An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  1. Home
  2. Trade
  3. Cybersecurity Resiliency

Cybersecurity Resiliency

Global supply chains are increasingly interconnected, technology-enabled, and efficient, allowing businesses and consumers to access an unprecedented amount of goods quickly. These supply chains rely on technology to facilitate the movement of cargo and transmit data to U.S. Customs and Border Protection (CBP) for cargo clearance.

Several high-profile cyberattacks against trade entities demonstrate that supply chains can be disrupted, which may impact not only the economy, but also the efficient flow of critical products to consumers across the country. As supply-chain disrupting cyberattacks expand in complexity and frequency, CBP is committed to working with the trade community to enhance efforts to prevent and mitigate the impacts of future disruptions.

This page is a resource to help the trade community better prepare for potential cyberattacks.


What to do if You’re Experiencing a Cyberattack

If you suspect that your systems have been targeted by a cyberattack, please follow the steps below:

Impacted trade stakeholders should notify the SOC regardless of their trade role.

Note however that pursuant to 19 CFR 111.21(b), customs brokers must provide notification to SOC of any known breach of electronic or physical records relating to the broker's customs business. Notification must be electronically provided ( within 72 hours of the discovery of the breach, including any known compromised importer identification numbers.

Upon notifying the SOC, be prepared to share key details about the nature of the cyberattack, including but not limited to:

  • Time of incident
  • Cause of incident (if known)
  • Impact of incident
  • Affected parties
  • Exposed Personally Identifiable Information (if any)
  • Any known indicators of compromise
  • Location of infected site
  • Incident Type (Viruses, Malware, Ransomware, Spyware, etc.)
  • Containment status/information
  • Information on any connection to CBP’s automated systems:
    • Automated Broker Interface, Automated Manifest Systems, Automated Export Systems, and/or CBP portal.
    • Identify any electronic data interchange (EDI) connection and whether it is a direct connection or via a service bureau.
    • Related businesses with a CBP nexus that may or may not be impacted by this incident.
    • The company or filer’s identifier, such as Filer Code, SCAC, AES Filer, portal user, etc.
  • Cybersecurity POC - include name & title of contact with email address and phone number.

Establish communications with CBP Headquarters representatives in the Office of Trade (OT) and Office of Field Operations (OFO) by emailing If a member of CTPAT, also notify your designated Supply Chain Security Specialist. CBP Headquarters representatives will schedule a regular cadence of meetings with you to assess and continuously monitor cargo and systems impacts.

Establish and maintain early and regular communications with affected Ports of Entry, Centers of Excellence, and local PGA representatives in the event that your cargo is impacted.

Impacted trade stakeholders are encouraged to notify their clients, software providers, and/or other stakeholders whose cargo or systems may also be affected by the cyberattack to mitigate supply chain disruptions.

How to Identify a Cyberattack with Indicators of Compromise

An Indicator of Compromise (IOC) is forensic evidence on a computer or network that indicates the security of the network has been breached. IOCs act as flags that cybersecurity network administrators use to detect unusual activity that usually suggests an attack is in progress. IOCs also provide insight into actors’ intent and can provide early warning signs of possible future attacks.

  • Unusual inbound or outbound network traffic

    If inbound or outbound network traffic patterns are unusual, this can be indicative of a potential attack.

  • Anomalies in privileged user account activity

    If user account anomalies are identified, this could indicate that a user is trying to escalate the privileges of a particular account.

  • Geographical irregularities

    If network activity occurs outside of your company’s geographic location(s), this can be evidence of a cyber threat actor in another country trying to penetrate the system.

  • Increase in database read volume

    If an attacker tries to extract your data, their efforts may result in a swell in read volume.

For more information on Indicators of Compromise, please see the IOC Reporting Guidance document.

What to do if Your Cargo is Impacted by a Cyberattack

Downtime and enforcement discretion may be authorized by CBP Headquarters on a case-by-case basis.

Downtime refers to alternative cargo release processes which are authorized based on a determination by CBP OFO. Downtime may be authorized by CBP OFO when a cybersecurity incident prevents a broker from electronically filing in the Automated Commercial Environment (ACE) the entry documentation and information required by 19 C.F.R 142.3 to secure cargo release from customs custody on behalf of the broker’s clients.

Enforcement discretion refers to a determination made by OT and OFO that CBP will not issue or enforce certain liquidated damages claims. Enforcement discretion may be authorized by CBP when a cyberattack prevents a broker from filing the entry summary documentation and information, completing the deposit of estimated duties, taxes, and fees, and/or completing timely other post-release transactions on behalf of the broker’s clients.

See Broker Cybersecurity Incident Procedures for guidance on how to request and navigate Downtime and Enforcement Discretion as well as requirements for reporting entry transactions during and after the cyberattack.


Contact the SOC

Last Modified: Mar 29, 2024