What Are the CTPAT Minimum Security Criteria (MSC)?
Introduction
The CTPAT Minimum Security Criteria (MSC) outline the security expectations U.S. Customs and Border Protection (CBP) uses to evaluate companies seeking CTPAT certification. While certain MSC elements are mandatory requirements, others are recommended best practices designed to strengthen supply chain security.
The MSC define what CBP expects a company to implement, document, and maintain as part of a compliant supply chain security program. Companies pursuing certification must demonstrate that they meet the applicable required criteria and have implemented reasonable, risk-aligned controls based on their business model and role in the supply chain.
In practical terms, the MSC serve as the framework CBP uses to evaluate whether your company’s security procedures, internal controls, and supporting documentation are sufficient to meet CTPAT program expectations—both during initial certification and during ongoing CBP validation.
What Does MSC Mean in CTPAT?
MSC stands for Minimum Security Criteria. These criteria are organized into security categories that address how companies secure their facilities, people, cargo, information systems, and business relationships.
The MSC are used to:
- guide the development of a company’s supply chain security program
- structure the Security Profile responses in the CTPAT Portal
- determine whether documentation and evidence support program claims
- evaluate readiness for validation and ongoing compliance
Why the MSC Matter
- security procedures that align to the MSC
- evidence that those procedures are implemented consistently
- documentation uploaded and organized correctly in the portal
Many companies experience delays or validation findings because their Security Profile answers do not match operational reality, or because they have procedures in place but cannot produce documentation that supports implementation.
Using the MSC as the starting point helps companies build a program that is defensible, consistent, and aligned with CBP expectations.
What Areas Do the MSC Cover?
The CTPAT Minimum Security Criteria (MSC) is organized into focus areas that cover corporate governance, partner oversight, cybersecurity, transportation controls, and facility-level security. CBP expects members to address the criteria that apply to their role in the supply chain and to maintain written procedures, supporting evidence, and ongoing review processes.
First Focus Area: Corporate Security
- Security Vision & Responsibility – Upper management commitment, accountability, and written review programs.
- Risk Assessment – A documented risk assessment that identifies threats, vulnerabilities, and mitigation measures.
- Business Partners – A written, risk-based process to screen and monitor partners and verify security compliance.
- Cybersecurity – Written cybersecurity policies, system protections, access control, and incident readiness.
Second Focus Area: Transportation Security
- Conveyance & Instruments of International Traffic (IIT) Security – Inspection procedures, secure storage, and tracking/monitoring measures.
- Seal Security – High-security seal procedures, seal control logs, verification steps (VVTT), and tamper response protocols.
- Procedural Security – Cargo handling controls, document integrity, incident reporting, and internal investigations.
- Agricultural Security – Controls to prevent visible pest contamination and compliance with wood packaging material requirements (ISPM 15).
Third Focus Area: People and Physical Security
- Physical Security – Facility barriers, access deterrents, lighting, security technology, monitoring, and camera review practices.
- Physical Access Controls – Badge and visitor controls, driver identification, logs, and cargo pickup procedures.
- Personnel Security – Screening, verification, and vetting for employees in sensitive positions.
- Education, Training & Awareness – Required training for employees, inspections, incident reporting, and cybersecurity awareness.
The MSC is not designed as a “one-size-fits-all” model. Each company is expected to implement and maintain the criteria based on its business model, role in the supply chain, and risk level — and to maintain documentation showing that procedures are actually being carried out.
How the MSC Are Used in the CTPAT Security Profile
The MSC provide the structure behind the Security Profile sections in the CTPAT Portal. Each response should:
- Clearly describe what your company does operationally
- Align to the MSC for your entity type
- Include supporting documentation and evidence
- Match actual practices across your facilities and partners
CBP evaluates the quality of alignment between:
- Security Profile responses
- Supporting documentation
- Operational reality
Strong alignment reduces delays and strengthens readiness for validation.
Common MSC Compliance Gaps
Even strong companies often face gaps such as:
- Procedures exist but are not documented
- Evidence is missing (logs, training records, inspections)
- Security controls differ across locations
- Business partner screening is not documented
- Security Profile answers are overly general and do not match evidence
- Risk assessment is generic or not aligned to actual operations
A structured review against the MSC helps identify and correct these issues before CBP review.
How Secure Trade Advisors Helps
Next Steps
The MSC are the foundation of CTPAT compliance. Companies that use them as a roadmap—rather than treating them as a checklist—are more likely to achieve certification efficiently and avoid validation findings later.
If you are preparing for certification, validation, or a program review, Secure Trade Advisors can help you assess MSC readiness and build a security program that aligns with CBP expectations.
We also offer a CTPAT Security Intensive Training.
Need Help Interpreting or Meeting the MSC?
Complete the form below and Secure Trade Advisors will contact you within 1 business day to discuss your current program, identify gaps, and outline practical next steps aligned with CBP expectations.
"*" indicates required fields