CTPAT MSC for U.S. Importers

Every CTPAT Minimum Security Criterion for U.S. Importers — labeled Must or Should, straight from CBP’s official document.

The CTPAT Minimum Security Criteria (MSC) for U.S. Importers is the official CBP document that defines exactly what a U.S. importer must do — and what it should do — to become and remain CTPAT-certified. This page walks through all 12 criteria categories, lists every criterion by its official CBP ID number, and labels each one as a Must (required) or Should (strongly recommended) based on CBP's own classification.

MustRequired

ShouldStrongly recommended

How the MSC Is Organized

CBP organizes the U.S. Importer MSC into three Focus Areas containing 12 criteria categories. Criterion ID numbers are not sequential — CBP omits IDs that do not apply to importers, which is why you will see jumps like 3.1 → 3.4 → 3.5 or 5.8 → 5.14 → 5.29. This page preserves CBP's exact numbering so that every reference lines up with the source document.

Focus Area 1 — Corporate Security: Categories 1–4 (Security Vision, Risk Assessment, Business Partners, Cybersecurity)
Focus Area 2 — Transportation Security: Categories 5–8 (Conveyance/IIT Security, Seal Security, Procedural Security, Agricultural Security)
Focus Area 3 — People and Physical Security: Categories 9–12 (Physical Security, Physical Access Controls, Personnel Security, Education & Training)

1. Security Vision & Responsibility

A supply chain security program will not succeed without visible commitment from senior leadership. This category is about making supply chain security part of the company's culture — not a siloed function — and making sure someone is accountable for the program and for communicating with CBP.

1.1Should

Demonstrate a culture of security through a statement of support signed by a senior company official (president, CEO, general manager, or security director) and displayed in appropriate locations — company website, reception, packaging area, warehouse, or in security seminars.

1.2Should

Build a cross-functional supply chain security team with representatives from all relevant departments (Security, HR, IT, Import/Export, Operations). Integrate security measures into existing company procedures rather than treating them as a separate manual.

1.3Must

Maintain a written review component that holds personnel accountable for their security responsibilities and verifies that all documented procedures are actually being followed. Update the review plan as operations or risk levels change.

1.4Must

Designate one or more Points of Contact (POC) for CTPAT who are knowledgeable about program requirements and who provide regular updates to upper management on audits, security exercises, and validations. The POC must be proactive and responsive to the assigned Supply Chain Security Specialist.

2. Risk Assessment

Risk assessment is about knowing where the threats are in your supply chain and documenting what you are doing about them. For U.S. importers, this includes both a self-assessment of the company's own facilities and an international risk analysis of how the cargo moves from the foreign point of origin to the importer's U.S. distribution center.

2.1Must

Conduct and document an overall Risk Assessment (RA) that identifies threats, assesses risks, and incorporates sustainable measures to mitigate vulnerabilities. The RA must reflect the member's role in the supply chain and include both a self-assessment and an international portion. CBP's Five Step Risk Assessment guide is the recommended framework.

2.2Should

Map the movement of cargo through the supply chain from point of origin to the importer's distribution center, including all business partners involved directly or indirectly — including customs brokers, NVOCCs, 3PLs, and any subcontracted transportation. Document where cargo is "at rest" for extended periods, since those are the highest-risk points.

2.3Must

Review the risk assessment at least annually, and sooner whenever circumstances warrant — increased threats from a source country, security incidents, changes in business partners, or changes in corporate structure such as mergers or acquisitions.

2.4Should

Maintain written procedures for crisis management, business continuity, security recovery, and business resumption. Tailor contingency plans to the risks specific to where the company operates or sources from.

3. Business Partners

U.S. importers typically outsource a large portion of their supply chain — foreign manufacturers, freight forwarders, NVOCCs, carriers, customs brokers, 3PLs, and contracted IT providers. Importers usually have leverage over these partners and are expected to use that leverage to ensure partners meet or exceed CTPAT's Minimum Security Criteria. This is one of the most heavily scrutinized categories during validation.

3.1Must

Maintain a written, risk-based process for screening new business partners and monitoring existing ones. The screening should include checks related to money laundering and terrorist financing, verification of business addresses, research on the company and its principals, business references, and credit reports where appropriate.

3.4Must

Confirm whether a business partner is already CTPAT-certified or a member of a foreign AEO program with a Mutual Recognition Arrangement with the United States (currently New Zealand, Canada, Jordan, Japan, South Korea, the EU, Taiwan, Israel, Mexico, Singapore, Dominican Republic, Peru, United Kingdom, and India). Obtain evidence of certification and continue to monitor its validity.

3.5Must

For any outsourced or subcontracted supply chain function, exercise documented due diligence — visits, questionnaires, onsite audits — to verify that the partner meets or exceeds CTPAT's MSC. If using a questionnaire, require the responder's name and title, date, signature of a senior official attesting to accuracy, and sufficient detail or photographic evidence to confirm compliance.

3.6Must

Address any weaknesses identified during a business partner assessment as soon as possible, and confirm through documentary evidence (photos, contracts, inspection records) that deficiencies have been mitigated.

3.7Should

Update business partner security assessments on a regular basis, and more frequently when risk changes — new source locations, heightened threat levels, or new critical partners who directly handle cargo or documentation.

3.9Must

Maintain a documented social compliance program that addresses how the company ensures goods imported into the United States were not mined, produced, or manufactured — wholly or in part — using forced, imprisoned, indentured, or indentured child labor, in accordance with 19 U.S.C. § 1307. This is a Must for U.S. importers — one of the few criteria where the importer's designation differs from other CTPAT member categories.

4. Cybersecurity

Cybersecurity protects the data, systems, and intellectual property that support the movement of international cargo — purchase orders, ACE filings, ISF data, broker communications, and customer information. CTPAT expects importers to have written cybersecurity policies, standard defensive controls, regular testing, and appropriate training. NIST's Cybersecurity Framework is the recommended reference.

4.1Must

Maintain comprehensive written cybersecurity policies and procedures that cover every individual cybersecurity criterion in this category. Align the policy with a recognized framework such as NIST where possible.

4.2Must

Install sufficient software and hardware protection against malware and intrusion (firewalls, antivirus), keep security software current with regular updates, maintain procedures against social engineering, and have recovery procedures for data or equipment loss.

4.3Must

Regularly test the security of IT infrastructure using vulnerability scans or equivalent testing. Implement corrective actions as soon as feasible when vulnerabilities are identified — especially after changes to the network infrastructure.

4.4Should

Address in the cybersecurity policy how the company shares cybersecurity threat information with the government and with supply chain partners (for example, through the National Cybersecurity and Communications Integration Center).

4.5Must

Maintain a system that identifies unauthorized access of IT systems or data, abuse of policies, improper access of internal systems or external websites, and tampering with business data by employees or contractors. Apply appropriate disciplinary action to all violators.

4.6Must

Review cybersecurity policies and procedures at least annually, and more frequently when circumstances (such as a cyberattack) warrant. Update the policies based on lessons learned.

4.7Must

Restrict user access based on job description or assigned duties, review authorized access regularly, and remove computer and network access immediately upon employee separation.

4.8Must

Require individually assigned user accounts protected by strong passwords, passphrases, or multi-factor authentication. Change passwords or passphrases immediately if a compromise is suspected. Follow NIST Special Publication 800-63B guidelines for password complexity.

4.9Must

For users who connect remotely, employ secure technologies such as VPNs or multi-factor authentication, and maintain procedures to prevent unauthorized remote access.

4.10Must

If employees use personal devices (including USB drives, CDs, DVDs, or personal computers) for company work, those devices must comply with company cybersecurity policies, including regular security updates and a secure method of accessing the company network.

4.11Should

Include measures in the cybersecurity policy to prevent the use of counterfeit or improperly licensed technological products. Retain product keys and certificates of authenticity when new media is purchased.

4.12Should

Back up data at least weekly, or more frequently as risk dictates. Store sensitive and confidential data in encrypted format. Keep backup media physically separate from the production network — an offsite or cloud location is acceptable.

4.13Must

Account for all media, hardware, or IT equipment that contains sensitive import/export information through regular inventories. When disposed of, sanitize or destroy devices in accordance with NIST Special Publication 800-88 Guidelines for Media Sanitization.

5. Conveyance and Instruments of International Traffic (IIT) Security

Smuggling schemes often target the modification of conveyances or the hiding of contraband inside Instruments of International Traffic (IIT) — containers, trailers, ULDs, pallets, and similar items. For U.S. importers, this category applies to the conveyances and IIT that move the importer's cargo, and importers are expected to ensure through their business partners that inspections and tracking are being performed correctly at the point of origin.

5.1Must

Store conveyances and Instruments of International Traffic (both empty and full) in a secure area to prevent unauthorized access that could allow structural alteration or seal/door compromise.

5.2Must

Maintain written procedures for both security and agricultural inspections of conveyances and IIT. Look for structural modifications used to conceal contraband and for visible pest contamination.

5.3Must

Ensure systematic inspections are conducted: a 7-point inspection on all empty containers and ULDs (front wall, left side, right side, floor, ceiling/roof, inside/outside doors and locking mechanisms, outside/undercarriage), or an 8-point inspection on refrigerated containers (adding the fan housing). For land border shipments via highway carrier, an additional 17-point inspection of tractor and trailer must be conducted at storage yards, upon entering/departing, and at the point of loading/stuffing.

5.4Must

Ensure conveyances and IIT are equipped with external hardware that can reasonably withstand tampering attempts. The door, handles, rods, hasps, rivets, brackets, and all locking mechanisms must be fully inspected before any seal is attached.

5.5Should

Ensure every inspection is recorded on a checklist that captures the container/trailer/IIT number, date, time, the name of the employee conducting the inspection, and the specific areas inspected. Include the checklist in the shipping documentation sent to the consignee.

5.6Should

Ensure all security inspections are performed in an area of controlled access and, when available, under CCTV monitoring.

5.8Should

Based on risk, have management personnel conduct random, unannounced searches of conveyances after the regular inspection has been completed — at the yard, after loading, and en route to the U.S. border — to counter internal conspiracies.

5.14Should

Work with transportation providers to track conveyances from origin to final destination. Specify tracking, reporting, and data-sharing requirements in the service agreement.

5.16Should

For land border shipments close to the U.S. border, implement a "no-stop" policy for unscheduled stops. Scheduled stops must be accounted for in an overall tracking and monitoring procedure.

5.29Must

If a credible or detected threat to the security of a shipment or conveyance is discovered, alert affected supply chain partners and the appropriate law enforcement agencies as soon as feasibly possible.

6. Seal Security

Seal integrity is one of the most closely scrutinized elements of a CTPAT program. Every criterion in this category is a Must. Seal security covers written procedures, the correct type of seal, proper placement, verification, documentation, and how to respond when a seal is altered or tampered with. Importers are expected to ensure their foreign shippers and carriers follow these requirements on every U.S.-bound shipment.

6.1Must

Maintain detailed written high-security seal procedures covering seal issuance and control at the facility and in transit, with steps for seal alteration, tampering, or incorrect seal numbers — including documentation, partner notification, and investigation. Required elements include controlling access to seals, secure storage, a seal log (receipt, issuance, and tracking), trained personnel only affixing seals, in-transit verification, replacement seal protocols, and reporting compromised seals to CBP. Review procedures at least annually.

6.2Must

Immediately after loading, secure all CTPAT shipments that can be sealed with a high-security seal that meets or exceeds the most current ISO 17712 standard (cable or bolt seals both acceptable). Place the seal on the secure cam position if available; otherwise on the center-most left-hand locking handle of the right container door.

6.5Must

Members who maintain seal inventories must be able to document that the high-security seals they use meet or exceed ISO 17712 — typically through a laboratory testing certificate. Members are expected to be aware of the tamper-indicative features of the seals they purchase.

6.6Must

Members who maintain seal inventories must have company management or a security supervisor conduct documented seal audits — periodic inventory of stored seals reconciled against logs and shipping documents. Dock supervisors or warehouse managers must also periodically verify seal numbers on conveyances and IIT.

6.7Must

Follow the VVTT seal verification process to ensure all high-security seals are affixed properly and operating as designed: View the seal and container locking mechanisms, Verify the seal number against shipping documents, Tug the seal to confirm it is affixed, Twist and turn the bolt seal to confirm components cannot unscrew or separate. For cable seals, ensure the cable is taut and envelops the hardware base with no slippage.

7. Procedural Security

Procedural Security covers the day-to-day procedures that surround cargo: documentation, staging, loading, incident reporting, handling of unknown persons, and the ability to spot suspicious shipments. CBP accepts electronic documents, signatures, and records — written does not mean paper. The goal is a uniform, repeatable process that every employee follows.

7.1Must

When cargo is staged overnight or for an extended period, take measures to secure it from unauthorized access.

7.2Must

Regularly inspect cargo staging areas and the immediate surroundings to ensure they remain free of visible pest contamination. Use baits, traps, and vegetation control as necessary.

7.4Should

Have a security officer, manager, or other designated personnel supervise the loading and stuffing of cargo into containers and IIT.

7.5Should

Take digital photographs at the point of stuffing to document the cargo, the loading process, the location of the seal, and the properly installed seal. Where feasible, electronically forward these images to the destination for verification.

7.6Must

Ensure all information used in the clearing of merchandise is legible, complete, accurate, protected against loss or unauthorized change, and reported on time.

7.7Should

If paper documents are used, secure forms and import/export documentation against unauthorized use — for example, by storing unused forms and manifests in a locked filing cabinet.

7.8Must

Shippers (or their agents) must ensure that bills of lading and manifests accurately reflect the information provided to the carrier, and carriers must exercise due diligence to confirm accuracy. BOL information filed with CBP must identify the first foreign location where the carrier took possession of the cargo, with accurate weight and piece count. Printing the seal number on the BOL helps guard against alteration.

7.10Must

Train relevant personnel to review import/export documentation — manifests, bills of lading — to identify suspicious shipments. Warning signs include unusual origin or destination locations, cash or certified check payment, unusual routing, atypical shipping or receiving practices, and vague or missing information. Base training on the CTPAT Warning Indicators for Trade-Based Money Laundering and Terrorism Financing Activities.

7.23Must

Maintain written procedures for reporting security incidents, including the facility's internal escalation process. Notify the assigned Supply Chain Security Specialist, the closest port of entry, appropriate law enforcement, and affected partners as soon as feasibly possible — and in advance of any conveyance crossing the border. Reportable incidents include seal tampering, hidden compartments, unaccounted new seals, smuggling (including people), unauthorized conveyance entry, extortion or threats, and unauthorized use of a business identifier such as an IOR number or SCAC code. Periodically review contact lists for accuracy.

7.24Must

Maintain procedures for identifying, challenging, and removing unauthorized or unidentified persons from the premises. Personnel must know the challenge and removal protocol.

7.25Should

Provide an anonymous mechanism — such as a hotline — for reporting security-related concerns. Investigate every allegation and take corrective action where warranted. Retain reports as evidence.

7.27Must

Investigate and resolve all shortages, overages, and other significant discrepancies or anomalies.

7.28Should

Reconcile arriving cargo against the cargo manifest, and verify departing cargo against purchase or delivery orders.

7.29Should

Transmit seal numbers to the consignee prior to departure.

7.30Should

Electronically print seal numbers on the bill of lading or other shipping documents.

7.37Must

Initiate an internal investigation immediately after becoming aware of any security-related incident (terrorism, narcotics, stowaways, absconders, etc.). Do not impede any government investigation. Document the internal investigation, complete it as soon as feasibly possible, and make it available to CBP/CTPAT and other law enforcement upon request.

8. Agricultural Security

Agricultural Security exists because invasive pests — insects, seeds, soil, plant or animal material — can hitchhike on cargo, containers, and Wood Packaging Materials (WPM). Eliminating this contamination reduces CBP cargo holds, delays, and returns, and helps protect a critical U.S. industry.

8.1Must

Maintain written procedures designed to prevent visible pest contamination throughout the supply chain, including compliance with Wood Packaging Materials (WPM) regulations under IPPC ISPM 15. WPM — pallets, crates, boxes, reels, dunnage — must be debarked, heat-treated or fumigated with methyl bromide, and stamped with the IPPC mark of compliance ("wheat stamp"). Products made from paper, metal, plastic, or processed wood panels (OSB, plywood, hardboard) are exempt.

9. Physical Security

Physical Security is about the barriers, lighting, cameras, alarms, and other deterrents that prevent unauthorized access to facilities, cargo, and sensitive areas. CTPAT is intentionally flexible here — not every facility needs every measure. Several technology-related criteria (cameras, alarms, access control devices) are Should, not Must. But if a member chooses to deploy them, the rules governing how they are used, tested, and monitored become Must requirements.

A note on security technology: Criteria 9.7 and 9.12 make cameras and alarms a Should — meaning they are strongly recommended but not required. However, once a member deploys that technology, the written policies, testing, positioning, review, and physical protection of the systems (criteria 9.8, 9.10, 9.13, and 9.15) become Must requirements. In practice, most CTPAT-certified importers operate CCTV and alarm systems at their U.S. facilities — and once they do, the associated Musts apply.

9.1Must

Equip all cargo handling and storage facilities, trailer yards, and offices with physical barriers or deterrents that prevent unauthorized access.

9.2Should

Enclose cargo handling and storage areas with perimeter fencing, use interior fencing to segregate cargo types (domestic, international, high-value, hazardous), inspect fencing regularly for damage, and repair damage as soon as possible. Walls or natural features such as cliffs or dense vegetation are acceptable alternatives.

9.4Must

Man or monitor all gates and other points of egress. Keep the number of gates to the operational minimum. Search individuals and vehicles as permitted by local and labor laws.

9.5Should

Prohibit private passenger vehicles from parking in or adjacent to cargo handling and storage areas, or near conveyances. Locate parking outside fenced or operational areas.

9.6Must

Provide adequate lighting inside and outside the facility — entrances, exits, cargo handling and storage areas, fence lines, and parking areas. Automatic timers and light sensors are useful additions.

9.7Should

Use security technology to monitor premises and prevent unauthorized access to sensitive areas — intrusion detection systems (IDS), access control devices, video surveillance (CCTV or IP cameras), and recording devices.

9.8Must

If security technology is deployed, maintain written policies and procedures covering its use, maintenance, and protection. At minimum: restrict access to locations where the technology is managed, define testing and inspection procedures, verify that equipment works and is positioned correctly, document inspection results and corrective actions, and retain results for audit. If using a third-party off-site monitoring station, document functionality and authentication protocols. Review and update policies at least annually.

9.9Should

Use licensed or certified resources when designing and installing security technology. In the U.S., 33 states require licensing for professionals engaged in the installation of security and alarm systems.

9.10Must

Physically secure all security technology infrastructure from unauthorized access — computers, software, control panels, cameras, recordings, and power and hard drive components.

9.11Should

Configure security technology systems with an alternative power source — auxiliary generator or backup batteries — so they continue operating during a power loss.

9.12Should

If camera systems are deployed, monitor the premises and sensitive areas (cargo handling, shipping/receiving, IT servers, IIT storage, inspection areas, seal storage) with cameras, and use alarms to alert the company to unauthorized entry.

9.13Must

If camera systems are deployed, position cameras to cover the key import/export process areas — cargo handling, shipping/receiving, cargo loading, sealing, conveyance arrival/exit, IT servers, container inspections, seal storage — at the highest picture quality reasonably available, recording on a 24/7 basis.

9.14Should

If camera systems are deployed, include an alarm or notification feature that signals a "failure to operate/record" condition and notifies designated personnel.

9.15Must

If camera systems are deployed, conduct periodic random reviews of camera footage (by management, security, or designated personnel) to verify that cargo security procedures are being followed. Summarize the review in writing — date of review, date of footage, camera/area, findings, and corrective actions — and retain results for audit purposes.

9.16Should

If cameras are deployed, retain footage covering key import/export processes for a period sufficient to complete an investigation — CBP recommends at least 14 days after a monitored shipment reaches its first point of distribution (where the container is opened after clearing Customs).

10. Physical Access Controls

Access controls manage who enters the facility, where they can go, and how their identity is verified. This includes employees, visitors, vendors, contract service providers, and truck drivers picking up or delivering cargo. For U.S. importers, this category applies most directly to distribution centers, corporate offices, and any facility where cargo or import documentation is handled.

10.1Must

Maintain written procedures for how identification badges and access devices are granted, changed, and removed. Where applicable, operate a positive identification and access control system. Restrict access to sensitive areas based on job duties, and remove access devices immediately upon employee separation. An identification system is generally required for companies with more than 50 employees.

10.2Must

Require visitors, vendors, and service providers to present photo identification upon arrival, and maintain a log that records the date of the visit, name, verification of photo ID (type), time of arrival, point of contact, and time of departure. Escort all visitors where practical and issue visibly displayed temporary identification.

10.3Must

Positively identify drivers delivering or receiving cargo before cargo is received or released. Drivers must present government-issued photo ID, or — where this is not feasible — a recognizable form of photo ID issued by the driver's employer.

10.4Must

Maintain a secure cargo pickup log that records driver name, date and time of arrival, employer, truck and trailer numbers, time of departure, and the seal number affixed to the shipment at departure. Drivers must not have access to the log. A visitor log may serve this purpose if it captures all required fields.

10.7Should

Require carriers to notify the facility in advance of the estimated time of arrival, driver name, and truck number. Where operationally feasible, allow deliveries and pickups by appointment only. This helps defeat fictitious pickup schemes that use fake IDs or fictitious carriers to steal cargo.

10.8Should

Periodically screen arriving packages and mail for contraband (explosives, illegal drugs, currency) before admitting them.

10.9Should

Limit delivery of goods to the consignee (or anyone accepting cargo on the partner's behalf) to a specific monitored area.

10.10Must

If security guards are used, document their work instructions in written policies and procedures. Management must periodically verify compliance and appropriateness through audits and policy reviews.

11. Personnel Security

People are both a company's greatest asset and its most common point of compromise. Internal conspiracies — one or more employees colluding to circumvent security — are a leading cause of supply chain breaches. Personnel Security focuses on screening, periodic checks, and a Code of Conduct that sets clear expectations and consequences.

11.1Must

Maintain written processes to screen prospective employees and periodically check current employees. Verify application information — employment history, references — prior to employment, to the extent permitted by local law.

11.2Should

Conduct employee background screenings — identity and criminal history at city, state, provincial, and country levels — to the extent permitted by local law and the availability of criminal record databases. Extend vetting to temporary workforce and contractors based on position sensitivity, and perform periodic re-investigations for cause or by position.

11.5Must

Maintain an Employee Code of Conduct that sets expectations, defines acceptable behaviors, and states penalties and disciplinary procedures. Employees and contractors must sign an acknowledgement that they have read and understood the Code, and the acknowledgement must be kept in the employee file.

12. Education, Training & Awareness

Layered security only works if people know what the layers are. Training is what turns written procedures into real-world compliance. CTPAT expects a comprehensive program covering all of the MSC, with specialized training for personnel in sensitive positions — cargo handlers, drivers, dispatchers, security guards, seal controllers, IT administrators, and anyone managing security technology. U.S. importers have two training criteria (12.6 trade-based money laundering, 12.7 pest contamination) that do not appear for other member categories.

12.1Must

Establish and maintain a security training and awareness program that covers all CTPAT requirements and addresses the vulnerabilities of facilities, conveyances, and cargo at each supply chain point. Deliver specialized training to sensitive positions — shipping, receiving, mailroom, drivers, dispatch, security guards, load assignment, conveyance tracking, seal controls. Retain training records (date, attendees, topics), and train new hires during orientation.

12.2Must

Train drivers and personnel who conduct security and agricultural inspections on how to inspect empty conveyances and IIT. Cover signs of hidden compartments, concealed contraband in naturally occurring compartments, and signs of pest contamination. Provide refresher training periodically, after incidents, or when procedures change.

12.4Should

Verify that training met its objectives — through exams, quizzes, simulation exercises, drills, or regular audits of procedures.

12.6Should

Deliver specialized training annually to personnel who may be able to identify the CTPAT Warning Indicators of Trade-Based Money Laundering and Terrorism Financing. Examples of appropriate audiences include trade compliance, security, procurement, finance, shipping, and receiving.

12.7Must

Train applicable personnel on preventing visible pest contamination, including pest prevention measures, regulatory requirements for Wood Packaging Materials (WPM), and how to identify infested wood. CBP and USDA have developed training modules for air, sea, and land border environments, available through the CTPAT Portal.

12.8Must

Train personnel (as applicable to their functions) on the company's cybersecurity policies and procedures, including protecting passwords/passphrases and computer access. Deliver cybersecurity training formally rather than only through emails or memos.

12.9Must

Provide operations and maintenance training to personnel who operate or manage security technology systems. Prior experience with similar systems is acceptable, and self-training via operational manuals is permitted.

12.10Must

Train personnel on how to report security incidents and suspicious activities — what to report, to whom, how to report, and what to do after the report. Include this in general security training and expand it in specialized modules for sensitive positions.

What This Means for Your Certification Readiness

Reading the list above is one thing. Demonstrating compliance when applying to obtain the CTPAT certification or during a CBP validation is something else. CBP's Supply Chain Security Specialist will assess your program in three ways:

Document review — written policies, procedures, risk assessments, training records, seal logs, inspection checklists, business partner documentation, social compliance program, and cybersecurity policies mapped against each Must in the criteria.
Interviews — conversations with employees at multiple levels to verify that documented procedures are understood and followed in practice.
Physical inspection — walk-throughs of facilities, cargo handling areas, IT environments, and security infrastructure to verify controls operate as documented.

An importer can have strong documentation and still fail validation if employees cannot demonstrate procedures in real time, or if physical controls do not match what is on paper. The MSC is evaluated as a whole — gaps compound across categories, and for U.S. importers the Business Partners category (3.5, 3.6, 3.9) and the full Cybersecurity category are where the most findings are typically issued.

How Secure Trade Advisors Helps U.S. Importers Meet the MSC

We work with U.S. Importers at every stage of CTPAT compliance against the Minimum Security Criteria:

MSC gap assessments — a full comparison of your current program against every criterion in the MSC, with a prioritized remediation roadmap separating Musts (for certification) from Shoulds (for program maturity).
Security Profile development and rewrite — drafting the MSC responses CBP actually wants to see, or rebuilding a rejected profile from scratch.
Policy and procedure development — written procedures for each of the 12 MSC categories, customized to your operations, including business partner screening, social compliance, cybersecurity, seal controls, and agricultural/WPM compliance.
CTPAT validation preparation — mock validations, interview prep, document readiness reviews, and on-site walk-throughs before CBP arrives.
Ongoing CTPAT program management — annual risk assessments, training delivery, business partner monitoring, and MSC maintenance year-round.

Ready to build a CTPAT program to become CTPAT certified and that passes validation?

We'll assess your program against every Must and Should in the MSC, identify gaps, and build the documentation and evidence CBP expects. Contact Secure Trade Advisors for a consultation.

Related Resources

CTPAT Eligibility for U.S. Importers — confirm your company qualifies before you begin.
CTPAT MSC for Foreign Manufacturers — the parallel criteria for the foreign suppliers/shippers that ship to your company.
CTPAT Certification Services — end-to-end certification support.
CTPAT Validation Preparation — mock validations and CBP readiness.
CTPAT Compliance Audits — gap assessments and program reviews.
Download the Full CTPAT MSC for U.S. Importers (October 2021 — PDF) — the official CBP document with complete language and implementation guidance for every criterion.

This page summarizes the CTPAT Minimum Security Criteria for U.S. Importers (CBP, October 2021) for informational purposes. Each criterion's Must/Should designation is taken directly from the official CBP document. For complete criteria language and implementation guidance, consult the official PDF. For guidance tailored to your company's operations and supply chains, contact Secure Trade Advisors.