This is the accessible text file for GAO report number GAO-05-404 entitled 'Cargo Security: Partnership Program Grants Importers Reduced Scrutiny with Limited Assurance of Improved Security' which was released on May 25, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: March 2005: Cargo Security: Partnership Program Grants Importers Reduced Scrutiny with Limited Assurance of Improved Security: GAO-05-404: Contents: Letter: Results in Brief: Background: C-TPAT Benefits Reduce Scrutiny of Shipments: CBP Grants Benefits before Verification of Security Procedures: Weaknesses in Process for Verifying Security Procedures: Incomplete Progress in Addressing Management Weaknesses: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Objectives: Scope and Methodology: Data Reliability: Appendix II: Comments from the Department of Homeland Security: Appendix III: GAO Contacts and Staff Acknowledgments: GAO Contacts: Staff Acknowledgments: Related GAO Products: Tables: Table 1: Roles of Trade Community Members in the Supply Chain: Table 2: Benefits for C-TPAT Members: Figures: Figure 1: CBP's Review Process for C-TPAT Membership: Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004: Abbreviations: ATS: Automated Targeting System: CBP: Customs and Border Protection: CSI: Container Security Initiative: C-TPAT: Customs-Trade Partnership Against Terrorism: DHS: Department of Homeland Security: FAST: Free and Secure Trade: United States Government Accountability Office: Washington, DC 20548: March 11, 2005: The Honorable Susan M. Collins: Chairman: The Honorable Joseph Lieberman: Ranking Minority Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Norm Coleman: Chairman: The Honorable Carl Levin: Ranking Minority Member: Permanent Subcommittee on Investigations: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable John D. Dingell: Ranking Minority Member: Energy and Commerce Committee: House of Representatives: This report is a publicly available version of our report on the Customs-Trade Partnership Against Terrorism (C-TPAT). The Department of Homeland Security (DHS) designated our original report as Limited Official Use because of the sensitive and specific nature of the information it contained. U.S. Customs and Border Protection (CBP), the DHS bureau responsible for protecting the nation's borders at and between the official ports of entry, has the dual goals of preventing terrorists and terrorist weapons from entering the United States and also facilitating the flow of legitimate trade and travel. Approximately 90 percent of the world's cargo moves by container. Addressing the threat posed by the movement of containerized cargo across U.S. borders has traditionally posed many challenges for CBP, in particular balancing the bureau's border protection functions and trade enforcement mission with its goal of facilitating the flow of cargo and persons into the United States. CBP has said that the large volume of imports and its limited resources make it impossible to physically inspect all oceangoing containers without disrupting the flow of commerce, and it is unrealistic to expect that all containers warrant such inspection. To address its responsibility to improve cargo security while facilitating commerce, CBP employs multiple strategies. Among these strategies, CBP has in place an initiative known as C-TPAT, which aims to secure the flow of goods bound for the United States by developing a strong, voluntary antiterrorism partnership with the trade community. C- TPAT members commit to improving the security of their supply chain (flow of goods from manufacturer to retailer) and develop written security profiles that outline the security measures in place for the company's supply chain. In exchange for this commitment, CBP offers C- TPAT members benefits for participating that may reduce the level of scrutiny given to their shipments, potentially resulting in a reduced number of inspections of their cargo at U.S. borders. The program is promising, but previous work has raised concerns about its management and its ability to achieve its ultimate goal of improved cargo security. Specifically, in our July 2003 report on this program, we recommended that the Secretary of Homeland Security work with the CBP Commissioner to develop (1) a strategic plan that clearly lays out the program's goals, objectives, and detailed implementation strategies; (2) performance measures that include outcome-oriented indicators; and (3) a human capital plan that clearly describes how C- TPAT will recruit, train, and retain new staff to meet the program's growing demands as it implements new program elements.[Footnote 1] Given our past concerns about the program's effectiveness and in light of the program's rapid expansion, we examined selected aspects of the program's operation and management. This report addresses the following issues: 1. What benefits does CBP provide to C-TPAT members? 2. Before providing benefits, what approach does CBP take to determine C-TPAT members' eligibility for them? 3. After providing benefits, how does CBP verify that members have implemented their security measures? 4. To what extent has CBP developed strategies and related management tools for achieving the program's goals? To address all four objectives, we discussed program operations with CBP officials in Washington, D.C., with program responsibilities for C- TPAT and reviewed available data and documentation for the program. To ascertain the manner in which CBP validates security procedures for participating companies, we asked CBP to provide us with examples of participant files, including files of participants with responsibilities along various parts of the supply chain. While the files we reviewed were not a representative sample of files, we noted that in many cases these files were incomplete. We also reviewed CBP's database for tracking participant status in the program. Initial reliability testing of this database and interviews of staff with responsibility for the program led us to conclude that data used to track participant status had some serious reliability weaknesses. However, we found the data sufficiently reliable for limited use in describing the program's status. While we were able to review CBP's processes, because of the poor condition of member files we were unable to verify the extent that the bureau followed the processes in individual cases for individual members. We also examined the status of the agency's efforts to implement our prior recommendations for the program. We conducted our work from February through December 2004 in accordance with generally accepted government auditing standards. More details about the scope and methodology of our work are presented in appendix I. Results in Brief: In return for committing to making improvements to the security of their shipments by joining the program, C-TPAT members receive a range of benefits that reduce the level of scrutiny CBP provides to their shipments bound for the United States. These benefits may change the risk characterization of their shipments, thereby reducing the probability of extensive documentary and physical inspection. Other benefits include access to FAST lanes on the Canadian and Mexican borders, expedited cargo processing at FAST lanes, and an emphasis on self-policing and self-monitoring of security activities.[Footnote 2] In addition, CBP grants benefits to C-TPAT members that do not directly affect the level of scrutiny given to their shipments. These additional benefits include a single point of contact within CBP to serve as a liaison with the member on issues related to the program, access to the identities of other companies that have become C-TPAT members, and eligibility to attend CBP-sponsored antiterrorism training seminars. Before providing benefits, CBP uses a two-pronged approach to assess C- TPAT members. First, CBP has a certification process to review the self- reported information contained in applicants' membership agreements and security profiles. Second, CBP has in place a vetting process to try to assess the compliance with customs laws and regulations and violation history of and intelligence data on importers before granting them benefits. At the program's inception, CBP began granting benefits to C- TPAT applicants immediately upon receipt of their agreement to voluntarily participate in the program without any review of the security profiles submitted by potential member companies. In February 2004, CBP changed its policy to grant benefits to C-TPAT members only after CBP's review and certification of their security profiles and successful completion of the vetting process. CBP believes that this two-pronged approach provides adequate assurance before granting benefits. However, this approach grants benefits to members before they undergo the validation process. After providing benefits, CBP has a validation process to verify that C- TPAT members' security measures have been implemented and that program benefits should continue. However, we found several weaknesses in the validation process that compromise CBP's ability to provide an actual verification that supply chain security measures in C-TPAT members' security profiles are accurate and are being followed. First, the validation process is not rigorous enough to achieve its stated purpose, which is to ensure that the security procedures outlined in members' security profiles are reliable, accurate, and effective. For example, CBP officials told us that validations are not considered independent audits, and the objectives, scope, and methodology of validations are jointly agreed upon with the member company. CBP officials, as well as our review of case files, indicated that the validations only examine a few of the security measures outlined in members' security profiles. Related to this, CBP has no written guidelines for its supply chain specialists to indicate what scope of effort is adequate for the validation to ensure that the member's measures are reliable, accurate, and effective. In addition, CBP has not determined the extent to which validations are needed. While the original stated goal of the program was to validate all members within 3 years, CBP decided that it could not do so because of the rapid growth in membership. In 3 years of C-TPAT operation, CBP has validated about 10 percent of its certified members. While CBP has given up on its original goal to validate all members, it has not come up with an alternative goal for the number or percentage of members that should be validated. For validations that CBP does conduct, it prioritizes members for validation based on a variety of factors such as strategic threat, import volume, and past compliance violations. While CBP has recently completed a strategic plan, we found weaknesses in some of the tools it uses to manage the program that could hinder the bureau in achieving the program's dual goals of securing the flow of goods bound for the United States and facilitating the flow of trade. CBP's new strategic plan appears to provide the bureau with a general framework on which to base key decisions, including key strategic planning elements such as strategic goals, objectives, and strategies. However, CBP still lacks a human capital plan, a fact that has impaired its ability to manage its resources. CBP officials told us they are in the process of developing an implementation plan that will address human capital planning elements such as analyzing (1) current workload, (2) the projected annual growth rate of the program, (3) the time it takes to complete the average validation, and (4) the number of validations supply chain specialists can complete annually. Furthermore, CBP still has not developed a comprehensive set of performance measures and indicators, including outcome-based measures, to monitor the status of program goals. CBP officials told us they have developed some initial measures to capture the program's impact. Finally, the C-TPAT program lacks an effective records management system. CBP's record keeping for the program is incomplete, as key decisions are not always documented and programmatic information is not updated regularly or accurately. For example, member files we reviewed contained no documentation of communications between CBP and members regarding how the scope of a validation was determined, and their database tracking member status contained errors. We are making recommendations to the Secretary of the Department of Homeland Security to direct the U. S. Commissioner of Customs and Border Protection to improve the program's ability to meet its goals by providing appropriate guidance to specialists conducting validations, determining the extent to which members should be validated in lieu of the original goal to validate all members within 3 years of certification, and implementing performance measures, a human capital plan, and a records management system for the program. We provided a draft of this report to the Secretary of DHS for comment. In its response, from the Commissioner of U.S. Customs and Border Protection, CBP generally agreed with our recommendations and cited corrective actions they either have taken or planned to take. Notwithstanding its general agreement with our recommendations, CBP noted that C-TPAT is a voluntary partnership to improve the security of the United States and not a program to confirm importer compliance with a regulatory requirement. As such, CBP said our report places too much emphasis on the validation process without adequately reflecting other aspects of the program. As a whole, CBP said that as part of its multilayered approach, C-TPAT identifies companies that take security seriously, appropriately lowers the risk level of their cargo, and thus focuses CBP resources on other companies' high-risk cargo, all consistent with a risk management approach. We believe that having a multilayered approach to cargo inspection can be effective, provided that each layer is adequately utilized. Given that C-TPAT members enjoy benefits that could greatly reduce the likelihood of an inspection of their cargo, not having full assurance of a reliable, accurate, and effective validation process potentially weakens the overall effectiveness of the other control mechanisms in meeting CBP's fundamental responsibility to ensure security of all cargo entering the United States. We fully address CBP's comments in the body of the report. Background: CBP maintains two overarching goals: (1) increasing security and (2) facilitating legitimate trade and travel. Disruptions to the supply chain could have immediate and significant economic impacts.[Footnote 3] For example, in terms of containers, CBP data indicates that in 2003 about 90 percent of the world's cargo moved by container.[Footnote 4] In the United States, almost half of all incoming trade (by value) arrived by containers on board ships. Almost 7 million cargo containers arrive and are offloaded at U.S. seaports each year. Additionally, containers arrive via truck and rail. Therefore, it is vital for CBP to try to strike a balance between its antiterrorism efforts and facilitating the flow of legitimate international trade and travel. Vulnerability of the Supply Chain: The terrorist events of September 11, 2001, raised concerns about company supply chains, particularly oceangoing cargo containers, potentially being used to move weapons of mass destruction to the United States. An extensive body of work on this subject by the Federal Bureau of Investigation and academic, think tank, and business organizations concluded that while the likelihood of such use of containers is considered low, the movement of oceangoing containerized cargo is vulnerable to some form of terrorist action. Such action, including attempts to smuggle either fully assembled weapons of mass destruction or their individual components, could lead to widespread death and damage. The supply chain is particularly vulnerable to potential terrorists because of the number of individual companies handling and moving cargo through it. To move a container from production facilities overseas to distribution points in the United States, an importer has multiple options regarding the logistical process, such as routes and the selection of freight carriers. For example, some importers might own and operate key aspects of the overseas supply chain process, such as warehousing and trucking operations. Alternatively, importers might contract with logistical service providers, including freight consolidators and nonvessel-operating common carriers. In addition, importers must choose among various modes of transportation to use, such as rail, truck, or barge, to move containers from the manufacturer's warehouse to the port of lading. As shown in table 1, there are many players in the trade community, each with a role in the supply chain. Table 1: Roles of Trade Community Members in the Supply Chain: Trade community member: Air/rail/sea carriers; Role in the supply chain: Carriers transport cargo via air, rail, or sea. Trade community member: Border highway carriers; Role in the supply chain: Highway carriers transport cargo for scheduled and unscheduled operations via road across the Canadian and Mexican borders. Trade community member: Importers; Role in the supply chain: Importers, in the course of trade, bring articles of trade from a foreign source into a domestic market. Trade community member: Licensed customs brokers; Role in the supply chain: Brokers clear goods through customs. The responsibilities of a broker include preparing the entry form and filing it, advising the importer on duties to be paid, and arranging for delivery to the importer. Trade community member: Freight consolidators/ocean transportation intermediaries and nonvessel-operating common carriers; Role in the supply chain: A freight consolidator is a firm that accepts partial container shipments from individual shippers and combines the shipments into a single container for delivery to the carrier. A transportation intermediary facilitates transactions by bringing buyers and sellers together. A nonvessel-operating common carrier is a company that buys shipping space, through a special arrangement with an ocean carrier, and resells the space to individual shippers. Trade community member: Port authorities/terminal operators; Role in the supply chain: A port authority is an entity of state or local government that owns, operates, or otherwise provides wharf, dock, and other marine terminal investments at ports. Terminal operator responsibilities include the overseeing and unloading of cargo from ship to dock, checking the actual cargo against the ship's manifest (list of goods), checking documents authorizing a truck to pick up cargo, overseeing the loading and unloading of railroad cars, and so forth. Source: GAO. [End of table] According to research initiated by the U.S. Department of Transportation's Volpe National Transportation Systems Center, importers who own and operate the entire supply chain route from start to finish suffer fewer security breaches than others because they have greater control over their supply chains.[Footnote 5] However, relatively few importers own and operate all key aspects of the cargo container transportation process, relying instead on second parties to move containerized cargo and prepare various transportation documents. CBP's Layered Enforcement Strategy: CBP has implemented a layered enforcement strategy to prevent terrorists and weapons of mass destruction from entering the United States through the supply chain.[Footnote 6] A key element of this strategy is CBP's targeting and inspection of cargo that arrives at U.S. ports. For all arriving cargo containers, CBP uses a targeting strategy that employs its computerized targeting model, the Automated Targeting System (ATS). CBP uses ATS to review container documentation and help select, or target, shipments for additional documentary review or physical inspection. ATS is operated by CBP's National Targeting Center and is characterized by CBP as an expert system that uses hundreds of targeting rules to check available data for every arriving container, assigning a risk characterization to each container. The risk characterization helps to determine the type and level of scrutiny a container will receive. For example, CBP could review the container's bill of lading, examine the container with nonintrusive inspection equipment (that is, X-ray), or physically open the container. The extent of review varies, since according to CBP, the large volume of imports and CBP's limited resources make it impossible to physically inspect all containers without disrupting the flow of commerce. Initiated in November 2001, C-TPAT is another element of CBP's layered enforcement strategy. C-TPAT is a voluntary program designed to improve the security of the international supply chain while maintaining an efficient flow of goods. Under C-TPAT, CBP officials work in partnership with private companies to review their supply chain security plans to improve members' overall security. In return for committing to making improvements to the security of their shipments by joining the program, C-TPAT members may receive benefits that result in reduced scrutiny of their shipments (e.g., reduced number of inspections or shorter border wait times for their shipments). C-TPAT membership is open to U.S.-based companies in the trade community, including (1) air/rail/sea carriers, (2) border highway carriers, (3) importers, (4) licensed customs brokers, (5) air freight consolidators and ocean transportation intermediaries and nonvessel-operating common carriers, and (6) port authorities or terminal operators.[Footnote 7] According to CBP officials, program membership has grown rapidly, and continued growth is expected, especially as member importers are requiring their suppliers to become C-TPAT members. For example, as of January 2003 approximately 1,700 companies had become C-TPAT members. By May 2003, the number had nearly doubled to 3,355. According to CBP officials, as of November 2004, the C-TPAT program had 7,312 members. For fiscal year 2004, the C-TPAT budget was about $18 million, with a requested budget for fiscal year 2005 of about $38 million for program expansion efforts. As of August 2004, CBP had hired 40 supply chain specialists, who are dedicated to serve as the principal advisers and primary points of contact for C-TPAT members.[Footnote 8] The specialists are located in Washington, D.C., Miami, Florida, Los Angeles, California, and New York, New York. CBP has a multistep review process for the C-TPAT program. As figure 1 shows, applicants first submit signed C-TPAT agreements affirming their desire to participate in the voluntary program. Applicants must also submit security profiles--executive summaries of their company's existing supply chain security procedures--that follow guidelines jointly developed by CBP and the trade community. These security profiles are to summarize the applicant's current security procedures in areas such as physical security, personnel security, and education and training awareness.[Footnote 9] CBP established a certification process in which it reviews the applications and profiles by comparing their contents with the security guidelines jointly developed by CBP and the industry, looking for any weaknesses or gaps in the descriptions of security procedures. Once any issues are resolved to CBP's satisfaction, CBP signs the agreement and the company is considered to be a certified C-TPAT member, eligible for program benefits. Members that are not importers begin receiving benefits at this point, but members that are importers must undergo another layer of review, as described below. CBP encourages members to conduct self- assessments of their security profiles each year to determine any significant changes and to notify CBP. For example, members may be using new suppliers or new trucking companies and would need to update their security profiles to reflect these changes. Figure 1: CBP's Review Process for C-TPAT Membership: [See PDF for image] [End of figure] For certified importers, CBP has an additional layer of review called the vetting process in which CBP reviews information about an importer's compliance with customs laws and regulations and violation history. CBP requires the vetting process for certified importers as a condition of granting them key program benefits. As part of the vetting process, CBP obtains trade compliance and intelligence information on certified importers from several data sources. If CBP gives the importer a favorable review, benefits are to begin within a few weeks. If not, benefits are not to be granted until successful completion of the validation process (see below). The final step in the review process is validation. CBP's stated purpose for validations is to ensure that the security measures outlined in certified members' security profiles and periodic self- assessments are reliable, accurate, and effective. In the validation process, CBP staff meet with company representatives to verify the supply chain security measures contained in the company's security profile. The validation process is designed to include visits to the company's domestic and, potentially, foreign sites. The member and CBP jointly determine which elements of the member's supply chain measures will be validated, as well as which locations will be visited. Upon completion of the validation process, CBP prepares a final validation report it presents to the company that identifies any areas that need improvement and suggested corrective actions, as well as a determination if program benefits are still warranted for the member. We have conducted previous reviews of the C-TPAT program and CBP's targeting and inspection strategy. In July 2003, we reported that CBP's management of C-TPAT had not evolved from a short-term focus to a long- term strategic approach.[Footnote 10] We recommended that the Secretary of Homeland Security work with the CBP Commissioner to develop (1) a strategic plan that clearly lays out the program's goals, objectives, and detailed implementation strategies; (2) performance measures that include outcome-oriented indicators; and (3) a human capital plan that clearly describes how C-TPAT will recruit, train, and retain new staff to meet the program's growing demands as it implements new program elements. In March 2004, we testified that CBP's targeting system does not incorporate all key elements of a risk management framework and recognized modeling practices in assessing the risks posed by oceangoing cargo containers.[Footnote 11] C-TPAT Benefits Reduce Scrutiny of Shipments: CBP officials cite numerous benefits to C-TPAT members. As table 2 shows, these benefits may reduce the scrutiny of members' shipments. These benefits are emphasized to the trade community through direct marketing in presentations and via CBP's Web site. Although these benefits potentially reduce the likelihood of inspection of members' shipments, CBP officials noted that all shipments entering the United States are subject to random inspections by CBP officials or inspections by other agencies. Table 2: Benefits for C-TPAT Members: Benefit: A reduced number of inspections and reduced border wait times; Reduces amount of scrutiny provided for members? Yes. Benefit: Reduced selection rate for trade-related compliance examinations; Reduces amount of scrutiny provided for members? Yes. Benefit: Self-policing and self-monitoring of security activities; Reduces amount of scrutiny provided for members? Yes. Benefit: Access to the expedited cargo processing at designated FAST lanes (for certified highway carriers and certified importers along the Canadian and Mexican borders, as well as for certified Mexican manufacturers); Reduces amount of scrutiny provided for members? Yes. Benefit: Eligible for the Importer Self-Assessment Program and has priority access to participate in other selected customs programs (for certified importers only); Reduces amount of scrutiny provided for members? Yes. Benefit: A C-TPAT supply chain specialist to serve as the CBP liaison for validations; Reduces amount of scrutiny provided for members? No. Benefit: Access to the C-TPAT members list; Reduces amount of scrutiny provided for members? No. Benefit: Eligible to attend CBP-sponsored antiterrorism training seminars; Reduces amount of scrutiny provided for members? No. Source: CBP's C-TPAT Strategic Plan, January 2005. [End of table] CBP Grants Benefits before Verification of Security Procedures: CBP has in place a two-pronged process to review members' qualifications for program benefits. First, CBP has a certification process to review the applications and security profiles submitted by applicants for any weaknesses or gaps in security procedures. CBP officials told us that during the certification process, it compares the members' security profiles against the C-TPAT security guidelines. Under the process, if there are any missing or unclear items, CBP is supposed to contact the member for clarification of those items. If the issues are resolved, CBP considers the member to be certified. However, if CBP determines that the security profiles contain weaknesses, CBP is not supposed to certify the member. According to CBP, approximately 20 percent of applications are not immediately certified because of initial shortcomings with the security profiles. However, CBP has stated that a company will not be rejected from participating in C-TPAT if there are problems with its security profile. Instead, CBP says it will work with companies to try to resolve and overcome any deficiencies with the profile itself. Second, CBP has in place a vetting process to assess the compliance and violation history of importers before granting them benefits. If, in conducting the vetting process, CBP finds no prior negative compliance, violation, or intelligence information, it grants certified importers program benefits. According to CBP, to date most certified members who have been vetted have proven to have favorable or neutral importing histories. CBP officials told us that not many members have been denied benefits. At the program's inception in November 2001, CBP began granting benefits to applicants upon receipt of their application for C-TPAT membership without any review of the applicants' paperwork. In February 2004, CBP changed its policy to retroactively delay granting the benefits until after CBP reviewed and certified applicants' security profiles and completed the vetting process. By providing incentives to members to implement certain security measures and performing various levels of checks on these measures, the C-TPAT program aims to encourage the reduction of vulnerability throughout the supply chain. CBP established a certification process in which it reviews the applications and profiles by comparing their contents with the security guidelines jointly developed by CBP and the industry, looking for any weaknesses or gaps in the descriptions of security procedures. The vetting process, which is required for importers eligible to receive benefits, augments the certification process by providing information about past compliance and violations, which CBP officials told us may suggest whether members' security practices have historically been effective at reducing vulnerability to exploitation. In addition, the vetting process may disclose threat concerns by pulling in information contained in intelligence databases. Ultimately, however, neither the certification nor vetting process provides an actual verification that the supply chain security measures contained in the C-TPAT member's security profile are accurate and are being followed before CBP grants the member benefits. A direct examination of selected members security procedures is conducted later as part of CBP's validation process, as discussed below. Weaknesses in Process for Verifying Security Procedures: After providing benefits, CBP has a validation process to verify C-TPAT members' security measures have been implemented and that program benefits should continue. However, we found weaknesses in the validation process in that CBP has not taken a rigorous approach to conducting validations and has not determined the extent to which validations are needed. These weaknesses limit the bureau's ability to ensure that the program supports the prevention of terrorists and terrorist weapons from entering the United States. Validation Process Lacks Rigor to Achieve Stated Purpose: CBP's validation process is not rigorous enough to achieve its stated purpose, which is to ensure that the security procedures outlined in members' security profiles are reliable, accurate, and effective. While C-TPAT's stated purpose for validations is to ensure that the member's security measures are reliable, accurate, and effective, CBP officials told us that validations are not considered independent audits and the objectives, scope, and methodology of validations are jointly agreed upon with the member representatives. CBP has indicated that it does not intend for the validation process to be an exhaustive review of every security measure at each originating location; rather it selects specific facets of the members' security profiles to review for their reliability, accuracy, and effectiveness. For example, the guidance to ocean carriers for preparing a security profile directs the carriers to address, at a minimum, three broad areas (security program, personnel security, and service provider requirements), which contain several more specific security measures, such as facilities security and pre- employment screening. According to CBP officials, as well as our review of selected case files, validations only examine a few facets of members' security profiles. CBP supply chain specialists, who are responsible for conducting most of the validations, are supposed to individually determine which segments of a company's supply chain security will be suggested to the member for validation. To assist in this decision, supply chain specialists are supposed to compare a company's security profile, as well as any self-assessments or other company materials or information retrievable in national databases, against the C-TPAT security guidelines to determine which elements of the profile will be validated. Once the supply chain specialist determines the level and focus of the validation, the specialist is supposed to contact the member company with a potential agenda for the validation. The two parties then jointly reach agreement on which security elements will be reviewed and which locations will be visited. CBP has no written guidelines for its supply chain specialist to indicate what scope of effort is adequate for the validation to ensure that the member's security measures are reliable, accurate, and effective, in part because it seeks to emphasize the partnership nature of the program. Importantly, CBP has no baseline standard for what minimally constitutes a validation. CBP discourages supply chain specialists from developing a set checklist of items to address during the validation, as CBP does not want to give the appearance of conducting an audit. In addition, as discussed later in the management section of this report, the validation reports we reviewed did not consistently document how the elements of members' security profiles were selected for validation. CBP Has Not Determined the Extent to Which Validations Are Needed: CBP has not determined the extent to which it must conduct validations of members' security profiles to ensure that the operation of C-TPAT is consistent with its overall approach to managing risk. In 3 years of C- TPAT operation, CBP has validated about 10 percent of its certified members. CBP's original goal was to validate all certified members within 3 years of certification. However, CBP officials told us that because of rapid growth in program membership, it would not be possible to meet this goal. In February 2004, CBP indicated that approximately 5,700 companies had submitted signed agreements to participate in the program. As shown in figure 2, by November 2004, the number of members had grown to over 7,000, about 4,200 of which had been certified and thus eligible for validation. According to CBP, as of November 2004, CBP staff had completed validations of 409 companies, including 147 importers. Figure 2: Status of Validating C-TPAT Members, as of November 2, 2004: [See PDF for image] [End of figure] CBP has made efforts to hire additional supply chain specialists to handle validations for the growing membership. As of August 2004, CBP had hired a total of 40 supply chain specialists to conduct validations, with 24 field office managers also available to conduct validations. CBP officials told us the bureau is currently conducting as many validations as its resources allow. However, CBP has not determined the number of supply chain specialists it needs or the extent to which validations are needed to provide reasonable assurance that it is employing a good risk management approach for the program. CBP Considers Variety of Factors to Prioritize Validations: As noted above, CBP officials told us it would not be possible to meet the goal of validating every member within 3 years of certification. Instead, CBP is using what it calls a risk-based approach, which considers a variety of factors to prioritize which members should be validated as resources allow. CBP has an internal selection process it is supposed to apply to all certified members. Under this process CBP officials are supposed to prioritize members for validation based on established criteria but may also consider other factors. CBP officials noted that other factors could affect the prioritization of members for validation. For example, recent seizures involving C- TPAT members can affect validation priorities. If a member is involved in a seizure, CBP officials noted that the member is supposed to lose program benefits and be given top priority for a validation. In addition, CBP officials told us that an importer that failed CBP's vetting process would also be given top priority for a validation. CBP officials have taken this approach because any importer that fails the vetting process is not supposed to receive program benefits until after successful completion of the validation process. In August 2004, CBP began using a risk assessment tool developed for CBP's regulatory audits to assist in its prioritization of importers for validation. This tool ranks importers by risk according to factors such as value of imports, import volume, and method of transportation used by the importer for its goods.[Footnote 12] CBP tailored the tool to consider only those factors it deemed relevant to C-TPAT. Applying the tool with this revised set of factors, CBP officials told us they produced a list that ranked each certified importer according to its risk. However, these ranked importers are then re-evaluated, along with members from other trade sectors, using CBP's internal selection process criteria. CBP officials told us that the human element provided by their internal selection process was important in prioritizing members for validation. Incomplete Progress in Addressing Management Weaknesses: CBP continues to expand the C-TPAT program without addressing management weaknesses that could hinder the bureau from achieving the program's dual goals of securing the flow of goods bound for the United States and facilitating the flow of trade. In our July 2003 report, we recommended that the Secretary of Homeland Security work with the CBP Commissioner to develop (1) a strategic plan that clearly lays out the program's goals, objectives, and detailed implementation strategies; (2) a human capital plan that clearly describes how C-TPAT will recruit, train, and retain new staff to meet the program's growing demands as it implements new program elements; and (3) performance measures that include outcome-oriented indicators. While CBP agreed with our July 2003 recommendations, to date only one of them--the development of a strategic plan--has been implemented. According to CBP, the bureau is continuing to work on the July 2003 recommendations, which are in different stages of review. CBP Has Finalized Its Strategic Plan: While a draft of this report was with DHS for comment, CBP issued a final strategic plan for C-TPAT on January 13, 2005. Our brief review of this plan indicates that it appears to clearly articulate the goals of the program, their relationship to broader CBP goals, and strategies for achieving them. For example, according to the plan there are five goals for the C-TPAT program: 1. ensure that C-TPAT partners improve the security of their supply chains pursuant to C-TPAT security criteria, 2. provide incentives and benefits to include expedited processing of C- TPAT shipments to C-TPAT partners, 3. internationalize the core principles of C-TPAT through cooperation and coordination with the international community, 4. support other CBP security and facilitation initiatives, and: 5. improve administration of the C-TPAT program. While we have not fully reviewed the strategic plan, it is a step in the right direction, and we encourage CBP to ensure that future plans include all of the key elements of a strategic plan as described in the Government Performance and Results Act of 1993. Specifically, the formal strategic plan should include a description of performance goals and how they are related to the general goals and objectives of the program, as well as a description of program evaluations, which are useful for identifying key factors likely to affect program performance. CBP Has Not Completed a Human Capital Plan: As a companion to developing a strategic plan for C-TPAT, CBP is developing an implementation plan to address the lower-level strategies for carrying out the program's goals. CBP told us it is still developing the implementation plan for the program but that it will include those elements required in a human capital plan. For example, CBP said it has developed new positions, training programs and materials, and a staffing plan. Further, CBP said the C-TPAT program will continue to refine all aspects of its human capital plan to include headquarters personnel, additional training requirements, budget, and future personnel profiles. CBP Has Not Completed Development of Performance Measures: CBP has told us that it continues developing a comprehensive set of performance measures and indicators for C-TPAT. In support of the department's Future Years Homeland Security Program, CBP officials told us has identified 21 budget subactivities (programs, including C-TPAT) and has been tasked to develop two performance measures for each: (1) a main measure that would reflect program outcomes and (2) an efficiency measure that would reflect time or cost savings achieved through the program. CBP's Director, Strategic Planning and Audit Division, Office of Policy and Planning, noted that developing these measures for C- TPAT, as well as other programs in the bureau, has been difficult. The director noted that CBP lacks data necessary to exhibit whether a program has prevented or deterred terrorist activity. For example, as noted in the C-TPAT strategic plan, it is difficult to measure program effectiveness in terms of deterrence because generally the direct impact on unlawful activity is unknown. The plan also notes that while traditional workload measures are a valuable indicator, they do not necessarily reflect the success or failure of the bureau's efforts. CBP is working to collect more substantive information--related to C-TPAT activities (i.e., current workflow process)--to develop its performance measures. In commenting on a draft of this report, CBP indicated it has developed initial measures for the program but will continue to develop and refine these measures to ensure program success. CBP's Records Management Practices for C-TPAT Are Inadequate: CBP's record keeping for the program is incomplete, as key decisions are not always documented and programmatic information is not updated regularly or accurately. Federal regulations require that bureau record- keeping procedures provide documentation to facilitate review by Congress and other authorized agencies of government. Further, standards for internal control in the federal government require that all transactions be clearly documented in a manner that is complete, accurate, and useful to managers and others involved in evaluating operations. To get a better understanding of the validation process, we asked CBP to provide us with examples of company files for which validations had been completed. CBP selected six members' files for us to review for some of the initial validations the bureau conducted. During our review, it was not always clear what aspect of the security profile was being validated and why a particular site was selected at which to conduct the validation because there was not always documentation of the decision-making process. The aspects of the security profiles covered and sites visited did not always appear to be the most relevant. For example, one validation report we reviewed for a major retailer--one that imports the vast majority of its goods from Asia-- indicated that the validation team reviewed facilities in Central America. CBP officials noted that it recently revised its validation report format to better capture any justification for report recommendations and best practices identified. CBP then provided us with eight additional member files with more recently completed validation reports. After reviewing the more recent validation reports contained in these files, we noted that there appeared to be a greater discussion related to the rationale for validating specific aspects of the security profiles. However, these files did not consistently contain other documentation of members' application, certification, vetting, receipt of benefits, or validation. While files contained some of these elements, they were generally not complete. In fact, most files did not usually contain anything beyond copies of the member's C- TPAT agreement, security profiles, and validation report. When we asked if CBP required its supply chain specialists to document their communications with C-TPAT members, CBP officials told us there has been no requirement that communications be documented. For example, member files we reviewed contained no documentation of communications between CBP and members regarding how the scope of a validation was determined. Recently, supply chain specialists located at CBP headquarters (but not at field offices) have been asked to document all conversations with member companies on a spreadsheet, so that each supply chain specialist will be aware of the outcomes of conversations with member companies. CBP does not update programmatic information regularly or accurately. In particular, the reliability of CBP's database to track member status using key dates in the application through validation processes is questionable. The database, which is primarily used for documentation management and workflow tracking, is not updated on a regular basis. In addition, C-TPAT management told us that earlier data entered into the database may not be accurate, and CBP has taken no systematic look at the reliability of the database. CBP officials also told us that there are no written guidelines for who should enter information into the database or how frequently the database should be updated. We made several requests over a period of weeks to review the contents of the database to analyze workload factors, including the amount of time that each step in the C-TPAT application and review process was taking. The database information that CBP ultimately provided to us was incomplete, as many of the data fields were missing or inaccurate. For example, more than 33 percent of the entries for validation date were incomplete. In addition, data on the status of companies undergoing the validation process was provided in hard copy only and included no date information. CBP officials told us that they are currently exploring other data management systems, working to develop a new, single database that would capture pertinent data, as well as developing a paperless environment for the program. Conclusions: CBP's primary reliance on members' self-reporting about their security procedures to receive C-TPAT benefits places added importance on the validation process, which is CBP's method of verifying the effectiveness, efficiency, and accuracy of the security profile. However, the weaknesses in the validation process we found raise questions about its effectiveness. CBP's validation process, the purpose of which is to ensure that members' security measures are reliable, accurate, and effective, is not rigorous enough to achieve CBP's goals because of the bureau's consideration of the process as a joint, partnership review with the member company. In this vein, without guidelines for what constitutes a validation, CBP cannot be sure that it effectively and consistently verifies a standard set of security measures to ensure some minimally appropriate level of vulnerability reduction, nor can it apply a methodical approach to assessing the security procedures. In addition, CBP has not assessed the extent (in terms of numbers or percentage) to which it must conduct validations to ensure that the C-TPAT program is consistent with its overall approach to managing risk. Also, we found a lack of clear documentation for the validation process. Because of these weaknesses, CBP's ability to provide assurance that the program prevents terrorists and terrorist weapons from entering the United States is limited. Finally, CBP has not completed corrective actions from our July 2003 report, which were meant to change the management of the program from a short-term focus to a strategic focus. Specifically, CBP has not completed (1) developing performance measures with which to measure the program's success in achieving bureau goals and inform decisions for process improvement and (2) developing a human capital plan to account for how the program will recruit, train, and retain staff to achieve program goals. CBP also does not have a basic records management system to ensure adequate internal controls to manage the program. Because of these management weaknesses, CBP will have difficulty effectively planning, executing, and monitoring the program. Recommendations for Executive Action: To help CBP achieve C-TPAT objectives and address the challenges associated with its continued development, we recommend that the Secretary of Homeland Security direct the Commissioner of U.S. Customs and Border Protection to take the following five actions: * strengthen the validation process by providing appropriate guidance to specialists conducting validations, including what level of review is adequate to determine whether member security practices are reliable, accurate, and effective; * determine the extent (in terms of numbers or percentage) to which members should be validated in lieu of the original goal to validate all members within 3 years of certification; * complete the development of performance measures, to include outcome- based measures and performance targets, to track the program's status in meeting its strategic goals; * complete a human capital plan that clearly describes how the C-TPAT program will recruit, train, and retain sufficient staff to successfully conduct the work of the program, including reviewing security profiles, vetting, and conducting validations to mitigate program risk; and: * implement a records management system that accurately and timely documents key decisions and significant operational events, including a reliable system for (1) documenting and maintaining records of all decisions in the application through validation processes, including but not limited to documentation of the objectives, scope, methodologies, and limitations of validations, and (2) tracking member status. Agency Comments and Our Evaluation: We provided a draft of this report to the Secretary of DHS for comment. We received comments from the Commissioner of U.S. Customs and Border Protection that are reprinted in appendix II. CBP generally agreed with our recommendations and outlined actions it either had taken or was planning to take to implement them. CBP agreed with our two recommendations on validations and said it will readdress the validation process. Specifically, CBP said that it was developing standard operating procedures, guidance, and written baseline criteria for the validation process, as well as an automated validation tool to document validations. CBP also agreed to determine the extent to which C-TPAT members should be validated, stating that it will develop member selection criteria and an automated system to standardize and assist in the selection of companies for validation. If properly implemented, these actions should address the intent of these recommendations. Our draft report also included a recommendation to complete a formal strategic plan that clearly articulates goals, linkages, and strategies. While our draft report was with DHS for comment, CBP issued its final strategic plan on January 13, 2005. Our brief review of this strategic plan indicates that it appears to address the intent of our recommendation. Therefore, we removed the recommendation from this report. Nevertheless, as CBP further refines its strategic plan in the future, we encourage CBP to include all of the key elements of a strategic plan as described in the Government Performance and Results Act of 1993. Specifically, the formal strategic plan should include a description of performance goals and how they are related to the general goals and objectives of the program, as well as a description of program evaluations, which are useful for identifying key factors likely to affect program performance. CBP agreed with our recommendation on developing performance measures, and has developed initial measures relating to membership, inspection percentages, and validation effectiveness. CBP has developed new performance measures for use in the FY 2006 Fiscal Year Homeland Security Plan and plans to enlist the help of a contractor to develop other outcome-based performance measures and targets. If properly implemented, these plans should help address the intent of this recommendation. In addressing our recommendation to complete a human capital plan for the C-TPAT program, CBP told us it is still developing an implementation plan for the program that will include those elements required in a human capital plan. For example, CBP said it has developed new positions, training programs and materials, and a staffing plan. Further, CBP said the C-TPAT program will continue to refine all aspects of its human capital plan to include headquarters personnel, additional training requirements, budget, and future personnel profiles. If the final implementation plan contains these elements, the plan should address the intent of the recommendation. CBP agreed with our recommendation on implementing a records management system that accurately and timely documents key decisions and significant operational events. While its comments did not specify the nature or capabilities of a new system, CBP indicated that in the near future, it plans to automate every aspect of the C-TPAT program, both internally and externally. In automating its system, to fully meet the intent of this recommendation, CBP needs to ensure that the system addresses all aspects of C-TPAT operations and that tracking member status is done timely, accurately, and reliably. Notwithstanding its general agreement with the recommendations, CBP expressed some concerns regarding the report. In its general comments, CBP said that C-TPAT is a voluntary program that is not designed to confirm company compliance with regulatory requirements. Further, CBP said it is very difficult for the U.S. government to regulate supply chain security procedures outside the country. CBP also noted that it is looking to establish more broadly applicable minimum security standards that may build on C-TPAT requirements. Our report clearly notes that the program is of a voluntary nature, designed around security guidelines jointly developed by CBP and the trade community. The cooperation envisioned by the C-TPAT program can build productive relationships and encourage supply chain security. However, in accepting members into the program, CBP still has the responsibility for verifying that security measures planned or claimed by C-TPAT members are properly implemented and effective. This program goes beyond trade facilitation in that it awards benefits that can reduce the scrutiny given cargo containers arriving in the United States. This is not a matter of regulating supply chain security in other countries. Rather, it is a matter of providing a security benefit for containers arriving at our nation's ports. If CBP does not ensure that this important security-related benefit is deserved, it runs the risk of overlooking potentially dangerous cargo during the inspection process. CBP also said that the report's title is misleading, asserting that it creates the improper impression that only the validation process ensures adequate security for containerized cargo and does not place enough emphasis on the certification and vetting processes, as well as omits that C-TPAT cargo is not exempt from advance reporting requirements or enforcement and security inspections, such as random inspections and nonintrusive screening technology. Our report clearly describes the various steps CBP takes in the overall cargo inspection process and how the C-TPAT program fits into that process. The report also clearly describes the purpose of each process within the C-TPAT program, including the validation process that is to determine whether C-TPAT members' security procedures are accurate, reliable, and effective. We did modify the report's title and, where appropriate, the text to better reflect the report's focus on C-TPAT versus other programs in CBP's layered enforcement strategy for cargo security. However, any weakness in C-TPAT could weaken CBP's layered approach. Given that C-TPAT members enjoy benefits that reduce the likelihood of an inspection of their cargo, not having an effective validation process could serve to defeat the purposes of the other enforcement layers. Finally, CBP noted many benefits achieved under the C-TPAT program, including that thousands of companies working as part of C-TPAT have taken concrete steps to improve their security procedures and that C- TPAT has fostered an expanding international dialogue on best security practices. We agree that actions on the part of program members to shore up supply chain security are valuable and desirable. Again, with the threat of terrorism present in the global supply chain, we believe that verifying that planned improvements are actually implemented and ensuring that security controls are effective are important responsibilities that cannot be achieved only with members self- reporting about their security procedures. CBP also offered technical comments and clarifications, which we considered and incorporated where appropriate. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after its issue date. At that time, we will provide copies of this report to appropriate departments and interested congressional committees. We will also make copies available to others upon request. In addition, the report will be available on GAO's Web site http://www.gao.gov. If you or your staff have any questions about this report, please contact me at (202) 512-8777 or at stanar@gao.gov. Key contributors to this report are listed in appendix III. Signed by: Richard M. Stana: Director, Homeland Security and Justice Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Objectives: We addressed the following questions regarding the U.S. Customs and Border Protection's (CBP, formerly the U.S. Customs Service) Customs- Trade Partnership Against Terrorism (C-TPAT): * What benefits does CBP provide to C-TPAT members? * Before providing benefits, what approach does CBP take to determine C- TPAT members' eligibility for them? * After providing benefits, how does CBP verify that members have implemented their security measures? * To what extent has CBP developed strategies and related management tools for achieving the program's goals? Scope and Methodology: To address these questions, we visited CBP's headquarters in Washington, D.C., which manages the C-TPAT program. We interviewed CBP officials and reviewed available data and documentation for the program. We reviewed individual CBP files for a subset of C-TPAT members, including members with responsibilities along various parts of the supply chain. We also reviewed CBP's database for tracking member status in the program from the program's inception through July 2004. All records in this database were reviewed. We intended to use these data to select a random set of files to review and to conduct analyses of workloads, but the data were not reliable enough to do so (see below). Given the weaknesses in the files as well as the data reliability issues, our review focused on identifying C-TPAT's processes. Because of deficiencies in the files and database, we were unable to verify the extent CBP actually follows these processes for individual members. We also obtained the status of the agency's efforts to implement our prior recommendations for the program, including the completion of a strategic plan, a human capital plan, and performance measures. We conducted our work from February through December 2004 in accordance with generally accepted government auditing standards. Data Reliability: To assess the reliability of CBP's database for tracking member status in C-TPAT, we (1) reviewed existing documentation related to the data sources, (2) electronically tested the data to identify obvious problems with completeness or accuracy, and (3) interviewed knowledgeable bureau officials about the data. Initial reliability testing of this database and interviews of staff with responsibility for the program led us to conclude that data used to track participant status had some serious reliability weaknesses. We determined that using the data in certain cases, for example, to calculate average times for phases of the membership process, might have led to an incorrect or misleading message. However, we determined that the data were sufficiently reliable for limited use in descriptions of the program status, such as the approximate numbers of participants, because our analysis and discussions with CBP officials assured us that those data fields were reasonably complete and accurate. [End of section] Appendix II: Comments from the Department of Homeland Security: This version of our report is unrestricted based on a security review by CBP. [End of section] Appendix III GAO Contacts and Staff Acknowledgments: U.S. Department of Homeland Security: Washington, DC 20229: U.S. Customs and Border Protection: Commissioner: Mr. Richard M. Stana: Director, Homeland Security and Justice: Government Accountability Office: 441 G Street, N.W.: Washington, D.C. 20548: Dear Mr. Stana: Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report related to the Customs-Trade Partnership Against Terrorism (C-TPAT) program. U.S. Customs and Border Protection (CBP) and the Department of Homeland Security (DHS) appreciate the work done in this review to identify areas where actions can be taken by CBP to improve the C-TPAT program. Technical comments were provided to GAO under a separate cover; however, there are a few areas of the report that deserve comment. When C-TPAT was established in response to the attacks of September 11, the intent was to build a partnership to leverage the resources of the private sector so that the limited resources of the government could be focused on inspecting high-risk cargo shipments. Any evaluation of C- TPAT must recognize that it is a voluntary partnership to improve the security of the United States and not a program to confirm importer compliance with a regulatory requirement. The C-TPAT participants voluntarily share with the government details of sensitive corporate security plans and again, voluntarily, agree to allow government representatives access to their facilities to confirm that they are following their own security plans and that these plans meet or exceed C-TPAT supply chain security criteria. DHS believes that to date, thousands of companies working under the auspices of this partnership have taken concrete steps to improve their security procedures, thereby increasing global supply chain security and the security of the United States. The supply chain that facilitates the shipment of cargo to the United States is global. It is very difficult for our government to regulate the security procedures outside our country. However, C-TPAT importers are willing to use their business leverage over their foreign suppliers throughout the world to require their suppliers to improve security at the beginning of the supply chain. This free and open communication with industry has allowed Customs and Border Protection to further identify security baseline practices and best practices. This has been a leaming experience for all involved, and through this exchange C-TPAT has fostered an expanding international dialogue on best security practices. This has created an opportunity for DHS to work internationally to promote supply chain security. C-TPAT is a partnership program that has benefits for both the government and the industry participants. The title of the draft report, "DHS Grants Importers Reduced Scrutiny with Limited Assurance of Adequate Security", is misleading. The title creates the improper impression that only the validation process assures adequate security for containerized cargo. The report places excessive emphasis on the validation process without adequately reflecting the certification and vetting process within C-TPAT and the other layers of security put in place since the terrorist attacks three years ago. However, as noted below, we believe the shipments of a company which has committed to C- TPAT security levels represent less risk. That lessened risk is taken into account in our risk targeting rules. That said, C-TPAT cargo is not exempt from advance reporting requirements, enforcement and security inspections, random inspections, or non-intrusive screening technology such as radiation portals where we are moving to 100% screening of all in-bound cargo for WMD threats. The DHS cargo security strategy clearly identifies the screening of all containers for WMD's as its highest priority. The discussion of the benefits of C-TPAT, including the section "C-TPAT Benefits Designed to Reduce Scrutiny of Shipments" would be more accurate if it reflected that the benefits of the program were designed to create incentives for industry to improve supply chain security. Eligibility for the Importer Self-Assessment Program (ISA) for example, is included as a benefit that reduces the level of scrutiny. Further, CBP, in the context of the DHS cargo security strategy, is looking to establish more broadly applicable minimum security standards that may in some cases build on C-TPAT requirements. For example, CBP is currently working on a proposed regulatory standard that would require 100 percent of all loaded in-bound maritime containers to be outfitted with a high-security seal that would be verified before the cargo is loaded at the foreign port. The C-TPAT program currently includes guidelines for high security seals that meet or exceed this regulatory requirement. The movement of a C-TPAT guideline to a more broadly regulated minimum standard is another way to transition industry towards a stricter security framework. Finally, C-TPAT is part of our overall risk management approach. C-TPAT helps identify the importers that take security seriously. This information is factored into the risk assessment and lower risk cargo receives less scrutiny. That is how risk management works. The resources used to validate that low risk importers are truly low risk must be reasonable when balanced against the greater threat presented by higher risk cargo. That is not to say that the C-TPAT program cannot be improved. On the contrary, DHS concurs with the final recommendations in the report. As part of their corrective action plan, CBP will readdress the validation process, including establishing policies and procedures related to the extent to which C-TPAT members are validated. Actions that CBP plans to take regarding specific recommendations are below: Recommendation 1: Strengthen the validation process by providing appropriate guidance to specialists conducting validations, including what level of review is adequate to determine whether member security practices are reliable, accurate, and effective. Response: CBP has provided all Supply Chain Specialists (SCS) with a comprehensive training program developed by CBP's Office of Training and Development. SCS training includes specific instruction on validation scope and methodology, conducting pre-validation research, supply chain identification/selection, and report writing. CBP is developing Standard Operating Procedures and directives to provide further clarification and guidance for all SCS personnel conducting validations. This will include the need for appropriate documentation of the validation process. CBP will also develop an automated validation tool for SCS. Recognizing that no two international supply chains or validations are exactly the same, and that C-TPAT must remain flexible to meet the complex challenges of international trade, CBP will develop written baseline criteria for assisting the SCS in determining if member's security practices and processes are adequate and effective. Recommendation 2: Determine the extent (in terms of numbers or percentage) to which members should be validated in lieu of the original goal to validate all members within three years of certification. Response: Overwhelming response by the trade community forced CBP to reconsider its original goal to validate all certified members within a three-year period. Selection for validations were initially based upon risk management principles, i.e., strategic threat geographically, import volume/value, security related incidents, history of compliance/ violations, etc. CBP will further refine the risk management process and develop member selection methodology/criteria and an automated system to standardize and assist in the selection process. C-TPAT will determine and prioritize which sectors of membership will be selected for validations, select individual companies based upon a standardized risk assessment, and identify "company specific" high-risk supply chains to better focus our efforts and resources. The resource needs to support this approach will be reflected in the human capital plan. Recommendation 3: Complete a formal strategic plan that clearly articulates the goals of the C-TPAT program, their relationship to broader CBP goals, and strategies for achieving them. Response: As part of its ongoing industry outreach effort, C-TPAT has developed a strategic plan that was shared with the public during CBP's Trade Symposium on January 13 and 14, 2005 and is attached to this response. CBP is continuing its efforts to strategically strengthen C- TPAT and is working with the Department of Homeland Security to draft an implementation plan for the program. This implementation plan will build on the public dialogue associated with the strategic plan and specifically focus on developing performance metrics to adequately assess security and trade facilitation aspects, human resource requirements and a plan for transitioning C-TPAT requirements to minimum baseline standards (as may be appropriate), consistent with GAO's recommendations." Recommendation 4: Complete the development of performance measures, to include outcome-based measures and performance targets, to track the program's status in meeting its strategic goals. Response: C-TPAT has developed initial measures to determine the scope of the program (i.e., membership), measures to gauge the realization of benefits by certified members (i.e., inspection percentages), and measures to gauge the effectiveness of validations. C-TPAT has refined its measures in coordination with the Department. New measures have been developed for use in the FY 2006 Fiscal Year Homeland Security Plan. They include: compliance rate for C-TPAT members with the established C-TPAT security guidelines, C-TPAT validation labor efficiency rate, average CBP exam reduction ratio for C-TPAT member importers compared to non-C-TPAT importers, and time savings to process U.S./Mexico Border FAST lane transactions. In addition, CBP will be identifying a contractor to assist with the development of outcome- based measures and performance targets for the C-TPAT program. CBP will continue to develop and refine these and other measures as may be required to ensure program success. Recommendation 5: Complete a formal human capital plan that clearly describes how the C-TPAT program will recruit, train, and retain sufficient staff to successfully conduct the work of the program, including reviewing security profiles, vetting, and conducting validations to mitigate program risk. Response: To date, C-TPAT has developed the new SCS position, developed an official 2 week training program, developed a formalized SCS training manual, conducted two rounds of SCS selections, conducted two formal training programs, established four C-TPAT field offices, and developed a future continuing education program for C-TPAT personnel. In addition, CBP produced a detailed SCS staffing plan which analyzed current SCS workload, annual program growth rate, actual duties being performed by SCS, time to complete average validation, and the number of validations an SCS can complete in 1 year. C-TPAT will continue to refine all aspects of the human capital plan to include Headquarters personnel, additional training requirements, budget, and future personnel profiles. Recommendation 6: Implement a records management system that accurately and timely documents key decisions and significant operational events, including a reliable system for (1) documenting and maintaining records of all decisions in the application through validation processes, including but not limited to documentation of the objectives, scope, methodologies, and limitation of validations, and (2) tracking member status. Response: CBP's goal is to automate every aspect of the C-TPAT program, both internally and externally. In the near future, only electronic submissions will be accepted by C-TPAT. Trade partners will submit information through a web application. The information will be processed against internal risk criteria and accepted or denied immediate responses generated and validation time frames established. Internally, information will be easily stored, reports generated and risk analysis conducted. Externally, response times will decrease and more information will be readily available. Thank you for the opportunity to review and provide comments to the draft report. Our expectation is that this report will be handled appropriately as a "Limited Official Use Only" document due to the sensitivity of the information contained in the report. Yours truly, Signed by: Robert C. Bonner: Commissioner: Attachment: [End of section] GAO Contacts: Richard M. Stana (202) 512-8777; Stephen L. Caldwell (202) 512-9610: Staff Acknowledgments: In addition to those named above, Kristy N. Brown, Kathryn E. Godfrey, Wilfred B. Holloway, Stanley J. Kostyla, Shakira O'Neil, and Deena D. Richart made key contributions to this report. [End of section] Related GAO Products: Homeland Security: Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention. GAO-05-170. Washington, D.C.: January 14, 2005. Port Security: Planning Needed to Develop and Operate Maritime Worker Identification Card Program. GAO-05-106. Washington, D.C.: December 10, 2004. Maritime Security: Better Planning Needed to Help Ensure an Effective Port Security Assessment Program. GAO-04-1062. Washington, D.C.: September 30, 2004. Maritime Security: Substantial Work Remains to Translate New Planning Requirements into Effective Port Security. GAO-04-838. Washington, D.C.: June 30, 2004. Border Security: Agencies Need to Better Coordinate Their Strategies and Operations on Federal Lands. GAO-04-590. Washington, D.C.: June 2004. Homeland Security: Summary of Challenges Faced in Targeting Oceangoing Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March 31, 2004. Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail Security, but Significant Challenges Remain. GAO-04-598T. Washington, D.C.: March 23, 2004. Department of Homeland Security, Bureau of Customs and Border Protection: Required Advance Electronic Presentation of Cargo Information. GAO-04-319R. Washington, D.C.: December 18, 2003. Homeland Security: Preliminary Observations on Efforts to Target Security Inspections of Cargo Containers. GAO-04-325T. Washington, D.C.: December 16, 2003. Posthearing Questions Related to Aviation and Port Security. GAO-04- 315R. Washington, D.C.: December 12, 2003. Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 19, 2003. Maritime Security: Progress Made in Implementing Maritime Transportation Security Act, but Concerns Remain. GAO-03-1155T. Washington, D.C.: September 9, 2003. Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors. GAO-03-770. Washington, D.C.: July 25, 2003. Homeland Security: Challenges Facing the Department of Homeland Security in Balancing Its Border Security and Trade Facilitation Missions. GAO-03-902T. Washington, D.C.: June 16, 2003. Transportation Security: Federal Action Needed to Address Security Challenges. GAO-03-843. Washington, D.C.: June 30, 2003. Transportation Security: Post-September 11th Initiatives and Long-Term Challenges. GAO-03-616T. Washington, D.C.: April 1, 2003. Border Security: Challenges in Implementing Border Technology. GAO-03- 546T. Washington, D.C.: March 12, 2003. Customs Service: Acquisition and Deployment of Radiation Detection Equipment. GAO-03-235T. Washington, D.C.: October 17, 2002. Port Security: Nation Faces Formidable Challenges in Making New Initiatives Successful. GAO-02-993T. Washington, D.C.: August 5, 2002. FOOTNOTES [1] GAO, Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors, GAO-03-770, Washington, D.C.: July 25, 2003. [2] The Free and Secure Trade (FAST) program is a CBP program that allows Canadian and Mexican companies expedited processing of their commercial shipments at the border. [3] A supply chain consists of all stages involved in fulfilling a customer request, including the manufacturer, suppliers, transporters, warehouses, and retailers. [4] A container is a van, open-top trailer, or other similar trailer body on or into which cargo is loaded and transported. [5] Department of Transportation Volpe National Transportation Systems Center, Intermodal Cargo Transportation: Industry Best Security Practices (Cambridge, Mass.: June 2002). [6] The layered enforcement strategy encompasses CBP programs including C-TPAT (addressed in this report), as well as the Container Security Initiative (CSI). CSI is an initiative whereby CBP places staff at designated foreign seaports to work with foreign counterparts to identify and inspect high-risk containers for weapons of mass destruction before they are shipped to the United States. We are currently reviewing the CSI program and a report is forthcoming. [7] In addition, there are hundreds of foreign-based air, rail, sea, and truck carriers certified in C-TPAT. [8] For fiscal year 2004, CBP had authorization for 157 positions for supply chain specialists and support staff, but as of August 2004 had hired only 40 specialists. CBP officials noted that the bureau recognizes the need for additional permanent positions, and CBP plans to hire, train, and have in place an additional 30 to 50 supply chain specialists by the end of calendar year 2004. [9] CBP established security guidelines to assist companies in completing their security profiles. Each set of security guidelines is tailored according to member type. [10] GAO, Container Security: Expansion of Key Customs Programs Will Require Greater Attention to Critical Success Factors, GAO-03-770, Washington, D.C.: July 25, 2003. [11] GAO, Homeland Security: Summary of Challenges Faced in the Targeting of Oceangoing Cargo Containers for Inspection, GAO-04-557T, Washington, D.C.: March 2004. [12] CBP officials told us they are currently working to adapt the risk assessment tool so that it can be applied to C-TPAT members from additional trade sectors, such as brokers and carriers. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: