Customs-Trade Partnership Against Terrorism (C-TPAT)

The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary supply-chain security program led by U.S. Customs and Border Protection (CBP) focused on improving the security of private companies' supply chains with respect to terrorism.

Who is C-TPAT for?

  • US importers of record
  • US/Canada and US/Mexico cross-border highway carriers
  • Mexico long-haul carriers
  • Rail, sea, and air carriers
  • US marine port authority and terminal operators
  • Consolidators (US air freight consolidators, ocean transportation intermediaries, and non-vessel operating common carriers)
  • Mexican and Canadian manufacturers
  • Certain invited foreign manufacturers
  • Licensed US customs brokers
  • Third-party logistics providers
  • Exporters
  • Brokers and agents
  • Agencies participating in the negotiation of business deals

About the C-TPAT Security Criteria

Importers must conduct a comprehensive assessment of their international supply chains based upon the following C-TPAT security criteria.

Where an importer outsources or contracts elements of their supply chain, such as a foreign facility, conveyance, domestic warehouse, or other elements, the importer must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain. The supply chain for C-TPAT purposes is defined from point of origin (manufacturer/supplier/vendor) through to point of distribution – and recognizes the diverse business models C-TPAT members employ.

C-TPAT recognizes the complexity of international supply chains and endorses the application and implementation of security measures based on risk analysis. Therefore, the program allows for flexibility and the customization of security plans based on the member’s business model.

Appropriate security measures, as listed throughout this document, must be implemented and maintained throughout the importer’s supply chains - based on risk.

This Statement details how specific features in your MRI OnLocation can assist you to align with the C-TPAT Security Criteria. We illustrate this in Table 1 below.


C-TPAT Criteria

How OnLocation Supports the Criteria

Physical Access Controls

Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets.

OnLocation provides a wide range of tools to support the management of authorized entry to facilities:

  1. Your facility’s gatekeepers (security, concierge, and receptionists) have full visibility of all authorized people (visitors, vendors, suppliers, and employees). They can sign them in, capturing proof of identification and other facility-centric information from them, creating an audit trail of all entries.
  2. With the location settings, administrators can define occupancy hours and set up alerts for entry outside of specific times.
  3. Users can set up Watchlists or send entry data to external Watchlists. When a match is found you can have the system automatically create warnings for any team member to act upon.
  4. Administrators can set rules in your OnLocation account which requires employees to pre-register visitors. Any person looking to sign-in to a facility without having being pre-authorized through the pre-registration process is denied access.
  5. Use the Host notification setting to share the visitor's name, organization, phone, email, photo with their employee host upon sign-in.
  6. Administrators can also set rules that require the host to authorize the visitor before entry is approved. We refer to this as Host Authorization.


Access controls must include the positive identification of all employees, visitors, and vendors at all entry points.

Security guards, concierge, and/or receptionists can capture personally identifiable information from any person as a condition of entry. This can include:

  • Name
  • Organization
  • Phone
  • Mobile | Cell
  • Email
  • Photo
  • Identification Type
  • Identification reference
  • *coming in September 18, Scanned Drivers License
  • And more…

Vendors, suppliers, contractors, and other service providers can be pre-approved in your OnLocation account. On arrival, their entry can be denied if their certifications, approvals, and qualifications have expired.

Physical Access Controls | Employees

An employee identification system must be in place for positive identification and access control purposes.

Whilst your OnLocation account stores a current list of approved employees that can be maintained manually by administrators, you can also use our SyncPortal to maintain your employee list with your  Active Directory (Active Directory Federation Services (AD FS).

All of the above results in a ‘current’ list of employees, and their profile info (name, department, title, photo, email, phone) being ‘read only’ visible to security, concierge, and reception operators when the respective employee requests entry to a facility.


Employees should only be given access to those secure areas needed for the performance of their duties.

OnLocation can integrate with your access control system. In addition, you can set up zones with a facility and then deploy Inter-Zone kiosks which require employees (as well as vendors and visitors) to sign in to when entering specific zones and areas in your facilities. Their presence is registered and triggers (alerts) can be set up for entry events that meet specific conditions.


Company management or security personnel must adequately control the issuance and removal of employee, visitor, and vendor identification badges.

OnLocation supports a facility’s policies concerning the issuance of visitor, vendor, and employee badges including alerts for those people still on-site or who have not signed out.


Procedures for the issuance, removal and changing of access devices (e.g. keys, key cards, etc.) must be documented.

OnLocation’s Asset Management feature supports the recording of who was assigned what asset, be that a key or a card, and when it was returned.

Physical Access Controls | Visitors

Visitors must present photo identification for documentation purposes upon arrival.


When the visitor presents their photo ID, security guards, concierge, and reception teams can capture the relevant identification info required for entry. From late September 2018 facilities will be able to ‘scan’ the drivers license, adding a new layer of identity verification to the service to support C-TPAT.


All visitors should be escorted and visibly display temporary identification.

OnLocation supports the issuance of visitor, employee, and vendor badges.

Badges can include:

  • Name
  • Organization
  • Date and time of visit
  • Photo
  • Type of Visitor
  • Host name
  • Barcode
  • QR Code
  • And more….

OnLocation supports visitor arrival notifications via email, SMS (and from September 1, 2018 ‘Push Notifications’ to our mobile app).

In addition, Administrators can force a rule in their OnLocation account that requires all employees receiving a visitor host notification to ‘authorize’ their visitor before they are issued with a Visitor Badge. We refer to this feature as Host Authorization.


The software if used correctly, i.e. requires a valid photo ID to be used to get visitor badge, and maintains historical record-keeping we can access; allows us to meet and document meeting that portion of C-TPAT requirements for Visitor Security

Records are retained of all entries and departures from facilities. Audit records are available indefinitely. Report users can report by date range, name, organization, frequency of visits, and more.

Physical Access Controls | Deliveries (including mail)

Proper vendor ID or photo identification must be presented for documentation purposes upon arrival by all vendors.

Vendor, or what we call ‘Contractor Management’, is a core feature of all OnLocation accounts and plans. Users can set up approved Vendor, supplier, contractor organizations and then set up those people that represent them. When setting up a vendor you can record the names of all approved personnel, including their contact details, qualifications, certifications, and photo.

 On arrival, security guards, concierge, and reception teams can demand proof of ID which is used to match against the approved record of the vendor.


Arriving packages and mail should be periodically screened before being disseminated.

Whilst OnLocation does not ‘screen’ deliveries the arrival and receipt of Deliveries can be managed by security guards, concierge, and reception teams. Deliveries reports are available from the reporting tool.

Physical Access Controls | Challenging and Removing Unauthorized Persons

Procedures must be in place to identify, challenge and address unauthorized/unidentified persons.

The watchlist feature within our Triggers Add-on allows you to automatically check visitors entered into the system against internally generated “lists" and alert nominated people of their presence.

The types of lists you can create are endless and are only as limited as your imagination. Some examples include banned employees, banned visitors, sex offender lists, terrorist screening lists, No-Fly lists (if you are an airport), VIP lists, Valued Customer Lists, etc. You can even download government watchlists if you can access the raw files and upload them as a watchlist list in your OnLocation account. Watchlist

Physical Security | Gates and Gate Houses

Gates through which vehicles or personnel enter or exit must be manned or monitored.

OnLocation supports multiple entry points and data sharing between security guards, concierge, and reception teams manning those entry points.

Information Technology Security | Password Protection

Automated systems must use individually assigned accounts that require a periodic password change. IT security policies, procedures, and standards must be in place and provided to employees through training.

OnLocation’s User Administration and User Access Policies support the requirements and compliance needs of publicly traded companies by ensuring robust password authentication and controlled system access to your OnLocation account. 

Further help

For further information and advice about this policy and any aspect of information security, contact OnLocation.