Since the United States Customs and Border Protection's Trade Partnership Against Terrorism (CTPAT) added cybersecurity criteria to its “Minimum Security Criteria” (MSC) in 2021, there has been a lot of confusion. Although trade and transportation companies are very adept at physical security protocols, cybersecurity controls are a completely different domain.
With growing trade activity, cyber-attacks are also increasing. The DHS Intelligence and Analysis group is providing frequent warnings of cyber espionage and attacks that could negatively impact trade and transportation companies.
Although CTPAT provides each industry sub-sector with its own list of cybersecurity criteria, the lists are all very similar and are all derived from the NIST SP 800-53 “Security Controls” standard, which is used extensively in government supply chains.
When we map the MSC to the NIST controls, twenty-five (25) of the 110 controls in NIST SP 800-171 are required to meet the CTPAT MSC. If you want to see the NIST mapping, click here.
These 25 cybersecurity controls are among the most basic, essential controls. We expect that over time, CTPAT will add more controls to raise the cybersecurity maturity posture of the trade and transportation supply chain and to protect its sensitive information.
All trade and transportation companies should consult with a cybersecurity expert to assess their cybersecurity program so they can understand its current state and take next steps to improve their cybersecurity maturity posture.
About AXIOTROP, LLC:
AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.