On January 22, 2026, Verisk CargoNet reported that US and Canadian cargo theft losses surged to roughly $725 million in 2025, a 60 percent jump from 2024. Average loss per theft hit $273,990. Organized crime groups did not break the supply chain by hacking it. They walked through the side door that a missing CTPAT 5 step risk assessment leaves open.
That same year, US Customs and Border Protection detained 6,636 shipments under the Uyghur Forced Labor Prevention Act in the first half of 2025 alone, surpassing the 4,619 detentions across all of FY2024. The UFLPA Entity List grew to 144 entities, up from 66 a year earlier. Importers without a current CTPAT 5 step risk assessment are now the ones absorbing the demurrage.
The CTPAT 5 step risk assessment is how a US importer, broker, or carrier inside CBP’s Customs Trade Partnership Against Terrorism program decides where the international supply chain is exposed and what to do about it. CBP built the five-step process to give 11,400-plus certified partners a shared method for evaluating threat, vulnerability, and mitigation across every link in the cargo flow.
This guide rebuilds the CTPAT 5 step risk assessment for a 2026 supply chain security director, customs compliance lead, or VP of trade at a US importer, foreign manufacturer, or licensed customs broker. The CBP 5-Step Risk Assessment Process Guide is the canonical reference; this article translates it into a working playbook against the 2025-2026 threat landscape.
Anchor standards include the CTPAT Minimum Security Criteria, the WCO SAFE Framework of Standards, ISO 28000:2022, NIST Cybersecurity Framework 2.0, and the CTPAT Trade Compliance forced labor requirements updated by CBP in November 2025.
Map every CTPAT 5 step risk assessment finding back to one or more of these standards, and tie the action plan into the broader supply chain risk management program.
A working CTPAT 5 step risk assessment program reads against all of them. Critical findings flow into a supply chain risk register the security council reviews quarterly alongside the broader supply chain risk management plan.
Cadence matters as much as content. Programs that refresh quarterly catch the drift that annual reviews miss.
What the CTPAT 5 Step Risk Assessment Actually Means in 2026
What counts as a defensible CTPAT 5 step risk assessment shifted twice in the last 12 months. CBP’s November 2025 forced labor FAQ folded UFLPA evidence requirements into the existing 12 Minimum Security Criteria, and the WCO SAFE Framework 2024 update tightened mutual recognition arrangements with EU, Canada, and Asia-Pacific Authorized Economic Operator programs.
The practitioner definition: a CTPAT 5 step risk assessment is the structured method CBP requires for ranking how badly an international supply chain link could be compromised by terrorism, contraband smuggling, human smuggling, cargo theft, or forced labor, then deciding what mitigation to fund. URS, validation visits, security profile updates, and partner audits all scale to that ranking.
The five steps are not optional checkboxes. They are the structure CBP’s Supply Chain Security Specialists use during the four-year revalidation cycle.
A weak CTPAT 5 step risk assessment is the single most common reason for suspension or removal from the program. The chart below is the workflow CBP expects every member to walk through, in order, every year.

Figure 1. The CTPAT 5 step risk assessment is a sequenced workflow, not a checklist.
Why the CTPAT 5 Step Risk Assessment Conversation Changed in 2025
Three forces converged. Cargo theft moved from a regional nuisance to a $725 million national problem, forced labor enforcement under UFLPA escalated past 6,600 H1 2025 detentions, and the BSI 2025 Supply Chain Risks and Opportunities Report flagged digital supply-chain attacks as the fastest-growing threat vector.
Each one feeds back into a CTPAT 5 step risk assessment that used to focus mainly on physical and procedural security.
For a US trade compliance lead, the practical implication is direct: stop treating the CTPAT 5 step risk assessment as a once-a-year compliance binder.
Start treating it as a working file the team updates against the November 2025 CBP forced labor guidance, the 2024-2025 cargo theft data, and the cybersecurity expectations written into the revised MSC.
Inspectors will accept a leaner package, but only if the assessment behind it is defensible. The CBP 5-Step Process Guide gives explicit cover for scaling rigor down on low-risk lanes and up on high-risk Mexico, China, or Vietnam routes.
The CTPAT mutual recognition arrangements reward members whose CTPAT 5 step risk assessment can stand up against a foreign AEO audit too.
The Regulatory Stack Behind Every CTPAT 5 Step Risk Assessment
The CTPAT 5 step risk assessment is not one rule. It is a stack of overlapping CBP, DHS, ISO, WCO, and NIST requirements a US importer must satisfy at once. The 2024-2026 guidance wave did not remove any; it tightened how they connect. The table below is the must-cover list for any new assessment file or refresh.
| Standard | What it requires from the CTPAT 5 step risk assessment | US trigger |
|---|---|---|
| CBP CTPAT Minimum Security Criteria (2020 revision, current 2026) | Documented written CTPAT 5 step risk assessment as MSC category 2; coverage of all 12 MSC categories; Business Partner section requires risk-based screening of foreign manufacturers, carriers, and consolidators. | Required for any CTPAT-certified US importer, broker, carrier, or consolidator. |
| CTPAT Trade Compliance forced labor program (Nov 2025 FAQ) | Risk-based mapping of supply chain partners for UFLPA exposure; documented social compliance program; evidence the company can hand to CBP within five business days of a request. | Members must implement by 2026; non-members face higher detention risk under UFLPA. |
| WCO SAFE Framework of Standards (2024 update) | AEO-equivalent risk methodology; mutual recognition with EU, Canada, Mexico, Japan, Korea, Singapore, Israel, Jordan; common vocabulary for threat and vulnerability scoring. | Any US exporter shipping to mutual-recognition AEO countries. |
| ISO 28000:2022 Supply Chain Security Management | Risk-based security management system, plan-do-check-act cadence, top-management commitment, and integration with ISO 9001/14001/27001. | Voluntary but increasingly required by Tier 1 retail and aerospace customers. |
| NIST Cybersecurity Framework 2.0 (Feb 2024) | Six-function model (Govern, Identify, Protect, Detect, Respond, Recover); satisfies the CTPAT cybersecurity MSC; ties CTPAT 5 step risk assessment to broader IT risk programs. | Federal contractors and supply-chain critical infrastructure operators. |
| DHS UFLPA Strategy (2025 update) | 144 entities on the Entity List; five new high-priority sectors (caustic soda, copper, jujubes, lithium, steel) plus existing nine; rebuttable presumption against goods from XUAR. | Any US importer of goods touching XUAR-linked supply chains. |
| GAO CTPAT recommendations (multiple, 2008-2024) | Independent oversight findings on CTPAT validation effectiveness; SCSS workload pressures; the closed-loop expectation that risk assessments drive validation focus. | Cited by CBP when defending program rigor; useful as a benchmark for internal audit. |
The Five Actual Steps in the CTPAT 5 Step Risk Assessment
Across the CBP 5-Step Process Guide, the WCO SAFE Framework, and ISO 28000, the workflow is now consistent: map, threaten, score, fix, document. Labels vary; logic does not.
The five-step pattern below is what a US security director should be able to walk an SCSS auditor through in 15 minutes for any international lane in production. Anything more ornate is overhead, not assurance.
| Step | What you do in the CTPAT 5 step risk assessment | Output an SCSS auditor expects |
|---|---|---|
| 1. Map cargo flow | Document every node from foreign origin to US consignee. Capture mode (truck, ocean, air, rail, multimodal), business partners, transshipment points, and stuffing locations. Use a flowchart, not a paragraph. | Cargo flow diagram and business partner list, dated and signed by the CTPAT point of contact. |
| 2. Threat assessment | Score country, route, and commodity-level threats: terrorism, contraband, human smuggling, organized crime, civil unrest, and forced labor. Cite OSAC, CargoNet, BSI, and CBP advisories. Use a 1-3 scale matched to the MSC ratings. | Threat matrix with country/route scores and named source citations. |
| 3. Vulnerability assessment | Score each partner and each link against the 12 MSC categories. Mark gaps as High (does not meet Musts), Medium (meets Musts not Shoulds), or Low (meets/exceeds). Tie scoring to the most recent partner Security Profile. | Partner-level vulnerability matrix with documented scoring rationale. |
| 4. Action plan | For every High or Medium finding, write a mitigation task with named owner, deadline, evidence requirement, and verification method. Tie tasks to MSC categories and to the partner’s Security Profile. | Corrective action plan with status, owners, due dates, and closure evidence. |
| 5. Document the process | Capture the entire CTPAT 5 step risk assessment as a written SOP. Include the methodology, scoring rules, evidence file, refresh cadence, and review approvals. Annual refresh is the floor; quarterly is the practitioner standard. | Written CTPAT 5 step risk assessment SOP and annual review log signed by senior management. |
Step 1 of the CTPAT 5 Step Risk Assessment: Map the Cargo Flow
A US importer cannot score what it cannot see. Step 1 forces the CTPAT 5 step risk assessment to start with a flowchart, not a narrative.
Capture every business partner from the foreign shipper to the US consignee: factory, freight forwarder, ocean or motor carrier, customs broker, deconsolidator, warehouse, and final mile. Note the country, port, and mode at every node.
The CBP CTPAT Five Step Risk Assessment Process PDF calls this “mapping cargo flow.” In practice, it doubles as a supply chain risk identification exercise that surfaces which partners the company has never validated. A worked risk assessment flowchart speeds Step 1 and makes the next four steps repeatable.
Step 2 of the CTPAT 5 Step Risk Assessment: Threat Assessment
Step 2 scores threats at the country, route, and commodity level. The BSI Supply Chain Risk Insights platform, OSAC country reports, and CargoNet quarterly bulletins are the canonical inputs.
Score each lane on terrorism, contraband, human smuggling, cargo theft, forced labor, and civil unrest. The CTPAT 5 step risk assessment uses a 1 (Low), 2 (Medium), 3 (High) scale that mirrors the MSC ratings.
In 2025 the high-threat list shifted. Mexico continued to lead North American cargo theft frequency, California recorded 1,218 incidents (the highest US state total), and historically lower-risk Kern County, California saw an 82 percent jump in events.
Any CTPAT 5 step risk assessment that still scores California a Medium without naming county-level data is using stale inputs.

Figure 2. Cargo theft is now a $725M problem; the CTPAT 5 step risk assessment Step 2 must reflect that.
Step 3 of the CTPAT 5 Step Risk Assessment: Vulnerability Assessment
Step 3 turns the threat scores into partner-level scores against the 12 Minimum Security Criteria. For each business partner identified in Step 1, the CTPAT 5 step risk assessment compares observed practice to the MSC “Musts” and “Shoulds.”
Gaps land in one of three buckets: High (does not meet all Musts), Medium (meets Musts but not all Shoulds), or Low (meets or exceeds).
This is also where third-party risk lives. Foreign manufacturers in Mexico, Vietnam, and China carry the deepest vulnerability footprint for most US importers, and the November 2025 forced labor FAQ added UFLPA exposure to the Step 3 scoring.
The enterprise supplier risk management program framework gives the documentation backbone.

Figure 3. The 12 MSC categories are the spine of every CTPAT 5 step risk assessment vulnerability score.
Step 4 of the CTPAT 5 Step Risk Assessment: Action Plan
Step 4 closes the gaps. For every High or Medium finding from Step 3, the CTPAT 5 step risk assessment writes a mitigation task with a named owner, deadline, evidence requirement, and verification method.
Tasks tie back to MSC categories and the partner Security Profile. CBP’s expectation is closed-loop: action plans drive Profile updates, which drive next year’s risk assessment, which drives the next plan.
Step 4 most often fails on owners without authority. A mitigation task assigned to a contract manufacturer in Vietnam without a US-based escalation contact will sit open at the next revalidation.
The supply chain risk management incident response plan template ties Step 4 to a risk mitigation plan with documented escalation paths.
Step 5 of the CTPAT 5 Step Risk Assessment: Document the Process
Step 5 is the one most US programs underweight. CBP requires a written description of how the CTPAT 5 step risk assessment is conducted: methodology, scoring rules, evidence file, refresh cadence, review approvals, and version history.
Annual refresh is the floor. Practitioners refresh quarterly and after any material event: new supplier, new lane, new mode, mass theft incident, or regulatory change.
Document the rationale in the CTPAT 5 step risk assessment SOP, including the specific scoring boundaries, MSC interpretations, and any supply chain integrations with adjacent risk frameworks.
The step by step guide to risk assessment template walks through the documentation discipline that an SCSS audit will probe first.
The 2025 Threat Picture That Reset Every CTPAT 5 Step Risk Assessment
Cargo theft, forced labor, and cyber-physical convergence rewrote the inputs to every CTPAT 5 step risk assessment in 2025. CargoNet recorded 3,594 supply chain crime events across the US and Canada, with 2,646 confirmed cargo thefts (up 18 percent year over year).
Average loss per theft hit $273,990, a 36 percent jump that reflects organized crime targeting higher-value loads.
UFLPA enforcement amplified the pressure. CBP detained 6,636 shipments in H1 2025 alone, exceeding the 4,619 detained in all of FY2024.
The UFLPA Entity List grew to 144 entities and DHS designated five new high-priority sectors: caustic soda, copper, jujubes, lithium, and steel. Any CTPAT 5 step risk assessment without UFLPA exposure scoring is now incomplete.

Figure 4. UFLPA enforcement now drives Step 3 vulnerability scoring as much as MSC physical security does.
Targeted commodity patterns shifted as well. Food and beverage thefts jumped 47 percent (708 incidents), metal theft (driven by copper) rose 77 percent, and electronics-and-computer-component theft rose 38 percent.
A US importer in any of those segments needs a supply chain key risk indicators dashboard tied to the CTPAT 5 step risk assessment, not a static annual file.

Figure 5. The 2025 cargo theft mix should reshape every CTPAT 5 step risk assessment Step 2 threat score.
How the CTPAT 5 Step Risk Assessment Connects to the 12 MSC Categories
Step 3 vulnerability scoring runs against all 12 Minimum Security Criteria. The CTPAT 5 step risk assessment is itself MSC category 2; the other 11 are what Step 3 scores against and what Step 4 fixes.
A defensible program threads the assessment through every category, not as a standalone deliverable. The list below is the full stack with the practitioner read on where Step 3 most often finds gaps.
| MSC Category | What the CTPAT 5 step risk assessment scores | Where Step 3 most often finds gaps |
|---|---|---|
| 1. Corporate Security & Statement of Support | Senior management accountability, risk culture, dedicated CTPAT point of contact, signed corporate commitment. | Companies that delegate CTPAT to a single coordinator with no executive sponsor. |
| 2. Risk Assessment (the 5 Step process) | Mapping, threat, vulnerability, action plan, documentation; annual refresh and event-driven updates. | Programs that ran a one-time exercise and treat the SOP as evergreen. |
| 3. Business Partner Security | Risk-based screening, written security questionnaires, MSC compliance evidence, sanctions screening, UFLPA mapping. | Tier 2 and Tier 3 suppliers with no documented security verification. |
| 4. Cybersecurity | Network segmentation, multi-factor authentication, vendor patching cadence, incident response, alignment to NIST CSF 2.0. | OT/ICS systems at the warehouse and yard that no IT team owns. |
| 5. Conveyance & IIT Security | Truck, container, rail-car, and air ULD inspections; GPS tracking; route deviation alerts; bonded carrier verification. | Drayage moves where the carrier subcontracts without notifying the importer. |
| 6. Seal Security | ISO 17712 high-security bolt seals, seal inventory control, broken-seal procedures, photographic evidence at stuffing. | Origins where seal control sits with the freight forwarder and not the manufacturer. |
| 7. Procedural Security | Documented procedures for receiving, manifesting, sealing, releasing, anomalous-event reporting, and PAPS/ACE submissions. | Older import lanes that still rely on paper-based EDI or fax handoffs. |
| 8. Agricultural Security | Pest contamination prevention at stuffing, cleaning protocols, pallet and dunnage controls, USDA APHIS alignment. | Bulk and break-bulk lanes from Asia and South America. |
| 9. Physical Security | Perimeter fencing, lighting, CCTV with retention, alarm monitoring, gatehouse procedures. | Foreign manufacturer sites where physical security audits have not happened in 24 months. |
| 10. Physical Access Controls | Visitor management, contractor controls, employee identification, badging, key/lock controls. | Sites that rely on shared badges or unenforced sign-in books. |
| 11. Personnel Security | Pre-employment background checks consistent with local law, periodic re-screening, terminated-employee credential revocation. | Temporary or contracted labor pools that move between sites without re-screening. |
| 12. Education, Training & Awareness | Annual security training, role-specific modules for drivers and warehouse staff, anomaly-reporting drills, training records. | Drivers and stuffers who never receive role-specific seal-and-tamper training. |
Where CTPAT 5 Step Risk Assessment Programs Stall, and How to Unstick Them
Procedural drift, not technical depth, is what most often kills a CTPAT 5 step risk assessment at revalidation. The pitfalls below repeat across CBP suspension cases, GAO program reviews, and the Verisk-CargoNet 2024-2025 incident reports.
Every one is preventable with a written SOP, defined cadence, and senior-management ownership. None of them require additional headcount.
| Pitfall | Root cause | Remedy |
|---|---|---|
| Treating the CTPAT 5 step risk assessment as an annual binder | No event-driven trigger; coordinator runs it once and shelves it. | Build a quarterly refresh cadence; add new-supplier, new-lane, and major-incident triggers to the SOP. |
| Threat scoring stuck in 2022 | OSAC and CargoNet inputs not refreshed; California still scored Medium. | Subscribe to CargoNet, BSI Connect, and OSAC; require Step 2 inputs dated within 90 days. |
| Tier 2 and Tier 3 suppliers invisible | Step 1 cargo-flow map only goes to Tier 1. | Extend the Step 1 map to every node that touches GxP, regulated, or high-value cargo; require Tier 2 questionnaires. |
| Action plan owners without authority | Tasks assigned to foreign factory contacts with no escalation path. | Pair each foreign owner with a US-based escalation contact and document the pair in the action plan. |
| UFLPA exposure absent from Step 3 | Forced labor scored only as a separate compliance check, not in the CTPAT 5 step risk assessment. | Add UFLPA Entity List, XUAR sourcing, and high-priority sector exposure as explicit Step 3 sub-scores. |
| Cybersecurity scored at the IT level only | OT and yard systems excluded from the assessment. | Map every OT/ICS system in the cargo flow; align Step 3 cyber scoring to NIST CSF 2.0 functions. |
| No written CTPAT 5 step risk assessment SOP | Step 5 skipped; the assessment lives in a coordinator’s head. | Write the SOP; have senior management sign it; store it in the same evidence repository as the security profile. |
| Action plans closed without verification | Closure relies on partner attestation, not on independent evidence. | Require photo, audit, or document evidence at closure; sample 10 percent of closures during the annual review. |
Frequently Asked Questions About the CTPAT 5 Step Risk Assessment
How often should a US importer conduct a CTPAT 5 step risk assessment?
CBP requires the CTPAT 5 step risk assessment annually at minimum, plus an event-driven refresh after any material change: new business partner, new lane, new mode, major incident, or regulatory shift. Practitioners run a quarterly refresh on Steps 2 and 3, with full re-runs of all five steps at least once per year. Quarterly cadence catches threat-score drift that annual cycles miss and makes revalidation faster.
Is the CTPAT 5 step risk assessment legally required for US importers?
CTPAT itself is a voluntary CBP program, so the CTPAT 5 step risk assessment is not legally mandated for all importers. It is mandatory for any company that joins or wants to maintain CTPAT certification. Members keep the trade-facilitation benefits (fewer exams, FAST lanes, expedited clearance, UFLPA detention prioritization) only while the assessment is current and the action plan is closing.
Can a US importer outsource the CTPAT 5 step risk assessment to a consultant?
Yes, a US importer can outsource execution of the CTPAT 5 step risk assessment to a CTPAT-experienced consultant. CBP allows external support, but the importer remains accountable: the SOP must be signed by a company officer, the action plan owners must be company employees with authority to act, and the SCSS auditor will interview internal staff during the validation visit, not the consultant.
What is the difference between the CTPAT 5 step risk assessment and a security profile?
The CTPAT 5 step risk assessment is the methodology that produces the partner-level vulnerability scores and action plans. The Security Profile is the document, submitted through the CTPAT Portal, that describes how a company meets every Minimum Security Criterion. The 5 step risk assessment feeds the Security Profile: scores in the assessment justify the controls described in the profile, and CBP cross-checks them during validation.
How does UFLPA enforcement change the CTPAT 5 step risk assessment in 2026?
UFLPA enforcement now lives inside Step 3 of the CTPAT 5 step risk assessment, not next to it. The November 2025 CTPAT Trade Compliance forced labor FAQ requires risk-based mapping of all supply chain partners for forced labor exposure. Every partner gets scored against the 144-entity UFLPA Entity List, the five new high-priority sectors, and XUAR sourcing patterns. Members get advance notice of detentions and prioritized review.
What are the consequences of skipping or failing a CTPAT 5 step risk assessment?
CBP can suspend, postpone validation, or remove a partner from CTPAT entirely if the CTPAT 5 step risk assessment is missing, stale, or fails validation. Removed members lose FAST lane access, expedited clearance, and UFLPA prioritization. Cargo theft exposure, demurrage, and detention costs rise. Average cargo theft loss now sits at $273,990 per incident, far above the cost of a defensible 5 step risk assessment.
Where the CTPAT 5 Step Risk Assessment Is Heading Through 2027
Three shifts will rewrite the CTPAT 5 step risk assessment playbook between now and 2027. First, UFLPA scope continues to expand: the DHS strategy update is on a 12-month refresh cycle, and the Entity List has more than doubled in the past 18 months.
Importers should plan for a 2027 list north of 200 entities and additional high-priority sectors beyond the current five.
Second, cyber-physical convergence will pull the cybersecurity MSC into the same scoring weight as physical security.
Yard management systems, GPS units, telematics, and OT controls at warehouses and ports are now part of the cargo flow Step 1 must map. NIST CSF 2.0 alignment will become the practical baseline. The cybersecurity risk management framework is the most direct bridge.
Third, mutual recognition will consolidate. The WCO SAFE Framework 2024 update and ongoing CBP arrangements with EU, Canada, Mexico, Japan, Korea, Singapore, Israel, and Jordan will turn the CTPAT 5 step risk assessment into a passport, sitting alongside a resilient supply chain build-out the buyer-side compliance team can verify.
The discipline through 2027 is the same. Stop treating the CTPAT 5 step risk assessment as a CBP compliance artifact.
Treat it as the operating layer for the entire international supply chain risk program, with quarterly refresh, written SOP, and senior-management accountability. The cost of a defensible assessment is a fraction of a single cargo theft event or UFLPA detention episode.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
