A practical guide for importers, manufacturers, customs brokers, carriers, warehouses, and logistics providers.
International trade is entering a period in which supply chain security, importer accountability, and documented compliance are becoming inseparable.
For companies participating in the movement of goods into the United States, security can no longer be treated as an isolated warehouse responsibility. It now reaches importer governance, business partner selection, customs broker oversight, cargo integrity, cybersecurity, employee training, risk assessment, and executive accountability.
This is the environment in which the Customs Trade Partnership Against Terrorism, commonly known as CTPAT or C-TPAT, has become increasingly important.
CTPAT is a voluntary partnership administered by U.S. Customs and Border Protection (CBP). Participating companies agree to assess their international supply chains, identify vulnerabilities, and implement security practices appropriate to their business type. CBP states that participation is voluntary, there is no government application or membership fee, and the application is completed online through the CTPAT Portal.
CTPAT should not be understood as a certificate that a company obtains once and places on a wall. It is an ongoing operational program supported by procedures, risk assessments, training records, business partner reviews, physical controls, management oversight, and evidence showing that the program is actually being implemented.
Why CTPAT Matters After Executive Order 14411
On June 3, 2026, the President issued Executive Order 14411, Strengthening Customs Enforcement. The order was published in the Federal Register on June 10, 2026.
The order directs the Department of Homeland Security and CBP to strengthen importer eligibility standards, increase importer identification and disclosure requirements, revise bonding expectations, establish importer risk tiers, enhance recurrent vetting, increase customs enforcement activity, and address noncompliance involving forced labor, misclassification, undervaluation, and illegal transshipment.
The order also directs CBP to implement additional conditions for foreign Importers of Record making formal entry. Under the order, a foreign IOR would need to be validated in CTPAT when CBP determines that the importer is eligible, or use a CTPAT-validated licensed customs broker to file entries. The order also directs restrictions on informal entries and continuous bonds for foreign IORs, subject to the rules, policies, and exceptions CBP ultimately implements.
An important distinction is that an executive order can direct agencies to issue or revise regulations, policies, and guidance, but the detailed operating requirements may depend on later CBP implementation. Companies should therefore separate the direction of the order from the final procedures that CBP publishes.
Even with that distinction, the direction is clear: companies should expect greater emphasis on verifiable controls, accurate importer information, business transparency, financial accountability, supply chain data, and documented security practices.
What Are the Different Types of CTPAT Certification?
The phrase “CTPAT certification” is often used broadly. In practice, companies should understand three separate concepts:
- The CTPAT program in which the company participates.
- The company’s certification or validation status within the program.
- The business entity category under which the company applies.
These concepts are related, but they are not interchangeable.
1. CTPAT Security
CTPAT Security is the core supply chain security program. It focuses on protecting the international supply chain against terrorism, smuggling, cargo tampering, unauthorized access, theft, and other security threats.
Companies participating in CTPAT Security must address the Minimum Security Criteria established by CBP for their approved business entity. The applicable criteria differ because the risks faced by an importer are not identical to those faced by a highway carrier, customs broker, foreign manufacturer, warehouse, or third-party logistics provider.
CTPAT Security commonly addresses:
- Corporate security responsibility and management oversight
- Supply chain risk assessments
- Business partner screening and monitoring
- Physical security and access controls
- Personnel security
- Cargo, conveyance, container, trailer, and seal integrity
- Procedural security
- Agricultural security
- Cybersecurity
- Security training and threat awareness
- Incident reporting and escalation
- Internal reviews, corrective actions, and continuous improvement
The exact requirements must be taken from the Minimum Security Criteria applicable to the company’s approved entity type.
2. CTPAT Trade Compliance
CTPAT Trade Compliance is a separate voluntary program intended for qualifying importers that have already demonstrated maturity within CTPAT Security.
It focuses more directly on customs and trade compliance management, including the systems used to identify, disclose, correct, and prevent import compliance errors.
Current CBP program requirements generally call for an applicant to be a qualifying importer, maintain Tier II or Tier III status in the CTPAT Security Program, remain in good standing, and satisfy additional import history and compliance requirements.
A company therefore does not normally begin with CTPAT Trade Compliance. The typical progression is:
CTPAT Security application → certification → validation → Trade Compliance eligibility
The Trade Compliance application is initiated from the company’s existing CTPAT account and follows its own portal workflow, documentation requirements, review process, and continuing obligations.
3. CTPAT Certification and Validation Tiers
CTPAT status is also described through certification and validation levels.
Tier I: Certified
Tier I generally refers to an importer whose application and Security Profile have been accepted by CBP. At this stage, CBP has reviewed the written submission, but the company has not yet completed its initial validation.
Certification is therefore not the end of the process. It is the beginning of the formal partnership.
Tier II: Certified and Validated
Tier II status is achieved after CBP completes the validation process and determines that the company has implemented the applicable Minimum Security Criteria.
Validation is the process through which CBP compares the company’s written Security Profile with its actual practices, records, facilities, personnel, and controls. CBP describes validation as a verification process rather than a traditional customs audit.
Tier II status is especially important because it is one of the threshold requirements for CTPAT Trade Compliance.
Tier III: Certified, Validated, and Exceeding
Tier III is the highest status commonly discussed within the CTPAT tier structure.
It applies where an eligible company not only meets the Minimum Security Criteria but demonstrates approved practices that exceed the minimum requirements.
Tier III should not be treated as a self-declared designation. A company must demonstrate measurable practices beyond the minimum and receive CBP recognition.
Which Types of Companies Can Apply?
CTPAT eligibility is based on the company’s actual legal and operational role in the supply chain.
CBP identifies eligible participant categories that include, depending on the specific requirements of each category:
- U.S. importers
- U.S. exporters
- Licensed U.S. customs brokers
- Highway carriers
- Rail carriers
- Sea carriers
- Air carriers
- Marine port authorities and terminal operators
- Freight consolidators
- Ocean transportation intermediaries and eligible NVOCCs
- Eligible foreign manufacturers
- Mexican long-haul carriers
- Certain third-party logistics providers
A company must select the correct entity type when applying. A business should not apply as a carrier merely because it hires carriers, or as a manufacturer merely because it sells manufactured products. Eligibility must be supported by the company’s actual operations, registrations, licenses, identifiers, and responsibilities.
Some organizations may qualify under more than one entity type. In those cases, the company should evaluate whether an additional business type can be added to the existing Security Model or whether a separate trade account or structure is appropriate.
Where Is the CTPAT Application Submitted?
The application and supporting information are submitted through the official CTPAT Portal 3.0.
Current portal address: CTPAT Portal 3.0
Users access the portal through Login.gov.
Each user should create and maintain their own credentials rather than sharing a login.
The CTPAT Portal is not the same system as the ACE Secure Data Portal.
ACE supports customs entry, account, reporting, and trade data functions. The CTPAT Portal is used to apply for and administer CTPAT Security and CTPAT Trade Compliance participation.
How to Submit a CTPAT Application
The online application contains two core components:
- The Company Profile
- The Security Profile
The exact screens and questions depend on the selected business entity.
Step 1: Create the Portal User Account
The individual responsible for initiating the application must establish Login.gov access and enter the CTPAT Portal.
The company should avoid duplicate or uncontrolled accounts. Portal access should be assigned only to personnel with a legitimate responsibility for maintaining the program.
CBP portal guidance has advised users to access their accounts regularly because inactive user accounts may be deactivated.
Internal ownership should therefore include a backup administrator and a process for access continuity when personnel change.
Step 2: Create or Select the Trade Account and Security Model
Inside the portal, the applicant creates or selects the company’s Trade Account and begins the CTPAT Security Model for the appropriate business entity.
The entity selection controls which eligibility questions, business identifiers, locations, and Minimum Security Criteria appear in the application.
Before starting, the company should confirm the legal name, addresses, importer numbers, EIN, SCAC, broker license, MID, facilities, and other identifiers that may be required for its selected category.
Step 3: Complete the Company Profile
The Company Profile contains the organization’s identifying and operational information. Depending on the entity type, the company may need to enter or confirm:
- Legal company name and trade names
- Physical, mailing, and operational addresses
- Website and telephone information
- Business structure and corporate details
- Importer, exporter, carrier, broker, manufacturer, or logistics identifiers
- Company locations and facilities
- Primary points of contact and administrators
- Company Officer
- Description of business activities
- Supply chain, cargo, routing, and transportation information
The Company Profile should match current corporate records. Inconsistent names, inactive addresses, old employees, or outdated identifiers can create avoidable delays.
Step 4: Assign the Company Officer
The Company Officer is not simply another portal user. This person acts with authority on behalf of the company and is responsible for formal certifications, submissions, and program agreements.
The person selected should have sufficient authority to understand and support the representations being made to CBP. The Company Officer should also have access to the people responsible for security, customs, logistics, human resources, information technology, facilities, and executive management.
Step 5: Complete the Security Profile
The Security Profile is the substantive portion of the application. The company must respond to the Minimum Security Criteria applicable to its business entity and explain how each control operates in practice.
A strong response should identify:
- The policy or procedure being followed
- The person or department responsible
- The facility, lane, process, or business partner to which the control applies
- How frequently the activity occurs
- What records are created and retained
- How exceptions are reported and escalated
- How management verifies implementation
- What evidence supports the response
Generic statements such as “we comply,” “management reviews security,” or “employees are trained” are usually weak because they do not explain how the control operates or how the company proves implementation.
What Information and Documents Should Be Uploaded?
Supporting evidence should be current, controlled, relevant, and connected to the specific criterion it supports.
Depending on the company’s entity type and operations, evidence may include:
- CTPAT policies and standard operating procedures
- Organizational charts and responsibility matrices
- Supply chain maps and process flowcharts
- Five-step risk assessments
- Business partner screening procedures
- Security questionnaires and partner evaluations
- CTPAT or recognized foreign AEO status verification records
- Visitor, employee, contractor, and driver access procedures
- Facility inspection records and site photographs
- CCTV, fencing, gates, lighting, restricted area, and key-control evidence
- Cargo, container, trailer, and conveyance inspection procedures
- Seal issuance, storage, reconciliation, and discrepancy logs
- Shipping, receiving, staging, and loading records
- Employee background screening procedures
- Security awareness and role-specific training records
- Cybersecurity policies, access controls, and incident response records
- Agricultural security inspections and contamination controls
- Security incident reporting procedures
- Internal audit or self-assessment records
- Corrective action plans and closure evidence
- Management review records
The objective is not to upload the largest possible volume of documents. The objective is to provide the most relevant evidence showing that the written response is implemented in the operation.
Documents should be clearly titled, dated, version-controlled where appropriate, and reviewed for confidential or unnecessary personal information before submission.
Where and How Should Evidence Be Uploaded in the Portal?
In Portal 3.0, evidence should normally be uploaded from the Security Profile question or criterion that it supports. The portal uses Upload and Associate functions so the file is connected to the relevant Minimum Security Criterion.
A practical upload sequence is:
- Open the applicable Security Profile section and criterion.
- Enter the company’s narrative response.
- Select the upload function.
- Choose the supporting file from the company’s controlled document repository.
- Identify the document type or description, when requested.
- Use the associate function to connect the file to the criterion.
- Confirm that the document appears as associated evidence.
- Save the response and verify that it remains visible after refreshing the page.
Documents uploaded through the Security Profile or validation response are stored in the portal’s Partner Document Exchange and are tagged to the location from which they were uploaded.
A company should not assume that uploading a file to a general document area automatically connects it to every applicable criterion. When one document supports several requirements, it may need to be associated with each relevant criterion.
A useful internal naming convention is: MSC number – document title – facility or process – effective date – version. This makes portal review, annual updates, and validation preparation significantly easier.
How Is CTPAT Trade Compliance Information Submitted?
A qualifying company begins the Trade Compliance application from its existing CTPAT account. The portal then presents the additional eligibility, profile, questionnaire, and supporting-document requirements for the Trade Compliance Program.
The required materials may include organizational information, compliance program documentation, risk assessments, internal control evidence, forced-labor compliance materials, and other records requested by CBP.
Trade Compliance is not simply an additional checkbox within the Security Profile. It is a separate program layer with its own eligibility standards, documentation, review, annual requirements, and continuing obligations.
What Happens After the Application Is Submitted?
Once the Company Officer submits the completed application and Security Profile, CBP reviews the information. CBP states that the program may take up to 90 days to certify the company or reject the application.
If the company is certified, it is assigned a CTPAT Supply Chain Security Specialist who reviews the submission and provides program guidance.
CBP states that a certified company will generally be validated within one year of certification. During validation, CBP compares the company’s written Security Profile with actual operations.
The company should be prepared to demonstrate that its procedures, records, training, facilities, access controls, cargo controls, cybersecurity practices, and business partner management match what was submitted through the portal.
Certification Is Not the Final Step
CTPAT requires continuing maintenance. The Security Profile must be reviewed and updated at least annually, and the portal should be updated when material changes occur.
Material changes may include:
- New facilities or closed locations
- New supply chains, routes, products, or transportation modes
- Changes in executive or program responsibility
- New critical business partners
- Changes in warehouse or access procedures
- New cybersecurity systems or significant incidents
- Security breaches, theft, seal discrepancies, or cargo anomalies
- Corrective actions and new control measures
- Changes to company contacts, identifiers, or legal structure
The portal should reflect the company’s current operation, not the operation that existed when the original application was filed.
Common CTPAT Application Mistakes
Many weak applications fail for operational reasons rather than because the applicant lacks security controls.
- Selecting the wrong business entity type
- Starting the application before the Minimum Security Criteria are implemented
- Submitting generic narrative responses
- Uploading policies without evidence of implementation
- Failing to identify an owner, frequency, record, or escalation process
- Using outdated procedures, photographs, or training records
- Uploading files without associating them to the correct criterion
- Describing controls that employees do not consistently follow
- Failing to update contacts or portal access after personnel changes
- Treating certification as the final objective rather than an operating system
CTPAT as a Business Framework
The greatest value of CTPAT is not found in the certificate itself. It is found in the discipline required to obtain and maintain it.
A mature CTPAT program gives management a clearer view of the supply chain, establishes ownership, formalizes partner expectations, strengthens cargo security, improves incident readiness, and creates evidence before a customs question, security incident, or validation occurs.
In the current enforcement environment, that preparation has consequences beyond security. It supports importer accountability, customs broker oversight, customs readiness, business continuity, customer confidence, and a more reliable cross-border operation.
TradeFlex Perspective
At TradeFlex, we are strengthening our own CTPAT framework through documented procedures, defined ownership, risk assessments, business partner controls, training, internal review, management participation, and verifiable evidence.
The objective is not simply to prepare an application. The objective is to build a program that accurately represents the operation and can be sustained after certification.
A policy describes what a company intends to do. Evidence demonstrates what the company actually does.
Under a more demanding customs enforcement environment, that difference matters.
Frequently Asked Questions
Is CTPAT mandatory?
CTPAT remains a voluntary CBP partnership, and CBP does not charge a government application or membership fee. Executive Order 14411, however, directs CBP to implement additional requirements affecting foreign Importers of Record, including CTPAT validation when eligible or the use of a CTPAT-validated licensed customs broker for formal entries. The detailed operating requirements will depend on CBP’s implementing regulations, policies, and guidance.
Where do companies apply?
Applications are completed through CTPAT Portal 3.0 using Login.gov credentials. Use the official CTPAT Portal 3.0 access page.
What is the difference between certification and validation?
Certification means CBP has accepted the written application and Security Profile. Validation is the later verification process used to confirm that the security measures described in the profile are implemented in practice.
What is the difference between CTPAT Security and CTPAT Trade Compliance?
CTPAT Security focuses on international supply chain security. CTPAT Trade Compliance is an additional program for qualifying importers with established CTPAT Security status and a demonstrated customs compliance management system.
Should every company document be uploaded?
No. Companies should upload relevant, current, and controlled evidence that supports their responses. Each file should be associated with the applicable Security Profile criterion.
Can one company apply under more than one business type?
Potentially. A company may qualify under more than one category when its actual operations meet the applicable eligibility requirements. The company should evaluate whether to expand an existing Security Model or use another account structure, and should coordinate with CBP when the correct structure is unclear.
Conclusion
In global trade, trust is no longer assumed. It must be documented.
CTPAT helps companies build that trust through stronger supply chain security, clear internal ownership, documented procedures, partner screening, training, risk assessment, evidence, and continuous improvement.
For importers, manufacturers, brokers, carriers, warehouses, and logistics providers, now is the time to review readiness.
The companies that prepare now will be better positioned to operate with confidence, resilience, and speed.
CTPAT helps transform compliance into clarity, security into trust, and preparation into performance.
Official Sources and Further Reading
- Executive Order 14411 — Strengthening Customs Enforcement, Federal Register
- CBP — Customs Trade Partnership Against Terrorism
- CBP — CTPAT Portal
- CTPAT Portal 3.0
- CBP — Applying for CTPAT
- CBP — CTPAT Minimum Security Criteria
- CBP — CTPAT Trade Compliance
- CBP — CTPAT Portal Manual
Informational notice: This article provides general information and does not constitute legal advice. Companies should monitor CBP publications for regulations, guidance, portal changes, and implementation measures issued under Executive Order 14411.


