CTPAT MSC for Foreign Manufacturers

Every CTPAT Minimum Security Criterion for Foreign Manufacturers — labeled Must or Should, straight from CBP’s official document.

The CTPAT Minimum Security Criteria (MSC) for Foreign Manufacturers is the official CBP document that defines exactly what a foreign manufacturer must do — and what it should do — to become and remain CTPAT-certified. This page walks through all 12 criteria categories, lists every criterion by its official CBP ID number, and labels each one as a Must (required) or Should (strongly recommended) based on CBP's own classification.

Must: Required
Should: Strongly recommended

How the MSC Is Organized

CBP organizes the Foreign Manufacturer MSC into three Focus Areas containing 12 criteria categories. Criterion ID numbers are not sequential — CBP omits IDs that do not apply to foreign manufacturers, which is why you will see jumps like 3.1 → 3.4 → 3.5 or 5.8 → 5.14 → 5.24. This page preserves CBP's exact numbering so that every reference lines up with the source document.

  • Focus Area 1 — Corporate Security: Categories 1–4 (Security Vision, Risk Assessment, Business Partners, Cybersecurity)
  • Focus Area 2 — Transportation Security: Categories 5–8 (Conveyance/IIT Security, Seal Security, Procedural Security, Agricultural Security)
  • Focus Area 3 — People and Physical Security: Categories 9–12 (Physical Security, Physical Access Controls, Personnel Security, Education & Training)

1. Security Vision & Responsibility

A supply chain security program will not succeed without visible commitment from senior leadership. This category is about making supply chain security part of the company's culture — not a siloed function — and making sure someone is accountable for the program and for communicating with CBP.
1.1 Should
Demonstrate a culture of security through a statement of support signed by a senior company official (president, CEO, general manager, or security director) and displayed in appropriate locations — company website, reception, packaging area, warehouse, or in security seminars.
1.2 Should
Build a cross-functional supply chain security team with representatives from all relevant departments (Security, HR, IT, Import/Export, Operations). Integrate security measures into existing company procedures rather than treating them as a separate manual.
1.3 Must
Maintain a written review component that holds personnel accountable for their security responsibilities and verifies that all documented procedures are actually being followed. Update the review plan as operations or risk levels change.
1.4 Must
Designate one or more Points of Contact (POC) for CTPAT who are knowledgeable about program requirements and who provide regular updates to upper management on audits, security exercises, and validations. The POC must be proactive and responsive to the assigned Supply Chain Security Specialist.

2. Risk Assessment

Risk assessment is about knowing where the threats are in your supply chain and documenting what you are doing about them. For foreign manufacturers, this includes both a self-assessment of the facility and an international risk analysis of how the cargo moves from the plant to the U.S. importer.
2.1 Must
Conduct and document an overall Risk Assessment (RA) that identifies threats, assesses risks, and incorporates sustainable measures to mitigate vulnerabilities. The RA must reflect the member's role in the supply chain and include both a self-assessment and an international portion. CBP's Five Step Risk Assessment guide is the recommended framework.
2.2 Should
Map the movement of cargo through the supply chain from point of origin to the importer's distribution center, including all business partners involved directly or indirectly. Document where cargo is "at rest" for extended periods — those are the highest-risk points.
2.3 Must
Review the risk assessment at least annually, and sooner whenever circumstances warrant — increased threats from a source country, security incidents, changes in business partners, or changes in corporate structure such as mergers or acquisitions.
2.4 Should
Maintain written procedures for crisis management, business continuity, security recovery, and business resumption. Tailor contingency plans to the risks specific to where the company operates or sources from.

3. Business Partners

Foreign manufacturers rely on many partners — raw material suppliers, packaging vendors, carriers, freight forwarders, brokers, and IT providers. Each one creates a potential point of entry into the supply chain, which is why CTPAT expects the manufacturer to know who these partners are, verify they are legitimate, and confirm they meet applicable security standards.
3.1 Must
Maintain a written, risk-based process for screening new business partners and monitoring existing ones. The screening should include checks related to money laundering and terrorist financing, verification of business addresses, research on the company and its principals, business references, and credit reports where appropriate.
3.4 Must
Confirm whether a business partner is already CTPAT-certified or a member of a foreign AEO program with a Mutual Recognition Arrangement with the United States (currently New Zealand, Canada, Jordan, Japan, South Korea, the EU, Taiwan, Israel, Mexico, Singapore, Dominican Republic, Peru, United Kingdom, and India). Obtain evidence of certification and continue to monitor its validity.
3.5 Must
For any outsourced or subcontracted supply chain function, exercise documented due diligence — visits, questionnaires, onsite audits — to verify that the partner meets or exceeds CTPAT's MSC. If using a questionnaire, require the responder's name and title, date, signature of a senior official attesting to accuracy, and sufficient detail or photographic evidence to confirm compliance.
3.6 Must
Address any weaknesses identified during a business partner assessment as soon as possible, and confirm through documentary evidence (photos, contracts, inspection records) that deficiencies have been mitigated.
3.7 Should
Update business partner security assessments on a regular basis, and more frequently when risk changes — new source locations, heightened threat levels, or new critical partners who directly handle cargo or documentation.
3.8 Must
For inbound U.S. shipments, if transportation is subcontracted to another highway carrier, use a CTPAT-certified carrier or a carrier working directly for the member under a written contract that requires adherence to all MSC requirements. Limit subcontracting to one level and keep the shipper informed of any further subcontracting.
3.9 Should
Maintain a documented social compliance program that addresses how the company ensures goods imported into the United States were not mined, produced, or manufactured — wholly or in part — using forced, imprisoned, indentured, or indentured child labor, in accordance with 19 U.S.C. § 1307.

4. Cybersecurity

Cybersecurity protects the data, systems, and intellectual property that support the movement of international cargo. CTPAT expects foreign manufacturers to have written cybersecurity policies, standard defensive controls, regular testing, and appropriate training. NIST's Cybersecurity Framework is the recommended reference.
4.1 Must
Maintain comprehensive written cybersecurity policies and procedures that cover every individual cybersecurity criterion in this category. Align the policy with a recognized framework such as NIST where possible.
4.2 Must
Install sufficient software and hardware protection against malware and intrusion (firewalls, antivirus), keep security software current with regular updates, maintain procedures against social engineering, and have recovery procedures for data or equipment loss.
4.3 Must
Regularly test the security of IT infrastructure using vulnerability scans or equivalent testing. Implement corrective actions as soon as feasible when vulnerabilities are identified — especially after changes to the network infrastructure.
4.4 Should
Address in the cybersecurity policy how the company shares cybersecurity threat information with the government and with supply chain partners (for example, through the National Cybersecurity and Communications Integration Center).
4.5 Must
Maintain a system that identifies unauthorized access of IT systems or data, abuse of policies, improper access of internal systems or external websites, and tampering with business data by employees or contractors. Apply appropriate disciplinary action to all violators.
4.6 Must
Review cybersecurity policies and procedures at least annually, and more frequently when circumstances (such as a cyberattack) warrant. Update the policies based on lessons learned.
4.7 Must
Restrict user access based on job description or assigned duties, review authorized access regularly, and remove computer and network access immediately upon employee separation.
4.8 Must
Require individually assigned user accounts protected by strong passwords, passphrases, or multi-factor authentication. Change passwords or passphrases immediately if a compromise is suspected. Follow NIST Special Publication 800-63B guidelines for password complexity.
4.9 Must
For users who connect remotely, employ secure technologies such as VPNs or multi-factor authentication, and maintain procedures to prevent unauthorized remote access.
4.10 Must
If employees use personal devices (including USB drives, CDs, DVDs, or personal computers) for company work, those devices must comply with company cybersecurity policies, including regular security updates and a secure method of accessing the company network.
4.11 Should
Include measures in the cybersecurity policy to prevent the use of counterfeit or improperly licensed technological products. Retain product keys and certificates of authenticity when new media is purchased.
4.12 Should
Back up data at least weekly, or more frequently as risk dictates. Store sensitive and confidential data in encrypted format. Keep backup media physically separate from the production network — an offsite or cloud location is acceptable.
4.13 Must
Account for all media, hardware, or IT equipment that contains sensitive import/export information through regular inventories. When disposed of, sanitize or destroy devices in accordance with NIST Special Publication 800-88 Guidelines for Media Sanitization.

5. Conveyance and Instruments of International Traffic (IIT) Security

Smuggling schemes often target the modification of conveyances or the hiding of contraband inside Instruments of International Traffic (IIT) — containers, trailers, ULDs, pallets, and similar items. For foreign manufacturers, this category governs how empty IIT are stored, inspected, sealed, and tracked from the point of stuffing through arrival at the border.
5.1 Must
Store conveyances and Instruments of International Traffic (both empty and full) in a secure area to prevent unauthorized access that could allow structural alteration or seal/door compromise.
5.2 Must
Maintain written procedures for both security and agricultural inspections of conveyances and IIT. Look for structural modifications used to conceal contraband and for visible pest contamination.
5.3 Must
Conduct systematic inspections: a 7-point inspection on all empty containers and ULDs (front wall, left side, right side, floor, ceiling/roof, inside/outside doors and locking mechanisms, outside/undercarriage), or an 8-point inspection on refrigerated containers (adding the fan housing). For land border highway carriers, conduct an additional 17-point inspection of tractor and trailer at storage yards, upon entering/departing, and at the point of loading/stuffing.
5.4 Must
Use conveyances and IIT equipped with external hardware that can reasonably withstand tampering attempts. Fully inspect the door, handles, rods, hasps, rivets, brackets, and all locking mechanisms before any seal is attached.
5.5 Should
Record every inspection on a checklist that captures the container/trailer/IIT number, date, time, the name of the employee conducting the inspection, and the specific areas inspected. Include the checklist in the shipping documentation sent to the consignee.
5.6 Should
Perform all security inspections in an area of controlled access and, when available, under CCTV monitoring.
5.7 Must
If visible pest contamination is found during inspection, wash or vacuum to remove it. Retain documentation of the inspection and the corrective action for at least one year.
5.8 Should
Based on risk, have management personnel conduct random, unannounced searches of conveyances after the regular inspection has been completed — at the yard, after loading, and en route to the U.S. border — to counter internal conspiracies.
5.14 Should
Work with transportation providers to track conveyances from origin to final destination. Specify tracking, reporting, and data-sharing requirements in the service agreement.
5.15 Should
Obtain access to the carrier's GPS fleet monitoring system so the shipper can track the movement of its own shipments.
5.16 Should
For land border shipments close to the U.S. border, implement a "no-stop" policy for unscheduled stops. Scheduled stops must be accounted for in an overall tracking and monitoring procedure.
5.24 Should
In high-risk areas and immediately prior to arrival at the border, implement a "last chance" verification of U.S.-bound shipments — visual inspection plus the VVTT seal verification (View, Verify, Tug, Twist) by properly trained personnel.
5.29 Must
If a credible or detected threat to the security of a shipment or conveyance is discovered, alert affected supply chain partners and the appropriate law enforcement agencies as soon as feasibly possible.

6. Seal Security

Seal integrity is one of the most closely scrutinized elements of a CTPAT program. Every criterion in this category is a Must. Seal security covers written procedures, the correct type of seal, proper placement, verification, documentation, and how to respond when a seal is altered or tampered with.
6.1 Must
Maintain detailed written high-security seal procedures covering seal issuance and control at the facility and in transit, with steps for seal alteration, tampering, or incorrect seal numbers — including documentation, partner notification, and investigation. Required elements include controlling access to seals, secure storage, a seal log (receipt, issuance, and tracking), trained personnel only affixing seals, in-transit verification, replacement seal protocols, and reporting compromised seals to CBP. Review procedures at least annually.
6.2 Must
Immediately after loading, secure all CTPAT shipments that can be sealed with a high-security seal that meets or exceeds the most current ISO 17712 standard (cable or bolt seals both acceptable). Place the seal on the secure cam position if available; otherwise on the center-most left-hand locking handle of the right container door.
6.5 Must
Members who maintain seal inventories must be able to document that the high-security seals they use meet or exceed ISO 17712 — typically through a laboratory testing certificate. Members are expected to be aware of the tamper-indicative features of the seals they purchase.
6.6 Must
Members who maintain seal inventories must have company management or a security supervisor conduct documented seal audits — periodic inventory of stored seals reconciled against logs and shipping documents. Dock supervisors or warehouse managers must also periodically verify seal numbers on conveyances and IIT.
6.7 Must
Follow the VVTT seal verification process to ensure all high-security seals are affixed properly and operating as designed: View the seal and container locking mechanisms, Verify the seal number against shipping documents, Tug the seal to confirm it is affixed, Twist and turn the bolt seal to confirm components cannot unscrew or separate. For cable seals, ensure the cable is taut and envelops the hardware base with no slippage.

7. Procedural Security

Procedural Security covers the day-to-day procedures that surround cargo: documentation, staging, loading, incident reporting, and handling of unknown persons. CBP accepts electronic documents, signatures, and records — written does not mean paper. The goal is a uniform, repeatable process that every employee follows.
7.1 Must
When cargo is staged overnight or for an extended period, take measures to secure it from unauthorized access.
7.2 Must
Regularly inspect cargo staging areas and the immediate surroundings to ensure they remain free of visible pest contamination. Use baits, traps, and vegetation control as necessary.
7.4 Should
Have a security officer, manager, or other designated personnel supervise the loading and stuffing of cargo into containers and IIT.
7.5 Should
Take digital photographs at the point of stuffing to document the cargo, the loading process, the location of the seal, and the properly installed seal. Where feasible, electronically forward these images to the destination for verification.
7.6 Must
Ensure all information used in the clearing of merchandise is legible, complete, accurate, protected against loss or unauthorized change, and reported on time.
7.7 Should
If paper documents are used, secure forms and import/export documentation against unauthorized use — for example, by storing unused forms and manifests in a locked filing cabinet.
7.8 Must
Shippers (or their agents) must ensure that bills of lading and manifests accurately reflect the information provided to the carrier, and carriers must exercise due diligence to confirm accuracy. BOL information filed with CBP must identify the first foreign location where the carrier took possession of the cargo, with accurate weight and piece count. Printing the seal number on the BOL helps guard against alteration.
7.23 Must
Maintain written procedures for reporting security incidents, including the facility's internal escalation process. Notify the assigned Supply Chain Security Specialist, the closest port of entry, appropriate law enforcement, and affected partners as soon as feasibly possible — and in advance of any conveyance crossing the border. Reportable incidents include seal tampering, hidden compartments, unaccounted new seals, smuggling (including people), unauthorized conveyance entry, extortion or threats, and unauthorized use of a business identifier such as an IOR number or SCAC code. Periodically review contact lists for accuracy.
7.24 Must
Maintain procedures for identifying, challenging, and removing unauthorized or unidentified persons from the premises. Personnel must know the challenge and removal protocol.
7.25 Should
Provide an anonymous mechanism — such as a hotline — for reporting security-related concerns. Investigate every allegation and take corrective action where warranted. Retain reports as evidence.
7.27 Must
Investigate and resolve all shortages, overages, and other significant discrepancies or anomalies.
7.28 Should
Reconcile arriving cargo against the cargo manifest, and verify departing cargo against purchase or delivery orders.
7.29 Should
Transmit seal numbers to the consignee prior to departure.
7.30 Should
Electronically print seal numbers on the bill of lading or other shipping documents.
7.37 Must
Initiate an internal investigation immediately after becoming aware of any security-related incident (terrorism, narcotics, stowaways, absconders, etc.). Do not impede any government investigation. Document the internal investigation, complete it as soon as feasibly possible, and make it available to CBP/CTPAT and other law enforcement upon request.

8. Agricultural Security

Agricultural Security exists because invasive pests — insects, seeds, soil, plant or animal material — can hitchhike on cargo, containers, and Wood Packaging Materials (WPM). Eliminating this contamination reduces CBP cargo holds, delays, and returns, and helps protect a critical U.S. industry.
8.1 Must
Maintain written procedures designed to prevent visible pest contamination throughout the supply chain, including compliance with Wood Packaging Materials (WPM) regulations under IPPC ISPM 15. WPM — pallets, crates, boxes, reels, dunnage — must be debarked, heat-treated or fumigated with methyl bromide, and stamped with the IPPC mark of compliance ("wheat stamp"). Products made from paper, metal, plastic, or processed wood panels (OSB, plywood, hardboard) are exempt.

9. Physical Security

Physical Security is about the barriers, lighting, cameras, alarms, and other deterrents that prevent unauthorized access to facilities, cargo, and sensitive areas. CTPAT is intentionally flexible here — not every facility needs every measure. Several technology-related criteria (cameras, alarms, access control devices) are Should, not Must. But if a member chooses to deploy them, the rules governing how they are used, tested, and monitored become Must requirements.
A note on security technology: Criteria 9.7 and 9.12 make cameras and alarms a Should — meaning they are strongly recommended but not required. However, once a member deploys that technology, the written policies, testing, positioning, review, and physical protection of the systems (criteria 9.8, 9.10, 9.13, and 9.15) become Must requirements. In practice, most CTPAT-certified foreign manufacturers operate CCTV and alarm systems — and once they do, the associated Musts apply.
9.1 Must
Equip all cargo handling and storage facilities, trailer yards, and offices with physical barriers or deterrents that prevent unauthorized access.
9.2 Should
Enclose cargo handling and storage areas with perimeter fencing, use interior fencing to segregate cargo types (domestic, international, high-value, hazardous), inspect fencing regularly for damage, and repair damage as soon as possible. Walls or natural features such as cliffs or dense vegetation are acceptable alternatives.
9.4 Must
Man or monitor all gates and other points of egress. Keep the number of gates to the operational minimum. Search individuals and vehicles as permitted by local and labor laws.
9.5 Should
Prohibit private passenger vehicles from parking in or adjacent to cargo handling and storage areas, or near conveyances. Locate parking outside fenced or operational areas.
9.6 Must
Provide adequate lighting inside and outside the facility — entrances, exits, cargo handling and storage areas, fence lines, and parking areas. Automatic timers and light sensors are useful additions.
9.7 Should
Use security technology to monitor premises and prevent unauthorized access to sensitive areas — intrusion detection systems (IDS), access control devices, video surveillance (CCTV or IP cameras), and recording devices.
9.8 Must
If security technology is deployed, maintain written policies and procedures covering its use, maintenance, and protection. At minimum: restrict access to locations where the technology is managed, define testing and inspection procedures, verify that equipment works and is positioned correctly, document inspection results and corrective actions, and retain results for audit. If using a third-party off-site monitoring station, document functionality and authentication protocols. Review and update policies at least annually.
9.9 Should
Use licensed or certified resources when designing and installing security technology. In the U.S., 33 states require licensing for security and alarm installers; comparable due diligence applies abroad.
9.10 Must
Physically secure all security technology infrastructure from unauthorized access — computers, software, control panels, cameras, recordings, and power and hard drive components.
9.11 Should
Configure security technology systems with an alternative power source — auxiliary generator or backup batteries — so they continue operating during a power loss.
9.12 Should
If camera systems are deployed, monitor the premises and sensitive areas (cargo handling, shipping/receiving, IT servers, IIT storage, inspection areas, seal storage) with cameras, and use alarms to alert the company to unauthorized entry.
9.13 Must
If camera systems are deployed, position cameras to cover the key import/export process areas — cargo handling, shipping/receiving, cargo loading, sealing, conveyance arrival/exit, IT servers, container inspections, seal storage — at the highest picture quality reasonably available, recording on a 24/7 basis.
9.14 Should
If camera systems are deployed, include an alarm or notification feature that signals a "failure to operate/record" condition and notifies designated personnel.
9.15 Must
If camera systems are deployed, conduct periodic random reviews of camera footage (by management, security, or designated personnel) to verify that cargo security procedures are being followed. Summarize the review in writing — date of review, date of footage, camera/area, findings, and corrective actions — and retain results for audit purposes.
9.16 Should
If cameras are deployed, retain footage covering key import/export processes for a period sufficient to complete an investigation — CBP recommends at least 14 days after a monitored shipment reaches its first point of distribution (where the container is opened after clearing Customs).

10. Physical Access Controls

Access controls manage who enters the facility, where they can go, and how their identity is verified. This includes employees, visitors, vendors, contract service providers, and truck drivers picking up or delivering cargo.
10.1 Must
Maintain written procedures for how identification badges and access devices are granted, changed, and removed. Where applicable, operate a positive identification and access control system. Restrict access to sensitive areas based on job duties, and remove access devices immediately upon employee separation. An identification system is generally required for companies with more than 50 employees.
10.2 Must
Require visitors, vendors, and service providers to present photo identification upon arrival, and maintain a log that records the date of the visit, name, verification of photo ID (type), time of arrival, point of contact, and time of departure. Escort all visitors where practical and issue visibly displayed temporary identification.
10.3 Must
Positively identify drivers delivering or receiving cargo before cargo is received or released. Drivers must present government-issued photo ID, or — where this is not feasible — a recognizable form of photo ID issued by the driver's employer.
10.4 Must
Maintain a secure cargo pickup log that records driver name, date and time of arrival, employer, truck and trailer numbers, time of departure, and the seal number affixed to the shipment at departure. Drivers must not have access to the log. A visitor log may serve this purpose if it captures all required fields.
10.7 Should
Require carriers to notify the facility in advance of the estimated time of arrival, driver name, and truck number. Where operationally feasible, allow deliveries and pickups by appointment only. This helps defeat fictitious pickup schemes that use fake IDs or fictitious carriers to steal cargo.
10.8 Should
Periodically screen arriving packages and mail for contraband (explosives, illegal drugs, currency) before admitting them.
10.10 Must
If security guards are used, document their work instructions in written policies and procedures. Management must periodically verify compliance and appropriateness through audits and policy reviews.

11. Personnel Security

People are both a company's greatest asset and its most common point of compromise. Internal conspiracies — one or more employees colluding to circumvent security — are a leading cause of supply chain breaches. Personnel Security focuses on screening, periodic checks, and a Code of Conduct that sets clear expectations and consequences.
11.1 Must
Maintain written processes to screen prospective employees and periodically check current employees. Verify application information — employment history, references — prior to employment, to the extent permitted by local law.
11.2 Should
Conduct employee background screenings — identity and criminal history at city, state, provincial, and country levels — to the extent permitted by local law and the availability of criminal record databases. Extend vetting to temporary workforce and contractors based on position sensitivity, and perform periodic re-investigations for cause or by position.
11.5 Must
Maintain an Employee Code of Conduct that sets expectations, defines acceptable behaviors, and states penalties and disciplinary procedures. Employees and contractors must sign an acknowledgement that they have read and understood the Code, and the acknowledgement must be kept in the employee file.

12. Education, Training & Awareness

Layered security only works if people know what the layers are. Training is what turns written procedures into real-world compliance. CTPAT expects a comprehensive program covering all of the MSC, with specialized training for personnel in sensitive positions — cargo handlers, drivers, dispatchers, security guards, seal controllers, IT administrators, and anyone managing security technology.
12.1 Must
Establish and maintain a security training and awareness program that covers all CTPAT requirements and addresses the vulnerabilities of facilities, conveyances, and cargo at each supply chain point. Deliver specialized training to sensitive positions — shipping, receiving, mailroom, drivers, dispatch, security guards, load assignment, conveyance tracking, seal controls. Retain training records (date, attendees, topics), and train new hires during orientation.
12.2 Must
Train drivers and personnel who conduct security and agricultural inspections on how to inspect empty conveyances and IIT. Cover signs of hidden compartments, concealed contraband in naturally occurring compartments, and signs of pest contamination. Provide refresher training periodically, after incidents, or when procedures change.
12.4 Should
Verify that training met its objectives — through exams, quizzes, simulation exercises, drills, or regular audits of procedures.
12.8 Must
Train personnel (as applicable to their functions) on the company's cybersecurity policies and procedures, including protecting passwords/passphrases and computer access. Deliver cybersecurity training formally rather than only through emails or memos.
12.9 Must
Provide operations and maintenance training to personnel who operate or manage security technology systems. Prior experience with similar systems is acceptable, and self-training via operational manuals is permitted.
12.10 Must
Train personnel on how to report security incidents and suspicious activities — what to report, to whom, how to report, and what to do after the report. Include this in general security training and expand it in specialized modules for sensitive positions.

What This Means for Your Certification Readiness

Reading the list above is one thing. Demonstrating compliance when applying to obtain the CTPAT certification or during a CBP validation is something else. CBP's Supply Chain Security Specialist will assess your program in three ways:

  • Document review — written policies, procedures, risk assessments, training records, seal logs, inspection checklists (7-point, 8-point, 17-point), business partner documentation, and cybersecurity policies mapped against each Must in the criteria.
  • Interviews — conversations with employees at multiple levels, often through an interpreter, to verify that documented procedures are understood and followed in practice on the plant floor.
  • Physical inspection — walk-throughs of the manufacturing facility, cargo handling and staging areas, seal storage, IT environments, perimeter and access controls, and the conveyance/IIT inspection process to verify controls operate as documented.

A foreign manufacturer can have strong documentation and still fail validation if employees cannot demonstrate procedures in real time, or if physical controls do not match what is on paper. The MSC is evaluated as a whole — gaps compound across categories, and for foreign manufacturers the validation is almost always conducted on-site at the plant.

How Secure Trade Advisors Helps Foreign Manufacturers Meet the MSC

We work with foreign manufacturers at every stage of CTPAT compliance against the Minimum Security Criteria:

  • MSC gap assessments — a full comparison of your current program against every criterion in the MSC, with a prioritized remediation roadmap separating Musts (for certification) from Shoulds (for program maturity).
  • Security Profile development and rewrite — drafting the MSC responses CBP actually wants to see, or rebuilding a rejected profile from scratch.
  • Policy and procedure development — written procedures for each of the 12 MSC categories, customized to your plant's operations, including seal controls, 7/8/17-point inspection checklists, business partner screening, cybersecurity, and agricultural/WPM compliance.
  • CTPAT validation preparation — mock validations, interview prep (including in the local language of plant staff), document readiness reviews, and on-site walk-throughs before CBP arrives.
  • Ongoing CTPAT program management — annual risk assessments, training delivery, business partner monitoring, and MSC maintenance year-round.

Ready to build a CTPAT program that gets your plant certified — and passes validation?

We'll assess your program against every Must and Should in the MSC, identify gaps, and build the documentation and evidence CBP expects to see at a foreign manufacturing facility. Contact Secure Trade Advisors for a consultation.

This page summarizes the CTPAT Minimum Security Criteria for Foreign Manufacturers (CBP, October 2021) for informational purposes. Each criterion's Must/Should designation is taken directly from the official CBP document. For complete criteria language and implementation guidance, consult the official PDF. For guidance tailored to your company's operations and supply chains, contact Secure Trade Advisors.