IMO Resolution MSC.428(98)  ·  In force since 1 Jan 2021

IMO cyber security requirements for every ship — explained.

MSC-FAL.1/Circ.3 is not a voluntary guideline for new ships. It is the implementation framework behind Resolution MSC.428(98) — a mandatory requirement under the ISM Code that has applied to every SOLAS vessel since 1 January 2021. Here is exactly what it requires and how to satisfy it.

  • 2021: mandatory for all ISM ships since 1 January
  • Rev.3: latest version, approved at MSC 108, May 2024
  • 5: functional elements required in your SMS
  • PSC: Port State Control enforceable; inspectors can detain
This applies to your vessel today — regardless of build year

Resolution MSC.428(98) requires that all companies with ships under the ISM Code incorporate cyber risk management into their Safety Management System (SMS) by the first annual Document of Compliance (DOC) verification after 1 January 2021. If your SMS does not address cyber risk, your vessel is non-compliant right now. IACS UR E26 applies only to newbuilds — this resolution applies to every ship under SOLAS.

The regulatory framework

Two documents you need to know

Most shipping professionals confuse the resolution and the circular. They are two separate documents that work together — the resolution creates the obligation, the circular provides the implementation guidelines.

The mandate

Resolution MSC.428(98)

Adopted by the Maritime Safety Committee in June 2017. This resolution creates the legal obligation — it requires all ISM-certified companies to address cyber risks within their existing SMS. It is enforced via the ISM Code audit process and Port State Control. This is the document that makes compliance mandatory.

Mandatory — ISM Code

The guidelines

MSC-FAL.1/Circ.3 (Rev.3, May 2024)

The companion circular that provides the implementation guidelines — the “how.” It defines the five functional elements (Identify, Protect, Detect, Respond, Recover) that must be addressed in your SMS, and describes the specific controls required under each. Rev.3 was approved by MSC 108 in May 2024 and extends scope to cover physical security aspects under the ISPS Code.

Guidelines — NIST-aligned

Scope

Which vessels does this apply to?

The resolution applies broadly to all vessels that fall under the ISM Code. If your company holds a Document of Compliance (DOC) and your vessels have Safety Management Certificates (SMC), this applies to you — regardless of flag state, vessel age, or Class society.

  • Cargo ships ≥500 GT: all cargo vessels on international voyages above 500 gross tonnes
  • Passenger ships: all passenger ships on international voyages, including cruise ships and ferries
  • Tankers: all tankers on international voyages regardless of size
  • Bulk carriers: all bulk carriers subject to the ISM Code
  • Offshore units: mobile offshore drilling units (MODUs) and offshore support vessels under ISM
  • High-speed craft: high-speed craft on international voyages subject to the HSC Code

Note on IACS UR E26: E26 applies only to vessels with keel laid on or after 1 January 2024. MSC-FAL.1/Circ.3 applies to every vessel above — including your entire existing fleet — right now.

What the circular requires

The five functional elements — and how to satisfy them

MSC-FAL.1/Circ.3 requires that five functional elements are addressed within your SMS cyber risk programme. These map directly onto the NIST Cybersecurity Framework and correspond exactly to TAGSIA’s five playbook phases. For each element below, we list the specific controls the circular requires and link to the playbooks that implement them.

1. Identify
MSC-FAL.1/Circ.3 §3.1 — Asset identification & risk assessment

Identify and document all Computer Based Systems (CBS) whose failure could impact vessel operations, safety, or security. Assess the threats and vulnerabilities to those systems.

Specific requirements from the circular
  • Documented inventory of all CBS including hardware, software, and firmware versions
  • Identification of which systems are critical to vessel safety and operations
  • Mapping of system interdependencies and communication flows
  • Formal risk assessment covering threats, vulnerabilities, and consequences
  • Defined cybersecurity roles and responsibilities (DPA, ETO, Master)

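To make the Identify requirements concrete, here is an added example (not code from the circular or from TAGSIA) of an inventory record that carries the fields listed above, together with a check that flags the gaps an ISM auditor or PSC officer would raise: missing software or firmware versions, unclassified criticality, no responsible role, dependencies on systems that are not themselves inventoried, and entries that have not been reviewed recently. The field names, the 12-month review interval and the sample assets are assumptions; the circular itself sets no review interval.

```python
"""Added example (not from the circular or TAGSIA): validating a CBS inventory
against the Identify requirements (hardware/software/firmware versions,
criticality, interdependencies, responsible roles) and the PSC expectation
that the inventory is current. Field names, thresholds and sample records
are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Assumed review interval: an entry not reviewed within this many days is
# treated as stale. The circular sets no number; this is a policy choice.
MAX_REVIEW_AGE_DAYS = 365


@dataclass
class CbsAsset:
    asset_id: str
    name: str
    zone: str                 # network zone, e.g. "OT-bridge", "OT-engine", "crew"
    criticality: str          # "critical" or "non-critical" to safety/operations
    hardware: str
    software: str
    software_version: str
    firmware_version: str
    owner_role: str           # responsible role, e.g. "ETO", "Master", "DPA"
    depends_on: list = field(default_factory=list)   # asset_ids this system needs
    last_reviewed: date = date(1970, 1, 1)


def validate_inventory(assets, today):
    """Return (asset_id, finding) tuples for every gap found.
    An empty list means the inventory satisfies the checks."""
    findings = []
    known_ids = {a.asset_id for a in assets}
    for a in assets:
        if not a.software_version or not a.firmware_version:
            findings.append((a.asset_id, "missing software or firmware version"))
        if a.criticality not in ("critical", "non-critical"):
            findings.append((a.asset_id, "criticality not classified"))
        if not a.owner_role:
            findings.append((a.asset_id, "no responsible role assigned"))
        for dep in a.depends_on:
            # Interdependency mapping is only useful if every dependency is itself listed.
            if dep not in known_ids:
                findings.append((a.asset_id, f"depends on unlisted system {dep}"))
        if (today - a.last_reviewed).days > MAX_REVIEW_AGE_DAYS:
            findings.append((a.asset_id, "inventory entry not reviewed within 12 months"))
    return findings


# Constructed sample inventory for a small bridge/ECR set (not real vessel data).
SAMPLE_ASSETS = [
    CbsAsset("ECDIS-1", "ECDIS primary", "OT-bridge", "critical", "Bridge PC",
             "ECDIS software", "4.2.1", "1.08", "ETO", ["GPS-1"], date(2024, 11, 2)),
    CbsAsset("GPS-1", "GNSS receiver", "OT-bridge", "critical", "GNSS unit",
             "receiver firmware", "n/a", "2.3", "ETO", [], date(2024, 11, 2)),
    # Missing firmware version, depends on an unlisted HMI, and last reviewed in 2022.
    CbsAsset("PMS-1", "Power management system", "OT-engine", "critical", "PLC",
             "PMS controller", "7.0", "", "Chief Engineer", ["HMI-1"], date(2022, 1, 15)),
    # Criticality never classified.
    CbsAsset("CREW-WIFI", "Crew welfare access point", "crew", "", "Access point",
             "AP firmware", "n/a", "3.1.4", "ETO", [], date(2024, 11, 2)),
]


def sample_findings():
    """Run the validator over the constructed inventory as of an assumed audit date."""
    return validate_inventory(SAMPLE_ASSETS, date(2025, 1, 10))


if __name__ == "__main__":
    for asset_id, finding in sample_findings():
        print(f"{asset_id}: {finding}")
```

Run as a script it prints one line per finding; the two bridge assets pass, the power management system produces three findings and the crew access point one. Keeping the validator separate from the data means the same check can run against an exported inventory before each DOC verification.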
2. Protect
MSC-FAL.1/Circ.3 §3.2 — Risk control processes & measures

Implement technical and procedural controls to reduce the risk to CBS and ensure continuity of vessel operations in the event of a cyber incident.

Specific requirements from the circular
  • Unique credentials for all users — no shared accounts, no default passwords
  • Strong password policy and consideration of multi-factor authentication
  • Network segmentation to isolate critical OT systems from IT and crew networks
  • Control of removable media and physical access to OT systems
  • Patch and software update management process
  • Control of remote access by OEMs and third parties
  • Backup and recovery procedures for critical systems

3. Detect
MSC-FAL.1/Circ.3 §3.3 — Detection of cyber events

Implement continuous monitoring capabilities to detect cyber events affecting CBS before they escalate to safety-critical incidents.

Specific requirements from the circular
  • Monitoring of network activity for unauthorised access or anomalous behaviour
  • Procedures for detecting malicious software and unauthorised devices
  • Security event logging with defined retention periods
  • Baseline of normal network behaviour to identify deviations

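The Detect requirements above, and the segmentation and OEM remote-access controls under Protect, come together in one simple mechanism: a baseline of the cross-zone flows the segmentation design permits, plus the time windows in which vendor remote sessions are authorised, evaluated against what the network actually carries. The following is an added example (not code from the circular or from TAGSIA) of that logic run over constructed flow records. The zone addressing, the flow record format, the baseline and session entries and the sample flows are all assumptions.

```python
"""Added example (not from the circular or TAGSIA): detecting deviations from
a network baseline. Flows are mapped to segmentation zones; a flow is flagged
unless it is in the approved baseline or, for OEM remote access, falls inside
an authorised session window. All addresses, zones and records are assumed."""
from datetime import datetime

# Segmentation model: address prefix -> zone. Addressing is assumed.
ZONES = {
    "10.10.1.": "OT-bridge",
    "10.10.2.": "OT-engine",
    "10.20.0.": "IT-admin",
    "192.168.50.": "crew",
    "203.0.113.": "OEM-remote",   # documentation range standing in for a vendor VPN
}

# Baseline of normal behaviour: (source zone, destination zone, destination port)
# observed during a normal voyage and approved in the segmentation design.
BASELINE = {
    ("OT-bridge", "OT-bridge", 502),
    ("OT-engine", "OT-engine", 502),
    ("IT-admin", "OT-bridge", 443),   # assumed read-only dashboard path
}

# Per-session OEM authorisations: (vendor zone, target zone, start, end).
# Access outside a window is a deviation even where the VPN path exists.
SESSIONS = [
    ("OEM-remote", "OT-engine", datetime(2025, 3, 4, 9, 0), datetime(2025, 3, 4, 11, 0)),
]


def zone_of(ip):
    """Map an address to its segmentation zone, or 'unknown' if unmapped."""
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def parse_flow(line):
    """Assumed flow record format: 'ts src dst dport', e.g.
    '2025-03-04T10:15 10.10.1.5 10.10.1.9 502'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def in_authorised_session(src_zone, dst_zone, ts):
    return any(sz == src_zone and dz == dst_zone and start <= ts <= end
               for sz, dz, start, end in SESSIONS)


def find_deviations(lines):
    """Return flows that are neither in the baseline nor inside an authorised
    remote session, as (timestamp, src_zone, dst_zone, dport) tuples."""
    deviations = []
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, dport) in BASELINE:
            continue
        if src_zone == "OEM-remote" and in_authorised_session(src_zone, dst_zone, ts):
            continue
        deviations.append((ts, src_zone, dst_zone, dport))
    return deviations


# Constructed flow records (not captured from a real vessel).
SAMPLE_FLOWS = [
    "2025-03-04T10:15 10.10.1.5 10.10.1.9 502",       # bridge OT to bridge OT: baseline
    "2025-03-04T10:20 10.20.0.7 10.10.1.5 443",       # admin dashboard: baseline
    "2025-03-04T10:30 203.0.113.8 10.10.2.4 502",     # OEM inside approved window
    "2025-03-04T23:40 203.0.113.8 10.10.2.4 502",     # OEM outside any window: deviation
    "2025-03-04T23:45 192.168.50.23 10.10.1.5 445",   # crew network to ECDIS: deviation
]


def sample_deviations():
    return find_deviations(SAMPLE_FLOWS)


if __name__ == "__main__":
    for ts, sz, dz, port in sample_deviations():
        print(f"{ts.isoformat()} {sz} -> {dz}:{port} not in baseline")
```

The two flagged records are exactly the cases the PSC deficiency list later calls out: a vendor connection that is live outside its authorised session, and a crew-network device reaching a bridge system. A real deployment would feed this from the firewall or switch flow export and write each deviation to the security event log with the retention period the SMS defines.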
4. Respond
MSC-FAL.1/Circ.3 §3.4 — Incident response & contingency planning

Establish contingency plans and response procedures so the crew can act immediately to contain a cyber incident without compromising vessel safety.

Specific requirements from the circular
  • Documented cyber incident response procedures accessible to crew at sea
  • Defined escalation and internal communication procedures during an incident
  • Procedures for isolating and containing affected systems
  • Reporting obligations to company, flag state, and port authorities
  • Crew training on incident response roles and procedures

5. Recover
MSC-FAL.1/Circ.3 §3.5 — Recovery plans & lessons learned

Establish recovery plans to restore compromised systems and incorporate lessons from incidents into the SMS to prevent recurrence.

Specific requirements from the circular
  • Verified backups of critical system configurations and data
  • Defined restoration procedures and recovery time objectives
  • Post-incident review and root cause analysis process
  • Mechanism for updating the SMS based on incident findings
  • Lessons learned documentation shared with relevant personnel

What your SMS must contain

The cyber annex your SMS needs

The circular does not require a separate Cyber Security Management System. It requires that cyber risk management is incorporated into your existing SMS — typically as an annex or procedure set. The table below shows the specific elements a Port State Control officer or ISM auditor will look for, and the TAGSIA resource that produces each one.

SMS element required                                        | Circular reference | TAGSIA resource
CBS asset inventory with criticality classification         | §3.1.1             | Asset Inventory Guide
Cyber risk assessment document                              | §3.1.3             | Risk Assessment Guide
Network segmentation diagram and zone definitions           | §3.2.2             | Network Segmentation
Access control and credential management procedure          | §3.2.1             | Password Policy & RBAC
Removable media and USB control procedure                   | §3.2.3             | USB Protection
Remote access control procedure                             | §3.2.4             | Remote Access
Patch and software update management procedure              | §3.2.5             | Patch Management
Cyber incident response procedure                           | §3.4.1             | First 15 Minutes
Shore-side reporting procedure                              | §3.4.3             | Shore Reporting
Backup and recovery procedure                               | §3.5.1             | Backup Verification
Cybersecurity roles and responsibilities                    | §2.2               | Roles & MoC
Management of Change (MoC) procedure for cyber systems      | §2.3               | MoC Form Template

Enforcement

What Port State Control inspectors look for

PSC officers increasingly include cyber security checks as part of ISM Code inspections. The following are the most commonly cited deficiencies. Each one maps directly to a TAGSIA playbook.

No cyber risk section in the SMS (most common deficiency)

The single most common finding. Many vessels have updated their SMS for other requirements but have never added a cyber risk annex. An inspector asks to see the cyber section — if there isn’t one, it is an immediate ISM non-conformity.

No asset inventory, or an outdated one (common deficiency)

Inspectors ask to see the CBS inventory. If it cannot be produced, or was last updated three years ago, this is a deficiency. The inventory must be current and must include software versions and firmware.

Default or shared credentials on OT systems (increasing frequency)

During onboard checks, inspectors have begun checking for default manufacturer passwords on bridge systems and ECR workstations. Shared “admin” accounts with no individual accountability are a direct violation of §3.2.1.

No incident response procedure accessible to crew (increasing frequency)

The response procedure must be documented, accessible to the ETO and Master without internet access, and the crew must be able to demonstrate they know it. A procedure that exists only on a shore-side server does not satisfy this requirement.

Uncontrolled USB and removable media (emerging area)

Physical media controls are increasingly checked. If technicians or crew can freely plug USB drives into bridge or engine room systems without authorisation or scanning procedures, this is a deficiency under §3.2.3.

Unmanaged OEM remote access (emerging area)

Always-on VPN connections to OEM vendor systems with no logging, no time-limiting, and no revocation procedure are increasingly flagged. Remote access must be authorised per-session and logged under §3.2.4.

Common questions

Frequently asked questions

Is MSC-FAL.1/Circ.3 mandatory?

The circular itself is technically advisory, but Resolution MSC.428(98) — which the circular implements — is mandatory. The resolution requires ISM-certified companies to incorporate cyber risk management into their SMS. The circular describes what that means in practice. In a PSC inspection, an officer checking for compliance with the resolution will use the circular as the benchmark. Practically speaking, the circular is the mandatory standard.

What changed in Rev.3?

Rev.3 was approved by MSC 108 in May 2024. The key change is the extension of scope to cover physical security aspects of cyber security under the ISPS Code — specifically requiring that Ship Security Plans (SSP) address physical security elements of OT and IT systems. This means your SSP, not just your SMS, now needs to reference cyber security. Rev.3 also updated the guidelines to reflect advances in OT/IT convergence and supply chain risks. If your SMS cyber annex was written before 2024, it should be reviewed against Rev.3.

How does MSC-FAL.1/Circ.3 differ from IACS UR E26?

MSC-FAL.1/Circ.3 applies to every vessel under the ISM Code — including your existing fleet — and focuses on embedding cyber risk management into the SMS. IACS UR E26 applies only to vessels with keel laid on or after 1 January 2024, and goes much further — requiring a Cyber System Definition Document (CSDD), formal Class approval of your network architecture, and a prescriptive set of technical controls. Think of MSC-FAL.1 as the floor every ship must meet, and E26 as the ceiling for new builds. TAGSIA’s playbooks are written to satisfy both.

Do we need a separate cyber security management system?

No. The IMO explicitly states in the resolution and in Rev.3 of the circular that a company does not need to establish a separate cyber security management system operating in parallel with the SMS. The requirement is that cyber risk management is incorporated into the existing SMS. For most companies this means adding a cyber annex or procedure set to the existing SMS documentation structure.

Can a vessel be detained for cyber non-compliance?

Yes. A PSC officer who finds that the SMS has no cyber risk management elements can issue a deficiency under ISM Code Chapter 1.2.3 (functional requirements of the SMS). Significant deficiencies can result in detention. Paris MOU and Tokyo MOU have both documented cyber SMS gaps as inspection findings. While mass detentions for cyber non-compliance are not yet common, they are increasing in frequency as PSC regimes update their inspection protocols to include cyber checks.

How long does implementation take?

For a single vessel starting from scratch, a reasonable programme using TAGSIA playbooks would take 8–12 weeks to complete the documentation, implement the key technical controls, and train the crew. The asset inventory (Phase 1) typically takes 1–2 weeks. Network segmentation (the highest-impact single control) can take 2–4 weeks depending on the existing network topology. The full SMS cyber annex documentation can be completed in parallel. For a fleet of 10+ vessels, the TAGSIA Fleet Enterprise bundle provides master templates that significantly reduce per-vessel time.

Start implementing MSC-FAL.1/Circ.3 today

64 free playbooks — all tagged with the IMO, ISM Code, and BIMCO requirements they satisfy. No consultant required.
