When it comes to the government security initiative known as C-TPAT, everyone's a critic. Some say it's too lax, charging that thousands of companies have obtained security clearance based on nothing more than their word. Others complain that its requirements are so vague as to be nearly useless. Yet others revile its standards as too stringent and unnecessary. Who's to be believed?

To understand the problem, you need to know a little about the program's background. The Customs-Trade Partnership Against Terrorism (C-TPAT) was conceived in the wake of the catastrophic events of 9/11, when Americans woke up to the fact that we have enemies out there with not only the inclination, but also the lethal capability to exploit weaknesses in domestic security. As U.S. officials scrambled to plug holes in national security in the days following the attacks, they quickly homed in on the commercial supply chain as an area of vulnerability.

U.S. businesses bring approximately 20 million trailers, railcars, air containers and ocean containers into the country each year, each one a target for terrorists bent on smuggling in material that is radioactive, explosive or biologically hazardous.

Right now, the Bureau of Customs and Border Protection (CBP) inspects less than 3 percent of those 20 million inbound shipments. And although there have been calls from Congress to step up inspections, anyone with even a passing familiarity with global supply chains understands the futility of that effort. No matter how much equipment or how many people were allocated to the project, it would be physically impossible to inspect every one of those boxes without choking off commerce. For an idea of the economic impact of widespread delays, you need look no further than the 2002 West Coast port labor dispute. While labor and management wrangled, ocean liners stacked up in the Pacific for as far as the eye could see, weighted down with goods that couldn't be offloaded. American companies, including distributors, logistics service providers, and retailers, felt the financial sting to the tune of $2 billion a day.

Unable to police the global supply chain on its own, CBP came up with an alternative plan: get U.S. companies to shoulder some of the burden. Customs could significantly increase the effectiveness of the small percentage of inspections taking place if it could focus its resources on the high-risk shipments. CBP has no clout over foreign companies, clearly one of the most vulnerable links in the global supply chain. But U.S. importers have plenty of leverage with their suppliers. If those U.S. importers would commit to upgrading their supply chain security programs and persuading their overseas business partners to do the same, Customs would reward them by reducing their risk of being targeted for inspections. We know that program as C-TPAT.

C-TPAT comes under fire
In its nearly four years of existence, C-TPAT has drawn some flak. Some, for example, have voiced concerns about what they see as inadequate enforcement, charging that certification has been awarded to thousands of companies based solely on the submission of their security Profile Report.

That's a legitimate concern. However, it's also necessary to be pragmatic. After 9/11, the agency was faced with the need to act swiftly. Had Customs waited until it could recruit and fully train hundreds of additional inspectors and procure all the high-tech screening equipment it would need, the C-TPAT program would probably have been delayed 18 to 24 months. In my opinion, that delay would have posed a significantly greater risk than allowing companies to receive certification without being validated.

To be sure, there may have been importers, manufacturers and carriers who were guilty of misrepresentation and neglect. But I believe that a larger percentage of companies applying for C-TPAT certification were serious about identifying their deficiencies, developing and implementing improved safeguards, training their personnel to recognize security threats, and communicating the need to upgrade supply chain safeguards to their overseas suppliers and vendors. As a result, this enormous project got under way sooner rather than two years later.

Another criticism leveled at C-TPAT is that security standards communicated by CBP haven't been detailed or consistent. While it's true that many of the recommended safeguards appear to be generic, security experts understood that it simply wasn't possible to produce a "one size fits all" standard when dealing with thousands of businesses of various types and sizes, all with different logistics and operating practices.

My company is frequently asked to assess corporate supply chains and help companies develop programs compliant with C-TPAT standards. Over the years, we've learned that even companies in the same field and of similar size require customized security solutions rather than broad boilerplate fixes, which tend to be both superficial and ineffective.

Nonetheless, CBP responded to its critics, introducing new and stiffer standards for C-TPAT certification on March 25. Companies seeking C-TPAT certification will need to meet or exceed the new security criteria, which cover areas like container integrity, personnel background checks and IT security. Companies that have already obtained certification have been allowed to bring their operations into compliance in phases.

Still, it appears that CBP can't win. The same parties that had clamored for clearer, better-defined standards jumped all over the new C-TPAT standards, branding them as extreme and unnecessary. I would disagree. Although I may not concur with the requirements on every point, I still think it's necessary to take a broader view of what the C-TPAT program is designed to accomplish as well as the formidable obstacles that must be faced each day.

To those who protest that the new standards are too stringent, I'd like to point out that shipments from C-TPAT certified companies are precisely the shipments most likely to be targeted by terrorist cells. It's no secret that shipments to certified companies stand a much lower than average chance of being opened by CBP inspectors. For that reason, it's imperative that certified companies follow the very best security practices, support their practices with state-of-the-art technology, and diligently check and test their procedures on a regular basis. Anything less creates vulnerabilities.

Making progress
For all the criticism, the good news is that CBP, through programs like C-TPAT and the Container Security Initiative, has made considerable progress, in a relatively short period of time, securing America's borders. Many of America's largest importers have embraced the C-TPAT program and strengthened their supply chain security. Not only has this reduced their exposure to smuggling and cargo theft (itself a multi-billion dollar problem annually), but most C-TPAT-certified companies have also reaped significant financial benefits. To begin with, their risk of shipment delays caused by security inspections has dropped drastically. In addition, their participation in C-TPAT makes them eligible for expedited clearance via Customs' FAST (Free and Secure Trade) program at the Mexican and Canadian borders, and has given them added leverage in negotiating insurance premiums.

Despite its imperfections, I support the concept of C-TPAT. And I'm convinced others will embrace it as well. Consider this: Despite all the complaints, no company that I'm aware of has voluntarily given up its C-TPAT certification. And other countries are now developing security programs for their inbound supply chains that are modeled on America's C-TPAT program.

I certainly don't see C-TPAT going away. To the contrary, I expect that C-TPAT, much like ISO certification, will become a widely recognized standard in the international business community and a reflection of a company's commitment to operational excellence.

Editor's note: This is the first of two parts. Next month's SecurityBrief column will discuss best practices and strategies for obtaining—and keeping—C-TPAT certification.