
Roles & Change Management

UR E26 Compliance Summary: To maintain the vessel’s resilience profile, owners must define key cybersecurity roles and implement a Management of Change (MoC) process (per §5.3.1). This ensures the asset inventory and Cyber Security Design Description (CSDD) remain accurate throughout the ship’s operational life.

1. Cybersecurity Roles

Compliance requires specific individuals to be tasked with maintaining the “Identify” database. Assign these duties within your Ship Cyber Security and Resilience Program (SCSRP).

| Role | Core Responsibility (Identify Phase) |
| --- | --- |
| Company Cyber Security Officer (CCSO) | Fleet-wide policy oversight; approval of technical MoC requests and vendor clearances. |
| Shipboard Cyber Lead (Master/ETO) | Verifying physical inventory; logging local software changes and patching activities. |
| Technical Superintendent | Ensuring OEMs/Vendors provide CSDD updates and “As-Fitted” drawings after repairs. |

Audit Alignment: The MoC Decision Matrix

Not every maintenance action requires a full MoC. Per UR E26 §5.3.1, you must distinguish between “Standard Maintenance” and “Modifications.”

| Activity Type | MoC Required? | Inventory Update Action |
| --- | --- | --- |
| “Like-for-Like” Sensor Replacement | NO | Update Serial Number only. |
| Firmware/Security Patch Update | YES | Update Version + Hash Value. |
| New Network Switch Addition | YES | Update CSDD, MAC Table, and IP Plan. |

Technical Verification Steps (§5.3.1)

Before closing an MoC (Management of Change) file, the following technical verifications must be logged to prove “safe state” return:

Verification Protocol (Requirement: Mandatory)

1. Integrity Check: Compare file hashes of installed software against the OEM-provided manifest to ensure no unauthorized code was introduced.
2. Boundary Check: Verify firewall rules haven’t been “left open” (Permit All) after vendor testing. Confirm the conduit security gate is active.
3. Re-Baseline: Update the Vessel Asset Inventory. Log all new firmware versions and hardware serial numbers in the central registry.
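
A sketch of the Integrity Check step, added here as an illustration; it is not taken from UR E26 or from any OEM tooling. It assumes the OEM manifest uses the `sha256sum` line format (SHA-256 digest, then a relative path), and the function names and sample file names are hypothetical. Besides altered and missing files, it also reports files on disk that the manifest does not list.

```python
import hashlib, re, tempfile
from pathlib import Path, PurePosixPath

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):  # stream large images
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines '<64 hex>  <relative path>' into {path: digest}."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line)
        rel = PurePosixPath(m.group(2)) if m else None
        if rel is None or rel.is_absolute() or ".." in rel.parts:
            raise ValueError(f"manifest line {n}: malformed or escapes install root")
        entries[rel.as_posix()] = m.group(1).lower()
    return entries

def verify_install(root, manifest_text):
    """Classify files as ok / mismatch / missing, plus files on disk the manifest omits."""
    root, expected = Path(root), parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, digest in sorted(expected.items()):
        target = root / rel
        status = ("missing" if not target.is_file()
                  else "ok" if sha256_file(target) == digest else "mismatch")
        report[status].append(rel)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(on_disk - set(expected))
    report["passed"] = not (report["mismatch"] or report["missing"] or report["unlisted"])
    return report

def demo():
    """Constructed sample: a clean two-file install, then one altered and one added file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin/ais_fw.bin").write_bytes(b"constructed firmware image")
        (root / "config.ini").write_bytes(b"mode=normal\n")
        manifest = "\n".join(f"{sha256_file(root / r)}  {r}" for r in ("bin/ais_fw.bin", "config.ini"))
        clean = verify_install(root, manifest)
        (root / "config.ini").write_bytes(b"mode=service\n")    # altered during the visit
        (root / "bin/helper.bin").write_bytes(b"unexpected")    # never shipped by the OEM
        return clean, verify_install(root, manifest)
```

The check is only as trustworthy as the manifest: obtain it through a channel separate from the vendor's service laptop, and attach the resulting report to the MoC file.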

💡 Strategic Intelligence: Vendor Compliance

The “Hidden” Change: Beware of “Service Laptop” connections. Even if no hardware is changed, a vendor connecting a laptop to an OT network to recalibrate a system changes the security state.

Pro-Tip: To satisfy UR E26 Operational Phase requirements, your MoC must include a “Vendor Laptop Clearance” record. This proves that you verified the vendor’s device was scanned for malware before it touched a Category II or III system.

2. Management of Change (MoC) Lifecycle

Per UR E26 §5.3.1, any modification to a Computer Based System (CBS) must be documented. A “Change” includes firmware patches, new firewall rules, or sensor replacements.

Phase A: Pre-Impact Analysis
  • Identify the Category (I, II, III) of the system.
  • Verify component is on the Approved Type list.
  • Consult the Interdependency Matrix for “downstream” risks.
Phase B: Verification & Logging
  • MAC Address Check: Required for firewall ACLs.
  • Software Hash/Version: Ensure it matches vendor security release.
  • CSDD Update: Align “As-Built” drawings with reality.

3. Audit Readiness: The MoC Paper Trail

During a survey, an auditor may select a random asset (e.g., an AIS unit) and request its change history. Ensure the following is available:

✅ Vendor security clearance for service tech.
✅ Post-maintenance functional test results.
✅ Updated IP and MAC address tables.
✅ Signed CCSO approval for modification.
