Security Regulations: Chaos in a Three-Ring Binder

Longtime CSO Bob Hayes has documented the reams of regulatory red tape growing in the shadows of 9/11. Is security soon to become a highly regulated activity?

Hayes snaps the document back into the binder and starts turning more pages, from one law or regulatory body to the next. It's not just the dreaded R wordregulationsthat he's talking about, although there are plenty of those on the state, national and international level. Take the section on the U.S. Customs Service, for instance. Customs, which touches every company that imports or exports supplies or goods to or from the United States, used to be primarily concerned with keeping drugs, illegal aliens and counterfeit products out of the country. But since 9/11, the Customs Service has changed more than its name (it's now called Customs and Border Protection) and its position within the U.S. bureaucracy (it's now part of the Department of Homeland Security).

The government's cry for homeland defense has given Customs vastly expanded powers, the most controversial of which is the authority to declare what's known as the 24-hour manifest rule. Before, a ship crossing the Atlantic was required to submit a list of its cargo before entering a U.S. port. As of last December, carriers headed for the United States must submit a list of cargo 24 hours before it's loaded on board. "Compliance with the 24-hour rule is a matter of National Security," warns a stern statement at the Customs website, threatening to fine offenders and keep them from loading their vessels. But complying with this rule is no small task for a carrier's customers, who may not know until the last minute exactly what they need to ship.

If that's the stick, then this is the carrot: Customs Trade Partnership Against Terrorism, or C-TPAT. This voluntary program uses the same concept as the "trusted traveler" program for airlines. Carriers who choose to participate go through a security "validation" (Customs is careful not to use the word audit) to prove they have covered every aspect of supply chain security, from sealing containers to installing adequate lighting at loading docks to giving employees incentives for paying attention to security. Companies that obtain the validation move through Customs more quickly, leaving agents free to focus on vessels that are more likely to pose security risks.

Hayes says that the security director of the company on whose leafy grounds we're meeting has gone through the C-TPAT validation process. (As a condition of the interview, he asked me not to name the company because he's there as a consultant, not an employee, and because, I sense, he wants to make it clear that this is his project, not theirs.) "It took him about six months," Hayes says. "It was a major effortand it's one of hundreds [of such efforts]."Somebody Said to Do SomethingOutside in the company parking lot, windblown trees shake a fine yellow dusting of pollen over asphalt and cars. A few stragglers return from lunch, and the April afternoon clouds are too threatening to tempt anyone to sneak out for an early tee time. Inside, Hayes is just getting warmed up. He takes a drink of water and opens a binder with a whole other set of guidelines, these with a much murkier reach: presidential directives and executive orders, which the president uses to manage the executive branch, government agencies and, by extension, any company with government contracts.