CSDD & Exclusion Assessment
UR E26 §5.1.1 & §6: The Cyber System Definition Document (CSDD) is the mandatory technical file submitted for Class approval. It defines the “Trust Boundary” of the vessel. Section 6 provides the framework for Risk-Based Exclusion, allowing non-critical systems to be removed from scope if they pose no threat to safety functions.
1. Assembling the CSDD (The Submission File)
The CSDD is your vessel’s “Master Blueprint.” It proves to the Auditor that you have Identified your assets correctly. Your CSDD must include these three core pillars:
- Must show physical cabling (Ethernet/Serial) and logical zones. Highlight all “Conduits” crossing between IT and OT environments.
- Comprehensive list including firmware versions. All software must be cross-referenced against the Vulnerability Feed.
- Identify critical protocols (Modbus, NMEA, S7). This matrix defines the “Blast Radius” in the event of a cyber incident.
2. Section 6: Risk-Based Exclusions
To optimize compliance costs, owners can propose Exclusions for systems that do not affect the safe operation of the vessel (e.g., Crew Wi-Fi, Entertainment, Cabin HVAC).
Mandatory Exclusion Criteria:
A system is only excludable if it meets ALL 5 points:
- Isolation: No physical/logical link to Cat II or III.
- Safety: Failure cannot degrade propulsion/steering.
- Environment: No risk of a MARPOL/pollution incident.
- Regs: System is not required for SOLAS or Class.
- Access: Maintenance is air-gapped or strictly controlled.
💡 Auditor’s Tip
The most common reason for rejected exclusions is “Hidden Conduits.” Even if a system is for crew entertainment, if it shares the same physical switch as the Engine Room AMS, it cannot be excluded.
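The five criteria and the hidden-conduit check can be run against the CSDD topology before an exclusion is proposed. The Python below is an added example, not part of UR E26 or of this page's template. The system names, links and owner answers are constructed, and it assumes that any physical path to a Cat II or III system counts as a link.

```python
from collections import deque

# Constructed sample topology (physical links), not from a real vessel.
LINKS = [
    ("crew-wifi-ap", "sw-accommodation"), ("sw-accommodation", "fw-it"),
    ("infotainment", "sw-engine-room"), ("engine-room-ams", "sw-engine-room"),
    ("cabin-hvac", "sw-hvac"), ("steering-plc", "sw-bridge"),
]
CATEGORY = {"engine-room-ams": "III", "steering-plc": "II"}  # in-scope systems
# Owner's answers for the four criteria that the topology cannot prove.
OK = {"safety": True, "environment": True, "regs": True, "access": True}
ANSWERS = {
    "crew-wifi-ap": dict(OK),
    "infotainment": dict(OK),
    "cabin-hvac": {**OK, "access": False},  # remote vendor access, uncontrolled
}

def build_graph(links):
    """Undirected adjacency map of the physical network."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def conduit_path(graph, start, category):
    """Shortest physical path from start to a Cat II/III system, else None."""
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node != start and category.get(node) in ("II", "III"):
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def assess(system, graph, category, answers):
    """Return (excludable, failed_criteria, hidden_conduit_path)."""
    path = conduit_path(graph, system, category)
    failed = ["isolation"] if path else []
    failed += [c for c in OK if not answers[system].get(c)]
    return (not failed, failed, path)

if __name__ == "__main__":
    g = build_graph(LINKS)
    for name in ANSWERS:
        print(name, assess(name, g, CATEGORY, ANSWERS))
```

The returned path is the evidence to attach to a rejected exclusion: for the infotainment unit it names the shared engine-room switch as the conduit.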
Exclusion Assessment Template
Standardized format for documenting non-critical system exclusions for Class approval.
