CTPAT Members must have comprehensive written
cybersecurity policies and/or procedures to protect
information technology (IT) systems. The written IT policy,
at a minimum, must cover all of the individual
Members are encouraged to follow cybersecurity protocols that are
based on recognized industry frameworks/standards. The *National
Institute of Standards and Technology (NIST) is one such organization
that provides a Cybersecurity Framework
(https://www.nist.gov/cyberframework) that offers voluntary guidance
based upon existing standards, guidelines, and practices to help manage
and reduce cybersecurity risks both internally and externally. It can be
used to help identify and prioritize actions for reducing cybersecurity
risk, and it is a tool for aligning policy, business, and technological
approaches to managing that risk. The Framework complements an
organization’s risk management process and cybersecurity program.
Alternatively, an organization without an existing cybersecurity program
can use the Framework as a reference to establish one.
*NIST is a non-regulatory federal agency under the Department of
Commerce that promotes and maintains measurement standards, and it
is the technology standards developer for the federal government.
This is primarily a management item, meaning you have to have a set of written policies and procedures. Those policies and procedures then dictate the IT requirements. The "individual Cybersecurity criteria" mentioned refers to CTPAT section 4, not to the NIST Cybersecurity Framework. Building the policies and procedures thus requires comparing CTPAT 4.2 through 4.13 against the NIST Cybersecurity Framework to pull out the required elements. If you have other compliance programs in effect, you may have more work to do.
When you dig into the NIST Cybersecurity Framework (and/or related standards such as those published by ISO), you will find a truckload of work for the IT staff to do before full compliance is reached.