From Awareness to Action:  A Deep Dive into CTPAT Training

In the global trade universe, where time holds huge importance, weak security practices in your international operations could be detrimental to your business.  Customs and Border Protection (CBP), the folks behind CTPAT, are getting serious about proof.  Your Supply Chain Security Specialist (SCSS) is like the detective, always asking, ‘Show me the money… er, I mean, the proof!’

Let’s zero-in and take a deeper dive into what this means for the Education and Training approaches that are critical components of modern business operations, and an essential factor in the CTPAT criteria.  As a CTPAT participant, you are certainly aware that security training for your business operations is not just a CTPAT centered initiative.  It is, and should be, instructed and practiced by all staff and employees for the protection of the business.  To move from awareness to action, it’s essential to understand your organization’s structure, identify its security needs, and adopt practices that promote good security habits. 

1. Identify and understand the internal supply chain and key reasons why security training is vital to their success.

An Internal Supply chain is identified by the activities that lead up to the delivery of a product or service.  Such as:

• • Production: manufacturers or producers  Purchasing: Sourcing, buying, and contracting. Operations: Inventory management, distribution, shipping & receiving, vendor management, and scheduling. Accounting and Finance:  Verifying  financial stability; Sanctions and Denied Party Screenings, identifying red flags in transactions.  Customer Service: includes Sales and Marketing and all Customer facing divisions. Human Resources: staffing – including contract labor, and temporary personnel. 
  • Areas of Security training that impact Internal Security include Physical Security, Access Control, Cybersecurity, Personnel Security, Suspicious persons, Internal Conspiracies, Incident Reporting, and identifying red flags in conversation and documents.

Training material should provide a full understanding of the organization’s unique security risks and empower all personnel to identify and mitigate threats throughout their daily activities.  Materials should cover:

Access Control: 

• Proper use of ID badges and biometrics (if used)
• Identification and protection of restricted areas
• Recognizing intrusion detection alarms and proper responses

Visitor Management: 

• Detailed visitor procedures –  reservation (if used), registration and escort practices

Emergency Response & Crisis Management:

• Clear emergency response plans and well-defined training

Internal Threat Awareness: 

• Recognizing signs of internal conspiracy or malicious activity
• Establishment and use of reporting mechanisms for suspicious behavior

Cybersecurity 

• Employee Access, restricted accounts, passwords, and Multi-factor authentication.
• Identifying and reporting threats associated with social engineering such as:  phishing, spam, pretexting, baiting,  Impersonation, quizzes and surveys, scareware etc. 
• Policy for social media practices  
• Tabletop exercises –  cyber incident scenarios – to allow practice for potential threats or unusual data activity

General Security Awareness: 

• Identification of potential security risks, such as unknown individuals, unattended items, and computer malfunctions
• Clear guidelines for escalating concerns to appropriate personnel

2. Certain work functions are required to have additional, specialized training. 

Specialized training should be provided to employees based on their roles and responsibilities. Training should provide context for why the processes exist, highlighting how they contribute to risk mitigation and minimize potential consequences for the company. 

Shipping & Receiving / Transportation Personnel

• Training on Container and Agricultural Inspections methods and recordkeeping
• Seal security, inventory,  assignment and application of seals to containers
• Document discrepancies and procedures to correct errors
• Reporting compromised containers or seals 
• This area should also include things like HAZMAT training, Dangerous goods handling, safe operation of material handling equipment, Warehouse Management Systems, barcode scanning, and loss prevention strategies.   

Procurement Personnel

• Training on foreign manufacturer or vendor requirements 
• How to evaluate risk for vendors and suppliers
• How and where to report concerns – Do Not Ignore Red Flags

3. Training Documentation: – Who and When

Whether you hold live training events, virtual interactive sessions,  or require employees to complete self-paced courses though Learning Management Systems (LMS), having a means to generate, maintain, and supply training records is part of the “Show me the proof” aspect of the program.  

Records

• LMS will keep the records for you.  Who signed it, what course they completed, and it will score it according to the parameters you determine. 
• Live events will require paper, or digital sign-in logs for those attending
• Virtual sessions can use registration and attendance logs produced by a host system like Zoom, Teams, Google Meet, etc. 
• Records for live or virtual sessions should also include subject matter of the training.

Recurrence

• Training in critical areas should be repeated, at least annually, or targeted as needed for review by certain groups or employees.  
• Management can periodically assess the inspection, quality, and document procedures by “unannounced observation.”  Witnessing various tasks carried out by employees.  Small group or individual instruction can be used to review processes and identify any areas for improvement.

Knowledge Check

• A knowledge check (quiz, or verbal feedback) can be a valuable tool to evaluate trainee comprehension of the material or if there are gaps that could require a follow-up. 

Expect that your Supply Chain Security Specialist (SCSS) will ask to see specifics on your training and awareness program as part of your next annual Security Profile update or re-validation meeting.  In addition to training logs, which have always been a requirement, you may be asked to communicate your current training materials, and steps for measuring training effectiveness.  You should have plans to review steps and update materials on a regular basis.  Consider using a scope of training that covers additional areas and targeted concerns. For example, focused Cyber training, internal conspiracies, or real-world scenario training and awareness, for employees involved in cargo handling, or trade financial transactions.  

Targeted training can and is often addressed with things like site posters, email bulletins and even the ten- minute department or team meeting to highlight new processes or have input discussions for ideas in addressing a recently identified gap.  Pictures of displayed posters and copies of email bulletins can be maintained by the CTPAT Point of Contact (POC)  in a security folder with examples uploaded to the portal for annual reviews.  

4. Identify and understand the external supply chains and the CTPAT member’s responsibility.

An External Supply Chain is best defined as a network, consisting of suppliers, manufacturers, vendors, and other partners working together to provide goods or services.  External supply chains are often complex, with many different stakeholders involved. Including:

• • Suppliers: raw materials and components.  Foreign Manufacturers: Sub-assemblies and Finished Product.  Operations: Foreign Shipping & Receiving, Consolidators, Transportation vendors, Ocean, Air and Rail Carriers.  Human Resources: staffing – including contract labor, and temporary personnel.  

Training materials or expectations to manufacturers, suppliers and vendors must provide an understanding of your organization’s Code of Conduct and Labor Practices along with the Security Awareness training.  Materials should cover:

• • All areas of security training addressed for internal supply chain
  • Additionally, expectations on Labor Practices should include:
    1. Policy for prohibited use of forced or indentured labor, as well as non-discrimination, and humane treatment of all workers
    2. Policy prohibiting child labor (as defined by the International Labor Organization)
    3. Wages and benefits
    4. Freedom of association, or freely chosen employment
    5. Working hours

From the CTPAT standpoint, it is important that you demonstrate that all supply chain partners receive an outline of training expectations, or even better an offer to distribute training materials to them.  I know, I know, that seems like overkill, but the goal is to present a complete supply chain life cycle to the Security Specialist, showing that all supply chain participants have received suitable training on CTPAT requirements and understand your standard operating security requirements. It is understood that you cannot guarantee that your partners will review the training material, but it is key to demonstrating reasonable care that you ensure they are aware of its existence and accessibility.  

Here are a couple of ways to accomplish this.

• • E-mail a checklist of security measures and labor practices that you expect the suppliers/manufacturers to include in their training materials and allow them to develop the instruction. 
  • Alternatively, you could convert your entire security and labor practices training material  into a PDF program covering the CTPAT security basics and email it to your suppliers and manufacturers. This may include translating the materials into the relevant languages.

Regardless of the approach, document your communication with supply chain partners by saving copies of all materials and emails. This will provide evidence of your implementation.

Training is an ongoing effort because threats to supply chain security are continuously evolving. As a good practice, companies can leverage internal communications systems to inform employees of latest trends in supply chain security threats. For example, sharing recent smuggling methods, or recently reported breaches, provides critical information while reinforcing the why behind the company’s processes and procedures.  

Ready to move from Awareness to Action? Let Braumiller Consulting Group help you with CTPAT training guidance, development, and solutions.  We’ve got you covered.