CBP did not always protect MPC apps from cybersecurity threats. This occurred because app version updates were not always scanned for vulnerabilities and CBP did not always identify vulnerabilities detected in scans. CBP also did not complete seven required security and privacy compliance reviews of MPC apps because it did not establish a schedule for the reviews or track and centrally store review documentation. In addition, CBP did not obtain the information needed for the reviews, had competing priorities, and did not ensure app developers created a process for a required internal audit. Finally, CBP did not implement Department server configuration requirements for its MPC servers. We made eight recommendations that, when implemented, should improve the security of CBP’s MPC program. CBP concurred with all eight recommendations.