A new report from the Government Accountability Office raises concerns about U.S. Customs and Border Protection’s management of its Customs Trade Partnership Against Terrorism supply chain security program. The review found that while CTPAT participants have been involved in only a small fraction of overall cargo‑related security incidents, gaps in data collection, investigation practices, and statutory compliance undermine the program’s effectiveness.
The GAO found that between fiscal years 2020 and 2024 about four percent of CTPAT participants were involved in one or more security incidents in the cargo supply chain. Drug‑related incidents were the most common, accounting for 49 percent of cases involving participants. Air and sea carriers, while representing less than one percent of CTPAT’s membership, accounted for the largest share of incidents involving program participants.
However, the GAO found that CTPAT’s incident data are incomplete, inconsistent, and prone to duplication, largely due to manual data entry, missing information from field offices, and the exclusion of self‑reported incidents. In some cases, incident logs included misspelled port locations, incomplete commodity descriptions, or inconsistent categorizations, limiting CBP’s ability to identify trends or assess risk accurately.
Enforcement and investigative practices showed shortfalls as well, the report said. Although CTPAT guidance requires a post‑incident analysis for every participant involved in a security incident, CBP conducted only 35 such analyses during the five‑year period, or less than two percent of incidents involving CTPAT members. The GAO identified multiple cases in which CBP chose not to investigate or take enforcement action without documenting the rationale. In one example, a participant involved in a 2021 prescription drug seizure was not investigated and went on to be linked to dozens of additional incidents before being suspended two years later.
The report also found that (1) CBP’s enforcement data is unreliable, with incomplete entries, inconsistent location data, missing records, and as many as 18 percent of enforcement records appearing to be duplicates, and (2) while some participants involved in security incidents are suspended and removed from the program, CBP does not have clear, documented criteria to determine appropriate enforcement actions against such participants.
Beyond data and enforcement issues, the GAO said, CBP has not met several statutory requirements under the SAFE Port Act. Among other things, the agency has not conducted annual reviews of CTPAT minimum security criteria, lacks an annual workload resource plan for the program, and has not published a CTPAT‑specific five‑year strategic plan since 2004.
The GAO recommended a number of remedial steps, including developing controls to ensure complete incident data, updating investigation and enforcement guidance, fixing enforcement data integrity problems, creating a formal mechanism for annual reviews of minimum security criteria, establishing an annual workload plan, and producing a five‑year strategic plan.
Copyright © 2026 Sandler, Travis & Rosenberg, P.A.; WorldTrade Interactive, Inc. All rights reserved.