Supply Chain Security: Actions Needed to Improve CBP Management of the Customs Trade Partnership Against Terrorism Program
Fast Facts
Customs and Border Protection's Customs Trade Partnership Against Terrorism program aims to balance supply chain efficiency and security. It provides benefits like reduced inspections of U.S.-bound cargo to "low-risk" private companies that voluntarily comply with certain security standards.
We found that 480 program participants were involved in about 2,200 security incidents from FYs 2020 to 2024. These incidents included introducing restricted or prohibited cargo, such as narcotics, into the supply chain. CBP didn't collect complete data on these incidents and didn't consistently investigate them.
Our recommendations address this and more.
A large cargo ship transporting stacks of shipping containers on a body of water, with buildings and trees on the shoreline behind the ship.
Highlights
What GAO Found
U.S. Customs and Border Protection (CBP) has implemented the Customs Trade Partnership Against Terrorism (CTPAT) program as part of a layered, risk-informed approach to supply chain security. CTPAT provides private companies in the supply chain with certain benefits (e.g., reduced cargo inspections or expedited processing) in exchange for voluntary adherence to additional security requirements. CBP monitors CTPAT participants’ involvement in security incidents, such as smuggling cargo that contains narcotics, which could result in participants’ suspension or removal from the program.
According to CBP data, about 4 percent of CTPAT program participants were involved in one or more security incidents. Specifically, 480 CTPAT program participants were involved in approximately 2,200 security incidents (about 1 percent of all incidents) in the cargo supply chain in fiscal years 2020 through 2024. The most common type of security incident that participants were involved in were drug-related, accounting for just under 50 percent of all incidents. However, CBP does not collect complete data on security incidents involving program participants, such as on incidents self-reported by participants. Ensuring data on CTPAT security incidents are complete and consistent would position CBP to better identify and understand possible risks to the cargo supply chain.
Customs Trade Partnership Against Terrorism (CTPAT) Participant Involvement in Security Incidents That Occurred in the Cargo Supply Chain, Fiscal Years 2020-2024
Note: These data are estimates. While GAO determined that these data are sufficiently reliable to report approximate numbers, limitations in these data exist. For more details, see GAO-26-107893. The total number of CTPAT participants is as of August 2025.
CBP did not consistently investigate security incidents involving CTPAT participants or take enforcement actions against them. For example, GAO found several cases where CBP documented that they would not investigate a security incident involving a program participant and did not take enforcement action against them, but did not explain these decisions. In one instance, CBP did not take enforcement action against a participant involved in a security incident in 2021. This same participant was subsequently involved in dozens of additional incidents before it was suspended 2 years later. Without clear, documented decision criteria to determine appropriate enforcement actions against CTPAT participants involved in security incidents, CBP risks leaving the nation and supply chain vulnerable to additional security incidents.
Why GAO Did This Study
The U.S. economy depends on the quick and efficient flow of millions of tons of cargo each day throughout the global supply chain. However, U.S.-bound cargo can present security concerns, as there is a risk that terrorists could use cargo shipments to transport a weapon of mass destruction or other contraband into the U.S.
The Customs Trade Partnership Against Terrorism Pilot Program Act of 2023 includes a provision for GAO to assess the effectiveness of the program. This report examines (1) the number and types of security incidents that occurred in the cargo supply chain in fiscal years 2020 through 2024 and the extent to which CTPAT participants were involved; (2) enforcement actions against CTPAT participants involved in security incidents during this timeframe; and (3) the extent to which CBP meets certain statutory requirements in its management of the CTPAT program.
GAO analyzed CBP data on CTPAT participant involvement in security incidents and CTPAT’s enforcement actions against these participants in fiscal years 2020 through 2024. GAO also reviewed CBP procedures for addressing program participant involvement in security incidents and interviewed CBP headquarters officials.
Recommendations
GAO is making six recommendations to CBP, including to improve the completeness, consistency, and accuracy of the CTPAT program’s data and update guidance to include clear, documented decision criteria for determining enforcement actions against CTPAT participants involved in security incidents. The Department of Homeland Security concurred with our recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Customs and Border Protection | The Commissioner of CBP should develop a plan and assign responsibility for overseeing the completeness and consistency of its security incident data involving CTPAT participants, such as through regular evaluations of security incident data and ensuring that security incidents reported from CTPAT field offices or self-reported by participants are included in its data. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| United States Customs and Border Protection | The Commissioner of CBP should update the operating guidance for investigating and taking enforcement action against CTPAT participants involved in security incidents. The update should include (1) decision-making criteria based on a risk-based approach to inform decisions on methods to investigate participants, (2) decision-making criteria based on a risk-based approach to inform decisions on enforcement actions against participants, and (3) requirements that those decisions be documented. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| United States Customs and Border Protection | The Commissioner of CBP should improve the completeness and accuracy of the CTPAT program's enforcement actions data in the CTPAT Portal by addressing (1) incomplete data entries, (2) inconsistent or inaccurate data entries, (3) missing data entries, and (4) the potential for duplicate records. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| United States Customs and Border Protection | The Commissioner of CBP should develop a formal mechanism to ensure it annually reviews and updates as necessary the CTPAT program's minimum security requirements, as required by the SAFE Port Act. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| United States Customs and Border Protection | The Commissioner of CBP should develop and document internal policies and procedures to ensure the agency develops an annual plan for each fiscal year to match available resources to the projected workload of the CTPAT program, as required by the SAFE Port Act, including resources to address program participant involvement in security incidents. (Recommendation 5) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| United States Customs and Border Protection | The Commissioner of CBP should develop a 5-year plan with outcome-based goals and performance measures of the CTPAT program, as required by the SAFE Port Act. (Recommendation 6) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|