general agreement with the recommendations, CBP 
expressed some concerns regarding the report. In its general comments, 
CBP said that C-TPAT is a voluntary program that is not designed to 
confirm company compliance with regulatory requirements. Further, CBP 
said it is very difficult for the U.S. government to regulate supply 
chain security procedures outside the country. CBP also noted that it 
is looking to establish more broadly applicable minimum security 
standards that may build on C-TPAT requirements. Our report clearly 
notes that the program is of a voluntary nature, designed around 
security guidelines jointly developed by CBP and the trade community. 
The cooperation envisioned by the C-TPAT program can build productive 
relationships and encourage supply chain security. However, in 
accepting members into the program, CBP still has the responsibility 
for verifying that security measures planned or claimed by C-TPAT 
members are properly implemented and effective. This program goes 
beyond trade facilitation in that it awards benefits that can reduce 
the scrutiny given cargo containers arriving in the United States. This 
is not a matter of regulating supply chain security in other countries. 
Rather, it is a matter of providing a security benefit for containers 
arriving at our nation's ports. If CBP does not ensure that this 
important security-related benefit is deserved, it runs the risk of 
overlooking potentially dangerous cargo during the inspection process.

CBP also said that the report's title is misleading, asserting that it 
creates the improper impression that only the validation process 
ensures adequate security for containerized cargo and does not place 
enough emphasis on the certification and vetting processes, as well as 
omits that C-TPAT cargo is not exempt from advance reporting 
requirements or enforcement and security inspections, such as random 
inspections and nonintrusive screening technology. Our report clearly 
describes the various steps CBP takes in the overall cargo inspection 
process and how the C-TPAT program fits into that process. The report 
also clearly describes the purpose of each process within the C-TPAT 
program, including the validation process that is to determine whether 
C-TPAT members' security procedures are accurate, reliable, and 
effective. We did modify the report's title and, where appropriate, the 
text to better reflect the report's focus on C-TPAT versus other 
programs in CBP's layered enforcement strategy for cargo security. 
However, any weakness in C-TPAT could weaken CBP's layered approach. 
Given that C-TPAT members enjoy benefits that reduce the likelihood of 
an inspection of their cargo, not having an effective validation 
process could serve to defeat the purposes of the other enforcement 
layers.

Finally, CBP noted many benefits achieved under the C-TPAT program, 
including that thousands of companies working as part of C-TPAT have 
taken concrete steps to improve their security procedures and that C- 
TPAT has fostered an expanding international dialogue on best security 
practices. We agree that actions on the part of program members to 
shore up supply chain security are valuable and desirable. Again, with 
the threat of terrorism present in the global supply chain, we believe 
that verifying that planned improvements are actually implemented and 
ensuring that security controls are effective are important 
responsibilities that cannot be achieved only with members self- 
reporting about their security procedures.

CBP also offered technical comments and clarifications, which we 
considered and incorporated where appropriate.

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
after its issue date. At that time, we will provide copies of this 
report to appropriate departments and interested congressional 
committees. We will also make copies available to others upon request. 
In addition, the report will be available on GAO's Web site 
http://www.gao.gov.

If you or your staff have any questions about this report, please 
contact me at (202) 512-8777 or at stanar@gao.gov. Key contributors to 
this report are listed in appendix III.

Signed by: 

Richard M. Stana: 
Director, Homeland Security and Justice Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

Objectives:

We addressed the following questions regarding the U.S. Customs and 
Border Protection's (CBP, formerly the U.S. Customs Service) Customs- 
Trade Partnership Against Terrorism (C-TPAT):

* What benefits does CBP provide to C-TPAT members?

* Before providing benefits, what approach does CBP take to determine C-
TPAT members' eligibility for them?

* After providing benefits, how does CBP verify that members have 
implemented their security measures?

* To what extent has CBP developed strategies and related management 
tools for achieving the program's goals?

Scope and Methodology:

To address these questions, we visited CBP's headquarters in 
Washington, D.C., which manages the C-TPAT program. We interviewed CBP 
officials and reviewed available data and documentation for the 
program. We reviewed individual CBP files for a subset of C-TPAT 
members, including members with responsibilities along various parts of 
the supply chain. We also reviewed CBP's database for tracking member 
status in the program from the program's inception through July 2004. 
All records in this database were reviewed. We intended to use these 
data to select a random set of files to review and to conduct analyses 
of workloads, but the data were not reliable enough to do so (see 
below). Given the weaknesses in the files as well as the data 
reliability issues, our review focused on identifying C-TPAT's 
processes. Because of deficiencies in the files and database, we were 
unable to verify the extent CBP actually follows these processes for 
individual members. We also obtained the status of the agency's efforts 
to implement our prior recommendations for the program, including the 
completion of a strategic plan, a human capital plan, and performance 
measures.

We conducted our work from February through December 2004 in accordance 
with generally accepted government auditing standards.

Data Reliability:

To assess the reliability of CBP's database for tracking member status 
in C-TPAT, we (1) reviewed existing documentation related to the data 
sources, (2) electronically tested the data to identify obvious 
problems with completeness or accuracy, and (3) interviewed 
knowledgeable bureau officials about the data. Initial reliability 
testing of this database and interviews of staff with responsibility 
for the program led us to conclude that data used to track participant 
status had some serious reliability weaknesses. We determined that 
using the data in certain cases, for example, to calculate average 
times for phases of the membership process, might have led to an 
incorrect or misleading message. However, we determined that the data 
were sufficiently reliable for limited use in descriptions of the 
program status, such as the approximate numbers of participants, 
because our analysis and discussions with CBP officials assured us that 
those data fields were reasonably complete and accurate.

[End of section]

Appendix II: Comments from the Department of Homeland Security:

This version of our report is unrestricted based on a security review 
by CBP.

[End of section]

Appendix III GAO Contacts and Staff Acknowledgments:

U.S. Department of Homeland Security: 
Washington, DC 20229:

U.S. Customs and Border Protection:

Commissioner:

Mr. Richard M. Stana:
Director, Homeland Security and Justice: 
Government Accountability Office:
441 G Street, N.W.: 
Washington, D.C. 20548:

Dear Mr. Stana:

Thank you for the opportunity to review and comment on the Government 
Accountability Office (GAO) draft report related to the Customs-Trade 
Partnership Against Terrorism (C-TPAT) program. U.S. Customs and Border 
Protection (CBP) and the Department of Homeland Security (DHS) 
appreciate the work done in this review to identify areas where actions 
can be taken by CBP to improve the C-TPAT program. Technical comments 
were provided to GAO under a separate cover; however, there are a few 
areas of the report that deserve comment.

When C-TPAT was established in response to the attacks of September 11, 
the intent was to build a partnership to leverage the resources of the 
private sector so that the limited resources of the government could be 
focused on inspecting high-risk cargo shipments. Any evaluation of C- 
TPAT must recognize that it is a voluntary partnership to improve the 
security of the United States and not a program to confirm importer 
compliance with a regulatory requirement. The C-TPAT participants 
voluntarily share with the government details of sensitive corporate 
security plans and again, voluntarily, agree to allow government 
representatives access to their facilities to confirm that they are 
following their own security plans and that these plans meet or exceed 
C-TPAT supply chain security criteria. DHS believes that to date, 
thousands of companies working under the auspices of this partnership 
have taken concrete steps to improve their security procedures, thereby 
increasing global supply chain security and the security of the United 
States.

The supply chain that facilitates the shipment of cargo to the United 
States is global. It is very difficult for our government to regulate 
the security procedures outside our country. However, C-TPAT importers 
are willing to use their business leverage over their foreign suppliers 
throughout the world to require their suppliers to improve security at 
the beginning of the supply chain.

This free and open communication with industry has allowed Customs and 
Border Protection to further identify security baseline practices and 
best practices. This has been a leaming experience for all involved, 
and through this exchange C-TPAT has fostered an expanding 
international dialogue on best security practices. This has created an 
opportunity for DHS to work internationally to promote supply chain 
security.

C-TPAT is a partnership program that has benefits for both the 
government and the industry participants. The title of the draft 
report, "DHS Grants Importers Reduced Scrutiny with Limited Assurance 
of Adequate Security", is misleading. The title creates the improper 
impression that only the validation process assures adequate security 
for containerized cargo. The report places excessive emphasis on the 
validation process without adequately reflecting the certification and 
vetting process within C-TPAT and the other layers of security put in 
place since the terrorist attacks three years ago. However, as noted 
below, we believe the shipments of a company which has committed to C- 
TPAT security levels represent less risk. That lessened risk is taken 
into account in our risk targeting rules. That said, C-TPAT cargo is 
not exempt from advance reporting requirements, enforcement and 
security inspections, random inspections, or non-intrusive screening 
technology such as radiation portals where we are moving to 100% 
screening of all in-bound cargo for WMD threats. The DHS cargo security 
strategy clearly identifies the screening of all containers for WMD's 
as its highest priority.

The discussion of the benefits of C-TPAT, including the section "C-TPAT 
Benefits Designed to Reduce Scrutiny of Shipments" would be more 
accurate if it reflected that the benefits of the program were designed 
to create incentives for industry to improve supply chain security. 
Eligibility for the Importer Self-Assessment Program (ISA) for example, 
is included as a benefit that reduces the level of scrutiny.

Further, CBP, in the context of the DHS cargo security strategy, is 
looking to establish more broadly applicable minimum security standards 
that may in some cases build on C-TPAT requirements. For example, CBP 
is currently working on a proposed regulatory standard that would 
require 100 percent of all loaded in-bound maritime containers to be 
outfitted with a high-security seal that would be verified before the 
cargo is loaded at the foreign port. The C-TPAT program currently 
includes guidelines for high security seals that meet or exceed this 
regulatory requirement. The movement of a C-TPAT guideline to a more 
broadly regulated minimum standard is another way to transition 
industry towards a stricter security framework.

Finally, C-TPAT is part of our overall risk management approach. C-TPAT 
helps identify the importers that take security seriously. This 
information is factored into the risk assessment and lower risk cargo 
receives less scrutiny. That is how risk management works. The 
resources used to validate that low risk importers are truly low risk 
must be reasonable when balanced against the greater threat presented 
by higher risk cargo. That is not to say that the C-TPAT program cannot 
be improved. On the contrary, DHS concurs with the final 
recommendations in the report.

As part of their corrective action plan, CBP will readdress the 
validation process, including establishing policies and procedures 
related to the extent to which C-TPAT members are validated. Actions 
that CBP plans to take regarding specific recommendations are below:

Recommendation 1: Strengthen the validation process by providing 
appropriate guidance to specialists conducting validations, including 
what level of review is adequate to determine whether member security 
practices are reliable, accurate, and effective.

Response: CBP has provided all Supply Chain Specialists (SCS) with a 
comprehensive training program developed by CBP's Office of Training 
and Development. SCS training includes specific instruction on 
validation scope and methodology, conducting pre-validation research, 
supply chain identification/selection, and report writing. CBP is 
developing Standard Operating Procedures and directives to provide 
further clarification and guidance for all SCS personnel conducting 
validations. This will include the need for appropriate documentation 
of the validation process. CBP will also develop an automated 
validation tool for SCS.

Recognizing that no two international supply chains or validations are 
exactly the same, and that C-TPAT must remain flexible to meet the 
complex challenges of international trade, CBP will develop written 
baseline criteria for assisting the SCS in determining if member's 
security practices and processes are adequate and effective.

Recommendation 2: Determine the extent (in terms of numbers or 
percentage) to which members should be validated in lieu of the 
original goal to validate all members within three years of 
certification.

Response: Overwhelming response by the trade community forced CBP to 
reconsider its original goal to validate all certified members within a 
three-year period. Selection for validations were initially based upon 
risk management principles, i.e., strategic threat geographically, 
import volume/value, security related incidents, history of compliance/ 
violations, etc. CBP will further refine the risk management process 
and develop member selection methodology/criteria and an automated 
system to standardize and assist in the selection process. C-TPAT will 
determine and prioritize which sectors of membership will be selected 
for validations, select individual companies based upon a standardized 
risk assessment, and identify "company specific" high-risk supply 
chains to better focus our efforts and resources. The resource needs to 
support this approach will be reflected in the human capital plan.

Recommendation 3: Complete a formal strategic plan that clearly 
articulates the goals of the C-TPAT program, their relationship to 
broader CBP goals, and strategies for achieving them.

Response: As part of its ongoing industry outreach effort, C-TPAT has 
developed a strategic plan that was shared with the public during CBP's 
Trade Symposium on January 13 and 14, 2005 and is attached to this 
response. CBP is continuing its efforts to strategically strengthen C- 
TPAT and is working with the Department of Homeland Security to draft 
an implementation plan for the program. This implementation plan will 
build on the public dialogue associated with the strategic plan and 
specifically focus on developing performance metrics to adequately 
assess security and trade facilitation aspects, human resource 
requirements and a plan for transitioning C-TPAT requirements to 
minimum baseline standards (as may be appropriate), consistent with 
GAO's recommendations."

Recommendation 4: Complete the development of performance measures, to 
include outcome-based measures and performance targets, to track the 
program's status in meeting its strategic goals.

Response: C-TPAT has developed initial measures to determine the scope 
of the program (i.e., membership), measures to gauge the realization of 
benefits by certified members (i.e., inspection percentages), and 
measures to gauge the effectiveness of validations. C-TPAT has refined 
its measures in coordination with the Department. New measures have 
been developed for use in the FY 2006 Fiscal Year Homeland Security 
Plan. They include: compliance rate for C-TPAT members with the 
established C-TPAT security guidelines, C-TPAT validation labor 
efficiency rate, average CBP exam reduction ratio for C-TPAT member 
importers compared to non-C-TPAT importers, and time savings to process 
U.S./Mexico Border FAST lane transactions. In addition, CBP will be 
identifying a contractor to assist with the development of outcome- 
based measures and performance targets for the C-TPAT program. CBP will 
continue to develop and refine these and other measures as may be 
required to ensure program success.

Recommendation 5: Complete a formal human capital plan that clearly 
describes how the C-TPAT program will recruit, train, and retain 
sufficient staff to successfully conduct the work of the program, 
including reviewing security profiles, vetting, and conducting 
validations to mitigate program risk.

Response: To date, C-TPAT has developed the new SCS position, developed 
an official 2 week training program, developed a formalized SCS 
training manual, conducted two rounds of SCS selections, conducted two 
formal training programs, established four C-TPAT field offices, and 
developed a future continuing education program for C-TPAT personnel. 
In addition, CBP produced a detailed SCS staffing plan which analyzed 
current SCS workload, annual program growth rate, actual duties being 
performed by SCS, time to complete average validation, and the number 
of validations an SCS can complete in 1 year. C-TPAT will continue to 
refine all aspects of the human capital plan to include Headquarters 
personnel, additional training requirements, budget, and future 
personnel profiles.

Recommendation 6: Implement a records management system that accurately 
and timely documents key decisions and significant operational events, 
including a reliable system for (1) documenting and maintaining records 
of all decisions in the application through validation processes, 
including but not limited to documentation of the objectives, scope, 
methodologies, and limitation of validations, and (2) tracking member 
status.

Response: CBP's goal is to automate every aspect of the C-TPAT program, 
both internally and externally. In the near future, only electronic 
submissions will be accepted by C-TPAT. Trade partners will submit 
information through a web application. The information will be 
processed against internal risk criteria and accepted or denied 
immediate responses generated and validation time frames established. 
Internally, information will be easily stored, reports generated and 
risk analysis conducted. Externally, response times will decrease and 
more information will be readily available.

Thank you for the opportunity to review and provide comments to the 
draft report. Our expectation is that this report will be handled 
appropriately as a "Limited Official Use Only" document due to the 
sensitivity of the information contained in the report.

Yours truly,

Signed by: 

Robert C. Bonner: 
Commissioner: 

Attachment: 

[End of section]

GAO Contacts:

Richard M. Stana (202) 512-8777; 
Stephen L. Caldwell (202) 512-9610:

Staff Acknowledgments:

In addition to those named above, Kristy N. Brown, Kathryn E. Godfrey, 
Wilfred B. Holloway, Stanley J. Kostyla, Shakira O'Neil, and Deena D. 
Richart made key contributions to this report.

[End of section]

Related GAO Products:

Homeland Security: Process for Reporting Lessons Learned from Seaport 
Exercises Needs Further Attention. GAO-05-170. Washington, D.C.: 
January 14, 2005.

Port Security: Planning Needed to Develop and Operate Maritime Worker 
Identification Card Program. GAO-05-106. Washington, D.C.: December 10, 
2004.

Maritime Security: Better Planning Needed to Help Ensure an Effective 
Port Security Assessment Program. GAO-04-1062. Washington, D.C.: 
September 30, 2004.

Maritime Security: Substantial Work Remains to Translate New Planning 
Requirements into Effective Port Security. GAO-04-838. Washington, 
D.C.: June 30, 2004.

Border Security: Agencies Need to Better Coordinate Their Strategies 
and Operations on Federal Lands. GAO-04-590. Washington, D.C.: June 
2004.

Homeland Security: Summary of Challenges Faced in Targeting Oceangoing 
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 
31, 2004.

Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail 
Security, but Significant Challenges Remain. GAO-04-598T. Washington, 
D.C.: March 23, 2004.

Department of Homeland Security, Bureau of Customs and Border 
Protection: Required Advance Electronic Presentation of Cargo 
Information. GAO-04-319R. Washington, D.C.: December 18, 2003.

Homeland Security: Preliminary Observations on Efforts to Target 
Security Inspections of Cargo Containers. GAO-04-325T. Washington, 
D.C.: December 16, 2003.

Posthearing Questions Related to Aviation and Port Security. GAO-04- 
315R. Washington, D.C.: December 12, 2003.

Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 
19, 2003.

Maritime Security: Progress Made in Implementing Maritime 
Transportation Security Act, but Concerns Remain. GAO-03-1155T. 
Washington, D.C.: September 9, 2003.

Container Security: Expansion of Key Customs Programs Will Require 
Greater Attention to Critical Success Factors. GAO-03-770. Washington, 
D.C.: July 25, 2003.

Homeland Security: Challenges Facing the Department of Homeland 
Security in Balancing Its Border Security and Trade Facilitation 
Missions. GAO-03-902T. Washington, D.C.: June 16, 2003.

Transportation Security: Federal Action Needed to Address Security 
Challenges. GAO-03-843. Washington, D.C.: June 30, 2003.

Transportation Security: Post-September 11th Initiatives and Long-Term 
Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003.

Border Security: Challenges in Implementing Border Technology. GAO-03- 
546T. Washington, D.C.: March 12, 2003.

Customs Service: Acquisition and Deployment of Radiation Detection 
Equipment. GAO-03-235T. Washington, D.C.: October 17, 2002.

Port Security: Nation Faces Formidable Challenges in Making New 
Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002.

FOOTNOTES

[1] GAO, Container Security: Expansion of Key Customs Programs Will 
Require Greater Attention to Critical Success Factors, GAO-03-770, 
Washington, D.C.: July 25, 2003.

[2] The Free and Secure Trade (FAST) program is a CBP program that 
allows Canadian and Mexican companies expedited processing of their 
commercial shipments at the border.

[3] A supply chain consists of all stages involved in fulfilling a 
customer request, including the manufacturer, suppliers, transporters, 
warehouses, and retailers.

[4] A container is a van, open-top trailer, or other similar trailer 
body on or into which cargo is loaded and transported.

[5] Department of Transportation Volpe National Transportation Systems 
Center, Intermodal Cargo Transportation: Industry Best Security 
Practices (Cambridge, Mass.: June 2002).

[6] The layered enforcement strategy encompasses CBP programs including 
C-TPAT (addressed in this report), as well as the Container Security 
Initiative (CSI). CSI is an initiative whereby CBP places staff at 
designated foreign seaports to work with foreign counterparts to 
identify and inspect high-risk containers for weapons of mass 
destruction before they are shipped to the United States. We are 
currently reviewing the CSI program and a report is forthcoming.

[7] In addition, there are hundreds of foreign-based air, rail, sea, 
and truck carriers certified in C-TPAT.

[8] For fiscal year 2004, CBP had authorization for 157 positions for 
supply chain specialists and support staff, but as of August 2004 had 
hired only 40 specialists. CBP officials noted that the bureau 
recognizes the need for additional permanent positions, and CBP plans 
to hire, train, and have in place an additional 30 to 50 supply chain 
specialists by the end of calendar year 2004.

[9] CBP established security guidelines to assist companies in 
completing their security profiles. Each set of security guidelines is 
tailored according to member type.

[10] GAO, Container Security: Expansion of Key Customs Programs Will 
Require Greater Attention to Critical Success Factors, GAO-03-770, 
Washington, D.C.: July 25, 2003.

[11] GAO, Homeland Security: Summary of Challenges Faced in the 
Targeting of Oceangoing Cargo Containers for Inspection, GAO-04-557T, 
Washington, D.C.: March 2004.

[12] CBP officials told us they are currently working to adapt the risk 
assessment tool so that it can be applied to C-TPAT members from 
additional trade sectors, such as brokers and carriers.

GAO's Mission:

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:



Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: