Roles & Change Management
UR E26 Compliance Summary: The “Identify” element mandates a detailed asset inventory (names/versions per §4.1.1) and a mapping of system interdependencies and data flows. To maintain the vessel’s resilience profile, owners must define key cybersecurity roles and implement a Management of Change (MoC) process (per §5.3.1) to ensure the inventory and CSDD remain accurate throughout the ship’s operational life.
1. Cybersecurity Roles
Compliance requires that specific individuals are tasked with maintaining the “Identify” database. Use this matrix to assign duties within your Ship Cyber Security and Resilience Program (SCSRP).
| Role | Core Responsibility (Identify Phase) |
|---|---|
| Company Cyber Security Officer (CCSO) | Fleet-wide policy oversight; approval of MoC requests. |
| Shipboard Cyber Lead (Master/ETO) | Verifying physical inventory; logging local software changes. |
| Technical Superintendent | Ensuring OEMs/Vendors provide CSDD updates after repairs. |
2. Management of Change (MoC) Procedure
When a system is repaired, replaced, or updated, the following workflow must be followed to maintain Class compliance:
Change Request: Document why the change is needed (e.g., hardware failure, mandatory firmware update).
Risk Assessment: Evaluate if the change introduces new protocols or network connections.
Inventory Update: Log new MAC addresses, Serial numbers, and Software versions in the Asset Inventory.
CSDD Revision: Update the Cyber System Definition Document to reflect the current “As-Built” state.
Next Security Phase
CSDD & Exclusion Assessment
CSDD & Exclusion Assessment UR E26 5.1.1 & 6: The Cyber System Definition Document (CSDD) is the mandatory technical file submitted for Class approval. Section 6 provides the framework for a Risk-Based Exclusion, allowing systems to be removed from t...