Industry standards alignment

BIMCO, TMSA 3 & SIRE — maritime cyber compliance mapping

How the Industry Guidelines on Cyber Security Onboard Ships (v5, 2024), TMSA 3 Element 13, and SIRE 2 cyber requirements relate to IMO MSC-FAL.1/Circ.3 and IACS UR E26 — so operators can understand how work done for one framework satisfies the others.

Industry Guidelines v5 (2024) · TMSA 3 Element 13 · SIRE 2.0 · CDI assessments
Tanker · Bulk · Offshore

Who this page is for: Technical Superintendents, DPAs, and ETOs on tanker, bulk carrier, and offshore vessels where TMSA 3 vetting scores, SIRE 2 inspection results, and CDI assessments directly affect chartering contracts. A poor cyber score in these programmes costs commercial opportunity — this page explains how the frameworks relate and where the evidence overlaps.

The four frameworks — what each one is

Industry Guidelines on Cyber Security Onboard Ships — v5 (November 2024)
The leading industry guidance document produced jointly by BIMCO, ICS, INTERTANKO, OCIMF, and a coalition of other organisations. Version 5 was published in November 2024 and is the current edition — it supersedes v4 (2020). The guidelines are structured around the NIST Cybersecurity Framework functional elements and are not a regulatory requirement, but are widely referenced by P&I clubs, vetting inspectors, and flag state administrations as the practical standard for SMS cyber compliance.
Applies to: All vessel types · all flag states · voluntary but commercially expected
TMSA 3 — Element 13
The Tanker Management and Self Assessment (TMSA) programme is operated by OCIMF and used by oil majors to assess tanker operator safety management. Element 13 — introduced in TMSA 3 (effective January 2018) — covers maritime security including cybersecurity. TMSA scores directly affect access to oil major terminals and chartering contracts. There is no TMSA 4 — TMSA 3 with Element 13 remains the current and active standard as of 2026.
Applies to: Tanker operators · oil major chartering · OCIMF member terminals
SIRE 2.0
The Ship Inspection Report (SIRE) programme is OCIMF’s vessel inspection system. SIRE 2.0 introduced structured cyber security questions covering network segmentation, crew awareness, incident response planning, and the vessel’s SMS cyber annex. Inspection results are shared with charterers and can affect employment.
Applies to: Tankers · gas carriers · chemical tankers · OCIMF inspections
CDI — Chemical Distribution Institute
CDI inspections cover chemical tankers and similar vessels. Cyber security questions have been incorporated into CDI assessments in line with the Industry Guidelines. CDI scores affect access to chemical terminals and cargo contracts similarly to TMSA in the tanker sector.
Applies to: Chemical tankers · parcel tankers · CDI-assessed terminals

How the frameworks relate — shared foundations

All four frameworks draw from the same two sources: the NIST Cybersecurity Framework functional elements and IMO MSC-FAL.1/Circ.3. This means the evidence produced for one framework largely satisfies the others. The table below maps the shared functional elements across the verifiable frameworks.

| NIST function | Industry Guidelines v5 focus area | IMO MSC-FAL.1 Rev.3 | IACS UR E26 | Tagsia playbook |
|---|---|---|---|---|
| Govern | Organisational accountability, senior management responsibility, policy framework | §3.5.1 Govern | §5.1 — CSRP framework | Roles & Change Management |
| Identify | Asset inventory, risk assessment, threat identification, system classification | §3.5.2 Identify | §4.1–§4.2 | Asset Inventory · System Criticality |
| Protect | Access control, network segmentation, crew training, supply chain security, hardening | §3.5.3 Protect | §4.2–§4.3 | PROTECT phase playbooks |
| Detect | Monitoring, anomaly detection, syslog, IDS, traffic baselining | §3.5.4 Detect | §4.4 | DETECT phase playbooks |
| Respond | Incident response procedures, triage, isolation, communications, reporting | §3.5.5 Respond | §4.4.1–§4.4.3 | RESPOND phase playbooks |
| Recover | Recovery planning, backup restoration, business continuity, plan updates | §3.5.6 Recover | §4.5 | RECOVER phase playbooks |

Note on TMSA 3 Element 13: Element 13 covers the same functional areas as the table above and maps directly to the NIST framework. Because the full TMSA 3 document is a paid OCIMF publication, specific internal KPI sub-references are not reproduced here. Evidence that satisfies the IMO MSC-FAL.1 and E26 columns above will generally satisfy the corresponding Element 13 level requirements. Operators with TMSA access should cross-reference against the actual KPI text in their copy of the document.

SIRE 2.0 — what inspectors ask and what evidence to show

SIRE 2 cyber questions are structured, not free-form. Inspectors work from a defined question set. The functional areas covered, and the evidence that satisfies each, are listed below.

SMS cyber annex
The vessel’s SMS must contain a documented cyber risk management programme covering all six MSC-FAL.1/Circ.3 Rev.3 functional elements. The inspector will ask to see the SMS document — not just confirm it exists verbally. Evidence: the SMS cyber annex or Ship Cyber Security Response Plan (SCSRP).
Network segmentation
Evidence of separation between IT and OT networks — a network diagram showing VLANs, a firewall between crew internet and bridge/engine systems, and no direct path from SATCOM to OT. Evidence: network architecture diagram from the CSDD or equivalent vessel documentation.
Crew awareness training
The ETO and OOW must be able to describe basic cyber threats and their role in incident response. Training records showing completion dates and subjects covered are required. P&I clubs increasingly review these records when assessing incident liability. Evidence: crew training log with dates, topics, and attendee signatures.
Incident response procedure
A documented procedure for responding to a cyber incident — who is notified, in what order, and what immediate actions are taken. The inspector may ask the ETO to describe what they would do if ECDIS behaved erratically. Evidence: SCSRP incident response section or the First 15 Minutes playbook implemented as vessel procedure.
Access control and USB policy
A documented policy for who can connect devices to vessel systems, how USB media is managed, and whether default passwords have been changed on all CBS. Evidence: OT Password Policy, USB Protection SOP, and vault form TAG-OT-SEP-01 (OT Access Request Form).

TMSA 3 Element 13 — the four achievement levels

TMSA is self-assessed by the operator and submitted to OCIMF. Oil majors review submissions before chartering decisions. Element 13 has four maturity levels — operators are expected to demonstrate progression across assessments. The descriptions below reflect publicly available OCIMF summaries and published industry commentary.

Level 1 — Basic awareness
Procedures for identifying cyber threats applicable to the vessel and shore sites are documented. Basic cyber risk awareness exists within the organisation.
Evidence: SMS cyber section · basic risk register · crew awareness records
Level 2 — Defined procedures
Guidance and mitigation measures are in place across all procedures. Cyber security good practice is actively promoted among vessel personnel.
Evidence: SCSRP · network diagram · training log · access control policy
Level 3 — Implemented and regularly updated
Security procedures are regularly reviewed and updated. Incident response is exercised. Backup and recovery capability is verified. Lessons learned feed back into the programme.
Evidence: drill records · backup verification log · post-drill lessons learned
Level 4 — Innovative and continual improvement
Novel or innovative methods for minimising cyber risk are evidenced. The programme is reviewed following incidents, near-misses, and regulatory changes. Performance metrics are tracked and reported to management.
Evidence: review records · threat intelligence subscription · management reporting

Fastest path to TMSA Element 13 Level 2 using Tagsia

Step 1 — Identify
Complete Asset Inventory and System Criticality Mapping. This produces the risk register evidence Level 1 and Level 2 require.
Step 2 — Protect
Implement Access Control, Crew Training, and USB Policy. This produces Level 2 evidence for mitigation measures and crew awareness promotion.
Step 3 — Respond
Document the incident response procedure using the Severity Matrix and First 15 Minutes. This satisfies the mitigation guidance requirement at Level 2.

Important limitations

  • The Industry Guidelines are not a regulation — they are voluntary industry guidance. Compliance with v5 does not replace the mandatory obligation under IMO MSC.428(98) to address cyber risk in the SMS. However, they are the primary reference used by PSC officers and vetting inspectors when assessing what “adequate” SMS cyber compliance looks like in practice.
  • TMSA is self-assessed — oil majors may conduct independent verification before chartering. Self-assessment scores are not automatically accepted at face value. The quality of supporting evidence matters as much as the level claimed.
  • SIRE 2 questions evolve — OCIMF updates the question pool periodically. The functional areas described above are stable but specific question wording may change between inspection cycles. Always verify against the current SIRE 2 question set available through your vetting platform.
  • CDI requirements vary by terminal — individual terminals may apply additional cyber requirements beyond the CDI base programme. Verify with the specific terminal operator before assessments.
  • E26 does not satisfy TMSA automatically — E26 applies to newbuilds contracted from July 2024. For existing vessels, TMSA compliance requires SMS-based evidence independent of any Class notation.
  • TMSA 3 document access — the full TMSA 3 document including the complete Element 13 KPI text is a paid OCIMF publication available at ocimf.org. Operators should reference the original document for precise KPI wording when completing their self-assessment.