Part of Pillar C: Governance & Certification ← Return to Identify Hub

CSDD & Exclusion Assessment

UR E26 §5.1.1 & §6: The Cyber System Definition Document (CSDD) is the mandatory technical file submitted for Class approval. Section 6 provides the framework for a Risk-Based Exclusion, allowing systems to be removed from the scope of UR E26 if they do not impact the safety of life or the environment.

1. Assembling the CSDD

The CSDD is the “Master Blueprint” of your ship’s cyber resilience. It is not a single document, but a compilation of the data collected in the previous pillars. Your CSDD must include:

Network Topologies

Logical and physical diagrams showing all CBS and their connections.

Asset Inventory

The full HW/SW list including Category II and III classifications.

Data Flow & Protocols

Description of interdependencies and protocols used for communication.

2. Section 6: Risk-Based Exclusions

Not every system needs to meet full UR E26 requirements. You can legally “exclude” systems (e.g., Entertainment systems, Non-critical IT) by following this justification logic:

The Exclusion Test Questions:

  • Does the system have ANY physical connection to Category II or III systems?
  • If compromised, could it cause a loss of propulsion or steering?
  • Could it cause a discharge to the environment (e.g., Oily Water Separator)?
  • Does it provide data required by SOLAS or other regulations?

If the answer to all is “No,” you can document a Formal Exclusion Assessment to present to the Surveyor.

Documentation Ready?

Now that you have defined your system scope and exclusions, the final step is to organize this data into official submission templates.

Final Step: Get Templates →

Scroll to Top