Part of the IDENTIFY Playbook
Phase 1: Identify | All vessels
Satisfies: E26 §5.3.1, ISM Code §10, BIMCO v4

Roles & Change Management

UR E26 Compliance Summary: To maintain the vessel’s resilience profile, owners must define key cybersecurity roles and implement a Management of Change (MoC) process (per §5.3.1). This ensures the asset inventory and Cyber Security Design Description (CSDD) remain accurate throughout the ship’s operational life.

1. Cybersecurity Roles

Compliance requires specific individuals to be tasked with maintaining the “Identify” database. Assign these duties within your Ship Cyber Security and Resilience Program (SCSRP).

| Role | Core Responsibility (Identify Phase) |
| --- | --- |
| Company Cyber Security Officer (CCSO) | Fleet-wide policy oversight; approval of technical MoC requests and vendor clearances. |
| Shipboard Cyber Lead (Master/ETO) | Verifying physical inventory; logging local software changes and patching activities. |
| Technical Superintendent | Ensuring OEMs/Vendors provide CSDD updates and “As-Fitted” drawings after repairs. |

2. The MoC Lifecycle (The What)

Per UR E26 §5.3.1, any modification to a Computer Based System (CBS) must follow a structured lifecycle to prevent the introduction of new vulnerabilities.

Phase A: Pre-Impact Analysis
  • Identify the Category (I, II, III) of the system.
  • Verify component is on the Approved Type list.
  • Analyze “downstream” risks to connected systems.
Phase B: Verification & Logging
  • Record MAC addresses and Software Hashes.
  • Confirm firmware matches vendor security releases.
  • Align “As-Built” drawings with the physical state.

3. The MoC Decision Matrix (The When)

Not every maintenance action requires a full MoC. Use this logic to distinguish between “Standard Maintenance” and “Modifications.”

| Activity Type | MoC Required? | Required Action |
| --- | --- | --- |
| “Like-for-Like” Sensor | NO | Update Serial Number only. |
| Security Patch | YES | Update Version + Hash Value. |
| New Network Switch | YES | Update CSDD and IP Plan. |

4. Technical Verification Steps (The How)

Before closing an MoC file, these technical verifications prove the vessel has returned to a “Safe State”:

Verification Protocol (Requirement: Mandatory)
  1. Integrity Check: Verify software hashes to ensure no unauthorized code was introduced during the update.
  2. Boundary Check: Ensure firewall conduits haven’t been left in “bypass” mode after vendor testing.
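
The Integrity Check above, together with the hash logging from Phase B, could be run at MoC close-out along the lines of this added example (not part of the original page or of any TAGSIA or class-society tooling). It assumes the pre-change baseline and the vendor's release manifest are each a mapping of relative path to SHA-256 digest; the page does not name a hash algorithm, and the function names, file paths and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large firmware images are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def integrity_check(root: Path, baseline: dict, vendor_manifest: dict) -> dict:
    """baseline = hashes logged before the change, vendor_manifest = hashes the vendor
    published for the release; both map relative path -> lowercase SHA-256 hex."""
    result = {k: [] for k in ("authorized", "unchanged", "not_applied",
                              "unauthorized", "missing", "undeclared")}
    present = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    for rel in sorted(set(baseline) | set(vendor_manifest)):
        have = present.pop(rel, None)
        if have is None:
            result["missing"].append(rel)
        elif have == vendor_manifest.get(rel):
            result["authorized"].append(rel)      # matches the vendor release
        elif have == baseline.get(rel):           # same as before the change
            key = "not_applied" if rel in vendor_manifest else "unchanged"
            result[key].append(rel)
        else:
            result["unauthorized"].append(rel)    # matches neither record
    result["undeclared"] = sorted(present)        # on disk but in no record
    return result

def demo() -> dict:
    """Constructed sample: one patched, one untouched, one altered, one undeclared file."""
    h = lambda data: hashlib.sha256(data).hexdigest()
    baseline = {"bin/hmi": h(b"hmi v1"), "bin/logger": h(b"logger v1"),
                "etc/net.conf": h(b"vlan 10")}
    vendor_manifest = {"bin/hmi": h(b"hmi v2")}   # the approved security patch
    on_disk = {"bin/hmi": b"hmi v2", "bin/logger": b"logger v1 + extra",
               "etc/net.conf": b"vlan 10", "bin/helper": b"undeclared"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in on_disk.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return integrity_check(Path(tmp), baseline, vendor_manifest)

if __name__ == "__main__":
    print(demo())
```

Anything reported as unauthorized, undeclared, missing or not_applied keeps the MoC file open; the authorized entries give the new Version + Hash Value pairs for the asset inventory.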

💡 Strategic Intelligence: Vendor Compliance

The “Service Laptop” Risk: Even without hardware changes, a vendor who connects a laptop to recalibrate a system changes its security state.

Pro-Tip: To satisfy UR E26 auditors, your MoC must include a “Vendor Laptop Clearance” record proving the device was scanned for malware before connection.

5. Audit Readiness: The MoC Paper Trail

During a survey, Class will select random assets to inspect change history. Have these documents ready:

✅ Vendor security clearance record.
✅ Post-maintenance functional test.
✅ Updated MAC and Asset IP tables.
✅ Signed CCSO approval for the modification.

Compliance Documentation Previews

Fillable templates to satisfy UR E26 §5.3.1.

  • TAG-OT-MOC-01: MoC Form Template
  • TAG-OT-SEP-03: Vendor Laptop Clearance Waiver
