IMO Resolution MSC.428(98) · In force since Jan 2021

IMO cyber security requirements for every ship, explained.

MSC-FAL.1/Circ.3 is not merely a voluntary guideline. It is the implementation framework behind Resolution MSC.428(98), a mandatory requirement under the ISM Code that has applied to every ISM-certified SOLAS vessel since 1 January 2021. Here is exactly what it requires and how to satisfy it.

  • Mandatory for all ISM ships since 1 January 2021
  • Latest version of the circular: Rev.3, dated 4 April 2025
  • Six functional elements required in your SMS
  • Port State Control enforceable: inspectors can detain
This applies to your vessel today — regardless of build year

Resolution MSC.428(98) requires that all companies with ships under the ISM Code incorporate cyber risk management into their Safety Management System (SMS) by the first annual Document of Compliance (DOC) verification after 1 January 2021. If your SMS does not address cyber risk, your vessel is non-compliant right now. IACS UR E26 applies only to newbuilds — this resolution applies to every ship under SOLAS.

[Figure: IMO maritime cyber requirements regulatory timeline, from MSC-FAL.1/Circ.3 voluntary guidance in 2017, through MSC.428(98) ISM integration in 2021, to mandatory IACS UR E26 Rev.1 and UR E27 for vessels contracted for construction on or after 1 July 2024]

Why the regulatory timeline matters

Maritime cyber compliance did not arrive as a single regulation — it evolved over seven years across multiple IMO resolutions and IACS unified requirements, each building on the last.

The timeline shows how MSC-FAL.1/Circ.3 (voluntary guidance, 2017) became the foundation for MSC.428(98) (mandatory SMS integration, enforced from January 2021), which then informed the IACS UR E26 and E27 technical standards that became mandatory for newbuilds contracted from 1 July 2024.

The most important practical point: MSC.428(98) applies to every SOLAS vessel today regardless of build year. IACS UR E26 applies only to newbuilds contracted on or after 1 July 2024. These are two separate compliance obligations with different scopes, different enforcement mechanisms, and different timelines — and confusing one for the other is one of the most common mistakes in maritime cyber compliance planning.


The regulatory framework

Two documents you need to know

The resolution and the circular are frequently confused. They are two separate documents that work together: the resolution creates the obligation, the circular provides the implementation guidelines.

The mandate: Resolution MSC.428(98)

Adopted by the Maritime Safety Committee at its 98th session in June 2017. This resolution creates the legal obligation: it requires all ISM-certified companies to address cyber risks within their existing SMS. It is enforced via the ISM Code audit process and Port State Control. This is the document that makes compliance mandatory.

Status: mandatory under the ISM Code
The guidelines: MSC-FAL.1/Circ.3/Rev.3 (4 April 2025)

The companion circular that provides the implementation guidelines, the “how”. It defines six functional elements (Govern, Identify, Protect, Detect, Respond, Recover) that must be addressed in your SMS. Rev.3 was approved by MSC 108 (May 2024) and FAL 49 (March 2025), with the final circular dated 4 April 2025.

Status: high-level guidelines

Important note on the circular’s structure: MSC-FAL.1/Circ.3 is a high-level guidelines document. It does not prescribe specific technical controls with the granular numbering that IACS UR E26 uses. Each of the six functional elements in §3.5 consists of broad principles with a few numbered sub-points; the specific technical implementation is left to the shipowner, guided by industry standards such as IACS UR E26/E27 and the BIMCO Guidelines on Cyber Security Onboard Ships. Cite the circular at the level it is actually numbered (§3.5.2 Identify, §3.5.3 Protect, and their sub-points such as §3.5.2.2), and do not invent finer-grained control numbers.

Scope

Which vessels does this apply to?

The resolution applies broadly to all vessels that fall under the ISM Code. If your company holds a Document of Compliance (DOC) and your vessels have Safety Management Certificates (SMC), this applies to you — regardless of flag state, vessel age, or Class society.

Cargo ships of 500 GT and upwards
All cargo ships of 500 gross tonnage and upwards on international voyages
Passenger ships
All passenger ships on international voyages, including cruise ships, ferries and passenger high-speed craft
Tankers
Oil tankers, chemical tankers and gas carriers of 500 gross tonnage and upwards on international voyages
Bulk carriers
All bulk carriers of 500 gross tonnage and upwards
Offshore units
Mobile offshore drilling units of 500 gross tonnage and upwards, and offshore support vessels subject to the ISM Code
High-speed craft
Cargo high-speed craft of 500 gross tonnage and upwards on international voyages (passenger high-speed craft fall under passenger ships)

Note on IACS UR E26: E26 applies only to newbuilds contracted for construction on or after 1 July 2024. MSC-FAL.1/Circ.3 applies to every vessel above, including your entire existing fleet, right now.

What the circular requires

The six functional elements — and how to satisfy them

MSC-FAL.1/Circ.3/Rev.3 §3.5 defines six functional elements that must be addressed within your SMS cyber risk programme. These are high-level principles — the circular explicitly states they are not sequential and should be concurrent and continuous. For each element, we list what the circular actually says and link to the TAGSIA playbooks that implement it.

Source accuracy note: All references below use the actual section numbering from MSC-FAL.1/Circ.3/Rev.3 (4 April 2025). The circular uses §3.5 followed by the functional element number (.1 through .6) and sub-point number. Where no sub-point exists for a specific control, only the functional element is cited.
Govern
§3.5.1 — Strategy, roles and responsibilities

Establish and monitor risk management strategy, expectations and policies. Define personnel roles and responsibilities. Ensure business continuity including backup management, disaster recovery, and crisis management.

What the circular actually requires (§3.5.1)
  • §3.5.1.1 — Designate a person or entity accountable for planning, resourcing and execution of cybersecurity activities
  • §3.5.1.2 — Ensure the designated person has the necessary authority, support, knowledge and expertise in cyber risk management
TAGSIA playbooks: Roles & MoC
Identify
§3.5.2 — Determine current cyber risk

Determine the current cyber risk to ships and ship/port interfaces by identifying systems, assets, interdependencies and carrying out a risk assessment.

What the circular actually requires (§3.5.2)
  • §3.5.2.1 — Identify systems, assets, services, data and capabilities whose disruption poses risks to ship operations, human safety, or the environment — including software and hardware supply chains
  • §3.5.2.2 — Establish and maintain an inventory of digital systems on board. Identify internal and external system dependencies and network connections
  • §3.5.2.3 — Carry out a risk assessment of critical systems. Identify cyber-related threats and vulnerabilities. Assess likelihood and impact of a cyber incident on safety, availability, integrity and confidentiality
Protect
§3.5.3 — Risk control processes and measures

Implement risk control processes and measures to protect computer-based systems (CBS) and to ensure business continuity of shipping operations, human safety and the safety of the vessel.

What the circular actually requires (§3.5.3)
  • §3.5.3.1 — Unique credentials for all users. Separate user and privileged accounts. Deactivate accounts for departing users
  • §3.5.3.2 — Change all default passwords. Enforce a strong password policy. Consider MFA or continuous authentication. Secure communications systems
  • §3.5.3.3 — Limit exploitable internet services. Hardware and software approval process. Securely store logs for intrusion detection. Segment OT networks from IT networks
  • §3.5.3.4 — Security measures (firewall, antivirus) for systems with internet or intranet access. Cryptography policies and procedures
  • §3.5.3.5 — Controls to protect systems from unauthorised removable media
  • §3.5.3.6 — Mandatory annual basic cybersecurity training for all employees. OT-specific training for OT users. Cybersecurity familiarisation for all crew on engagement. Knowledge testing through drills and exercises
  • §3.5.3.7 — Regular system backups, software updates, and incident response plan development and maintenance
  • §3.5.3.8 — Software and hardware supply chain security policies for critical systems
  • §3.5.3.9 — Policies to assess effectiveness of cyber risk measures through audits and periodic review
Detect
§3.5.4 — Detection of cyber incidents

Develop, implement and practise the activities necessary to detect a cyber incident in a timely manner. Implement measures to detect unintended activity on CBS.

What the circular actually requires (§3.5.4)
  • §3.5.4.1 — Maintain a list of relevant threats, threat actor tactics, techniques and procedures. Actively monitor systems for those threats
  • §3.5.4.2 — Annual basic cybersecurity training for all employees should include training on recognising and detecting an ongoing cyber incident
Respond
§3.5.5 — Incident response and containment

Develop, implement and practise activities and plans to provide resilience and restore systems necessary for shipping operations impaired by a cyber incident.

What the circular actually requires (§3.5.5)
  • §3.5.5.1 — Report incidents to necessary parties within required time frames as defined by the Administration
  • §3.5.5.2 — Records of cyber incidents should be kept
  • §3.5.5.3 — Annual basic cybersecurity training for all employees should include training on responding to a cyber incident
Recover
§3.5.6 — Recovery and lessons learned

Identify and implement measures to restore onboard CBS and networks necessary for shipping operations impacted by a cyber incident.

What the circular actually requires (§3.5.6)
  • §3.5.6.1 — Develop, maintain and implement strategies for recovery and reinstatement of essential or mission-critical assets and systems impacted by a cyber incident
  • §3.5.6.2 — Annual basic cybersecurity training for all employees should include training on recovering from a cyber incident
  • §3.5.6.3 — Carry out root cause analysis of cyber incidents to resolve underlying issues and prevent similar recurrence

What your SMS must contain

The cyber annex your SMS needs

The circular does not require a separate Cyber Security Management System — it requires cyber risk management incorporated into your existing SMS. The table below shows the practical SMS elements that satisfy the circular’s functional elements, with the correct section references from Rev.3.

SMS element required | Circular reference | TAGSIA resource
Designated cyber responsible person with authority and expertise | §3.5.1.1 / §3.5.1.2 | Roles & MoC
CBS asset inventory with system interdependencies and network connections | §3.5.2.1 / §3.5.2.2 | Asset Inventory Guide
Cyber risk assessment of critical systems | §3.5.2.3 | Risk Assessment Guide
Unique credentials and account management procedure | §3.5.3.1 / §3.5.3.2 | Password Policy & RBAC
OT/IT network segmentation | §3.5.3.3 | Network Segmentation
Removable media control procedure | §3.5.3.5 | USB Protection
Annual crew cybersecurity training programme with drills | §3.5.3.6 | Crew Cyber Awareness
System backup and incident response plan | §3.5.3.7 | Configuration Backups
Supply chain security policy for critical systems | §3.5.3.8 | Supply Chain Security
Threat monitoring and detection activities | §3.5.4.1 | Traffic Baselining
Incident reporting procedure (to the Administration within required timeframes) | §3.5.5.1 | Shore Reporting
Cyber incident log / records | §3.5.5.2 | Incident Severity Matrix
Recovery strategy for critical systems | §3.5.6.1 | Golden Image Management
Root cause analysis procedure for cyber incidents | §3.5.6.3 | Post-Incident Debriefing

Enforcement

What Port State Control inspectors look for

PSC officers increasingly include cyber security checks as part of ISM Code inspections. The following are the most commonly cited deficiencies.

Most common deficiency

No cyber risk section in the SMS

The single most common finding. Many vessels have updated their SMS for other requirements but have never added a cyber risk element. An inspector asks to see the cyber section — if there isn’t one, it is an immediate ISM non-conformity.

Common deficiency

No CBS inventory or it is outdated

Inspectors ask to see the digital systems inventory required by §3.5.2.2. If it cannot be produced, or was last updated years ago, this is a deficiency. The inventory must be current and include system interdependencies.
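The checks an inspector applies to the inventory (is it current, are dependencies and network connections recorded, is OT separated from IT) are mechanical enough to script. The following Python is an added example written for this page, not code from the IMO circular or the TAGSIA playbooks: it audits a constructed CBS inventory and reports each gap against the §3.5.2.2, §3.5.2.3 and §3.5.3.3 sub-points listed under Identify and Protect above. The CSV column names, the zone names, the sample systems and the 365-day review threshold are assumptions; the circular does not prescribe an inventory format.

```python
"""Added example (not from the IMO circular or the TAGSIA playbooks): audit a
ship's computer-based systems (CBS) inventory for the gaps a PSC inspector
looks for under MSC-FAL.1/Circ.3 §3.5.2.2 and §3.5.3.3.  The column names,
zone names, sample systems and the 365-day review threshold are assumptions."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not real ship data).  depends_on and
# external_connections are ';'-separated lists; last_reviewed is ISO 8601.
SAMPLE_INVENTORY = """\
id,name,type,zone,criticality,depends_on,external_connections,last_reviewed
ECDIS-1,ECDIS primary,OT,BRIDGE,critical,GPS-1;AIS-1,chart-update-vpn,2025-01-15
GPS-1,GNSS receiver,OT,BRIDGE,critical,,,2025-01-15
AIS-1,AIS transponder,OT,BRIDGE,important,GPS-1,,2022-03-01
PMS-1,Power management system,OT,ECR,critical,,vendor-remote-access,2025-02-10
CREW-WIFI,Crew internet access point,IT,ECR,low,,satcom,2025-02-10
ADMIN-PC,Master's admin PC,IT,OFFICE,low,,satcom,2024-12-01
LOADCALC,Loading computer,IT,OFFICE,important,STAB-DB,,2025-01-20
"""

CRITICALITY_RANK = {"low": 0, "important": 1, "critical": 2}


@dataclass(frozen=True)
class Finding:
    system_id: str
    reference: str  # circular sub-point the finding is reported against
    message: str


def parse_inventory(text: str) -> dict[str, dict[str, str]]:
    """Parse the CSV into {system_id: row}; keeps file order for reporting."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def _listed(field: str) -> list[str]:
    return [item for item in field.split(";") if item]


def audit_inventory(text: str, today: str, max_age_days: int = 365) -> list[Finding]:
    """Return one Finding per deficiency found in the inventory."""
    inv = parse_inventory(text)
    today_d = date.fromisoformat(today)
    # Zones that host at least one OT system; an IT system placed in one of
    # these is a segmentation finding (§3.5.3.3: segment OT from IT).
    ot_zones = {row["zone"] for row in inv.values() if row["type"] == "OT"}
    findings: list[Finding] = []
    for sid, row in inv.items():
        # §3.5.2.2: the inventory must be current.
        age = (today_d - date.fromisoformat(row["last_reviewed"])).days
        if age > max_age_days:
            findings.append(Finding(sid, "§3.5.2.2",
                                    f"last reviewed {row['last_reviewed']}, {age} days ago"))
        for dep in _listed(row["depends_on"]):
            # §3.5.2.2: every declared dependency must itself be inventoried.
            if dep not in inv:
                findings.append(Finding(sid, "§3.5.2.2",
                                        f"depends on {dep!r}, which is not in the inventory"))
                continue
            # §3.5.2.3: a critical system that relies on a lower-rated system
            # inherits that system's risk; flag it for reassessment.
            if (CRITICALITY_RANK[row["criticality"]] == 2
                    and CRITICALITY_RANK[inv[dep]["criticality"]] < 2):
                findings.append(Finding(sid, "§3.5.2.3",
                                        f"critical system depends on {dep} rated "
                                        f"{inv[dep]['criticality']}"))
        if row["type"] == "IT" and row["zone"] in ot_zones:
            findings.append(Finding(sid, "§3.5.3.3",
                                    f"IT system shares zone {row['zone']} with OT systems"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per circular reference, e.g. {'§3.5.2.2': 2, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reference] = counts.get(f.reference, 0) + 1
    return counts


if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY, today="2025-06-01")
    for f in result:
        print(f"{f.system_id:<10} {f.reference:<9} {f.message}")
    print(summarize(result))
```

Run against the sample with a review date of 1 June 2025 it reports four findings: the AIS transponder last reviewed in 2022 (stale), the loading computer depending on a system that is not inventoried, the crew Wi-Fi access point sitting in the same zone as the power management system, and the ECDIS relying on a system rated below critical. The point of keying each finding to a sub-point is that the same output serves as the evidence trail an auditor asks for, not just an internal to-do list.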

Increasing frequency

No designated responsible person

§3.5.1.1 requires a designated person accountable for cybersecurity activities. If the company cannot identify who is responsible, and demonstrate their authority and competence, this is a governance deficiency.

Increasing frequency

No crew training records

§3.5.3.6 requires annual basic cybersecurity training for all employees and familiarisation for all crew on engagement. Inspectors ask to see training records. A policy that exists but has never been executed is a deficiency.

Emerging area

Default or shared credentials on OT systems

§3.5.3.1 and §3.5.3.2 require unique credentials and elimination of default passwords. During onboard checks, inspectors have begun checking for shared “admin” accounts on bridge and ECR workstations.

Emerging area

No incident response procedure

§3.5.5.1 requires procedures for reporting incidents within required timeframes. The procedure must be accessible to the Master and the Electro-Technical Officer (ETO) at sea without internet access, and crew must be able to demonstrate familiarity with it.

Common questions

Frequently asked questions

Is MSC-FAL.1/Circ.3 itself mandatory?

The circular itself is technically advisory guidance; it says so explicitly in the document. However, Resolution MSC.428(98), which the circular implements, is mandatory. The resolution requires ISM-certified companies to incorporate cyber risk management into their SMS, and Port State Control officers use the circular as the benchmark for what that means in practice. The six functional elements in §3.5 are the effective standard against which compliance is assessed.

What changed in Rev.3?

Rev.3 was approved by MSC 108 (May 2024) and by the Facilitation Committee at its forty-ninth session (March 2025), with the final circular dated 4 April 2025. The key changes in Rev.3 are: the addition of “Govern” as a sixth functional element (the previous version had five); updated supply chain security requirements in §3.5.3.8; strengthened crew training requirements in §3.5.3.6, including cybersecurity familiarisation for all crew on engagement; and references to IACS UR E26 and E27 added to the list of additional standards in §4.2. If your SMS cyber annex was written before April 2025, review it against Rev.3.

How does the circular differ from IACS UR E26?

The circular is intentionally high-level: it describes the functional outcomes your SMS must achieve, not a specific technical architecture. IACS UR E26 is prescriptive: it specifies how the vessel’s network must be designed, what documents must be submitted to Class, and what technical controls must be in place for each CBS. The circular says to segment OT from IT networks (§3.5.3.3); E26 specifies the zone and conduit architecture, the documentation and the Class approval process to achieve that. The circular applies to all ISM vessels; E26 applies only to newbuilds contracted for construction on or after 1 July 2024.

Do I need a separate cyber security management system?

No. The circular states in §2.3.2 that it is designed to have “widespread application” and can be incorporated into existing risk management processes. Resolution MSC.428(98) requires cyber risk management within the existing SMS, not a parallel system. The practical approach is to add a cyber annex to your existing SMS covering the six functional elements, with supporting procedures for each.

Can Port State Control detain a vessel for cyber non-compliance?

Yes. A PSC officer who finds that the SMS has no cyber risk management elements can issue a deficiency under the ISM Code (section 1.2.3, the SMS objectives, which include taking applicable codes, guidelines and standards into account, and section 1.4, the functional requirements for an SMS). Significant deficiencies can result in detention. Paris MoU and Tokyo MoU have both recorded cyber SMS gaps as inspection findings. Detentions specifically for cyber non-compliance are still relatively rare but are increasing as PSC regimes update their inspection protocols.

Start implementing MSC-FAL.1/Circ.3 today

64 free playbooks — all tagged with the functional elements they satisfy. No consultant required.
