As of March 2020 the C-TPAT requirements were made more difficult for small businesses. It brought forward more IT requirements one of which was NIST Cyberframework to meet the first item in the Cybersecurity requirements.
This is what the Highway Carrier Security Criteria stated for IT as of September 2014:
Measures should be taken to protect electronic assets, including advising employees of the need to protect passwords and computer access. Automated systems must use individually assigned accounts that require
a periodic change of password. IT security policies, procedures and standards must be in place and provided to employees in the form of training.
A system must be in place to identify the abuse of IT including improper access, tampering or the altering of business data. All system violators must be subject to appropriate disciplinary actions for abuse.
Now, as of March 2020, the IT requirements include:
4.1 (MUST) CTPAT Members must have comprehensive written
cybersecurity policies and/or procedures to protect
information technology (IT) systems. The written IT policy,
at a minimum, must cover all of the individual
Members are encouraged to follow cybersecurity protocols that are based on recognized industry frameworks/standards. The National Institute of Standards and Technology (NIST) is one such organization that provides a Cybersecurity Framework (https://www.nist.gov/cyberframework) that offers voluntary guidance based upon existing standards, guidelines, and practices to help manage and reduce cybersecurity risks both internally and externally. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. The Framework complements an organization’s risk management process and cybersecurity program. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.
4.2 (MUST) To defend Information Technology (IT) systems against
common cybersecurity threats, a company must install
sufficient software/hardware protection from malware
(viruses, spyware, worms, Trojans, etc.) and
internal/external intrusion (firewalls) in Members’
computer systems. Members must ensure that their
security software is current and receives regular security
updates. Members must have policies and procedures to
prevent attacks via social engineering. If a data breach
occurs or another unseen event results in the loss of data
and/or equipment, procedures must include the recovery
(or replacement) of IT systems and/or data.
4.3 (MUST) CTPAT Members using network systems must regularly test
the security of their IT infrastructure. If vulnerabilities are
found, corrective actions must be implemented as soon as
A secure computer network is of paramount importance to a business, and ensuring that it is protected requires testing on a regular basis. This can be done by scheduling vulnerability scans. Just like a security guard checks for open doors and windows at a business, a vulnerability scan (VS) identifies openings on your computers (open ports and IP addresses), their operating systems, and software through which a hacker could gain access to the company’s IT system. The VS does this by comparing the results of its scan against a database of known vulnerabilities and produces a correction report for the business to act upon. There are many free and commercial versions of vulnerability scanners available.
The frequency of the testing will depend on various factors including the company’s business model and level of risk. For example, companies should run these tests whenever there are changes to a business’s network infrastructure. However, cyber-attacks are increasing among all sizes of businesses, and this needs to be considered when designing a testing plan.
4.4 (SHOULD) Cybersecurity policies should address how a Member
shares information on cybersecurity threats with the
government and other business partners.
Members are encouraged to share information on cybersecurity threats with the government and business partners within their supply chain. Information sharing is a key part of the Department of Homeland Security’s mission to create shared situational awareness of malicious cyber activity. CTPAT Members may want to join the National Cybersecurity and Communications Integration Center (NCCIC – https://www.us-cert.gov/nccic). The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.
4.5 (MUST) A system must be in place to identify unauthorized access
of IT systems/data or abuse of policies and procedures
including improper access of internal systems or external
websites and tampering or altering of business data by
employees or contractors. All violators must be subject to
appropriate disciplinary actions.
4.6 (MUST) Cybersecurity policies and procedures must be reviewed
annually, or more frequently, as risk or circumstances
dictate. Following the review, policies and procedures
must be updated if necessary.
An example of a circumstance that would dictate a policy update sooner than annually is a cyber attack. Using the lessons learned from the attack would help strengthen a Member’s cybersecurity policy.
4.7 (MUST) User access must be restricted based on job description or
assigned duties. Authorized access must be reviewed on a
regular basis to ensure access to sensitive systems is based
on job requirements. Computer and network access must
be removed upon employee separation.
4.8 (MUST) Individuals with access to Information Technology (IT)
systems must use individually assigned accounts.
Access to IT systems must be protected from infiltration
via the use of strong passwords, passphrases, or other
forms of authentication, and user access to IT systems
must be safeguarded.
Passwords and/or passphrases must be changed as soon as
possible if there is evidence of compromise or reasonable
suspicion of a compromise exists.
To guard IT systems against infiltration, user access must be safeguarded by going through an authentication process. Complex login passwords or passphrases, biometric technologies, and electronic ID cards are three different types of authentication processes. Processes that use more than one measure are preferred. These are referred to as two-factor authentication (2FA) or multi-factor authentication (MFA). MFA is the most secure because it requires a user to present two or more pieces of evidence (credentials) to authenticate the person’s identity during the log-on process.
MFAs can assist in closing network intrusions exploited by weak passwords or stolen credentials. MFAs can assist in closing these attack vectors by requiring individuals to augment passwords or passphrases (something you know) with something you have, like a token, or one of your physical features – a biometric.
If using passwords, they need to be complex. The National Institute of Standards and Technology’s (NIST) NIST Special Publication 800-63B: Digital Identity Guidelines, includes password guidelines (https://pages.nist.gov/800-63-3/sp800-63b.html). It recommends the use of long, easy to remember passphrases instead of words with special characters. These longer passphrases (NIST recommends allowing up to 64 characters in length) are considered much harder to crack because they are made up of an easily memorized sentence or phrase.
4.9 (MUST) Members that allow their users to remotely connect to a
network must employ secure technologies, such as virtual
private networks (VPNs), to allow employees to access the
company’s intranet securely when located outside of the
office. Members must also have procedures designed to
prevent remote access from unauthorized users.
VPNs are not the only choice to protect remote access to a network. Multi-factor authentication (MFA) is another method. An example of a multi-factor authentication would be a token with a dynamic security code that the employee must type in to access the network.
4.10 (MUST) If Members allow employees to use personal devices to
conduct company work, all such devices must adhere to
the company’s cybersecurity policies and procedures to
include regular security updates and a method to securely
access the company’s network.
Personal devices include storage media like CDs, DVDs, and USB flash drives. Care must be taken if employees are allowed to connect their personal media to individual systems since these data storage devices may be infected with malware that could propagate using the company’s network.
4.11 (SHOULD) Cybersecurity policies and procedures should include
measures to prevent the use of counterfeit or improperly
licensed technological products.
Computer software is intellectual property (IP) owned by the entity that created it. Without the express permission of the manufacturer or publisher, it is illegal to install software, no matter how it is acquired. That permission almost always takes the form of a license from the publisher, which accompanies authorized copies of software. Unlicensed software is more likely to fail as a result of an inability to update. It is more prone to contain malware, rendering computers and their information useless. Expect no warranties or support for unlicensed software, leaving your company on its own to deal with failures. There are legal consequences for unlicensed software as well, including stiff civil penalties and criminal prosecution. Software pirates increase costs to users of legitimate, authorized software and decrease the capital available to invest in research and development of new software.
Members may want to have a policy that requires product key labels and certificates of authenticity to be kept when new media is purchased. CDs, DVDs, and USB media include holographic security features to help ensure you receive authentic products and to protect against counterfeiting.
4.12 (SHOULD) Data should be backed up once a week or as appropriate.
All sensitive and confidential data should be stored in an
Data backups should take place as data loss may affect individuals within an organization differently. Daily backups are also recommended in case production or shared servers are compromised/lose data. Individual systems may require less frequent backups, depending on what type of information is involved.
Media used to store backups should preferably be stored at a facility offsite. Devices used for backing up data should not be on the same network as the one used for production work. Backing up data to a cloud is acceptable as an “offsite” facility.
4.13 (MUST) All media, hardware, or other IT equipment that contains
sensitive information regarding the import/export process
must be accounted for through regular inventories. When
disposed, they must be properly sanitized and/or
destroyed in accordance with the National Institute of
Standards and Technology (NIST) Guidelines for Media
Sanitization or other appropriate industry guidelines.
Some types of computer media are hard drives, removable drives, CDROM or CD-R discs, DVDs, or USB drives.
The National Institute of Standards and Technology (NIST) has developed the government’s data media destruction standards. Members may want to consult NIST standards for sanitization and destruction of IT equipment and media.
Whoa, what a difference a few years makes.
Bear in mind that a number of these requirements are also included in other compliance programs and/or memberships. Thankfully the people controlling PCI-DSS (credit cards) have supplied a “mapping” between the PCI-DSS items and the NIST Cyberframework items.
None of the above even touches on other items that IT may be involved in such as:
- security cameras
- access controls (i.e. door locks)
- mobile data management (MDM)
Other programs may include:
- PIP = Canada Customs
- Country specific customs programs
- Air Cargo = Canada specific
- Controlled Goods = Canada specific
I am working on a spreadsheet to correlate the requirements of multiple programs. This is a bit challenging as some programs do not publish the requirements publicly, you have to be a member to get them.