The Regulatory Landscape for Crew Cyber Training
Two regulatory frameworks drive crew cyber security training requirements for most commercial vessel operators. Understanding the distinction between them is important because they impose different obligations with different enforcement mechanisms.
The USCG's 33 CFR 101 Subpart F is prescriptive. It mandates documented cybersecurity training for all vessel personnel, with specific requirements for the designated Cyber Security Officer (CySO). The training deadline of January 2026 has already passed, meaning any vessel calling at US ports should have completed crew training by now. This is not guidance - it is enforceable regulation with consequences for non-compliance including port state control deficiencies and potential vessel detention.
The IMO's MSC-FAL.1/Circ.3 takes a different approach. It recommends that companies develop cybersecurity awareness programs as part of their Safety Management System under the ISM Code. While the language is less prescriptive than the USCG rule, flag state auditors now routinely check for evidence of cyber awareness training during ISM audits. The practical effect is the same - operators need documented training programs.
Who Needs Training
Both frameworks distinguish between general crew awareness training and specialised training for designated personnel. Getting this distinction right is important for both compliance and practical effectiveness.
All crew members
Every person serving on the vessel needs basic cybersecurity awareness training. This applies to officers, ratings, cadets, and any other personnel with access to vessel systems - including personal devices that connect to vessel networks. The goal is not to turn every seafarer into a security expert. It is to ensure that everyone onboard can recognise common threats, follow basic security practices, and know how to report suspicious activity.
The USCG rule under 33 CFR 101.640 requires that training be appropriate to the individual's role and responsibilities. A deck officer who uses ECDIS and bridge communication systems needs different awareness content than a cook who only uses crew WiFi. Training should be relevant to the systems each crew member actually interacts with.
CySO and designated personnel
The Cyber Security Officer requires substantially more training than general crew. Under USCG requirements, the CySO must hold documented qualifications demonstrating competence in cybersecurity risk management, incident response, and the specific regulatory requirements applicable to the vessel. This is a higher bar than general awareness - the CySO needs to understand how to conduct risk assessments, manage security controls, lead incident response, and interface with regulatory authorities during inspections.
Other designated personnel - which may include the master, chief engineer, ETO, and shore-based DPA - also need role-specific training that goes beyond basic awareness. The master needs to understand their authority and responsibilities during a cyber incident. The chief engineer needs to understand the cyber risks to engine management and automation systems. The DPA needs to understand their oversight role for cyber risk management at the company level.
What Topics Must Be Covered
Neither the USCG nor IMO provides a rigid syllabus, but both frameworks make clear what training should address. The following topics represent the minimum content that auditors and inspectors expect to see documented in your training program.
Phishing recognition
Phishing remains the most common initial attack vector in maritime cyber incidents. Crew training must cover how to recognise phishing emails, suspicious links, and fraudulent websites. This should include practical examples relevant to the maritime environment - fake port agent communications, fraudulent charter party documents, and spoofed emails from classification societies or flag state administrations are all common tactics used against vessel personnel.
USB device policies
USB devices are one of the primary vectors for introducing malware to air-gapped or semi-isolated vessel systems. Training must cover the company's policy on USB device use, including which devices are permitted, which systems they may be connected to, and what scanning or approval processes must be followed. Crew should understand why plugging a personal USB drive into a bridge workstation is a serious security risk, not merely a rule violation.
Password management
Training should cover the vessel's password policies, including minimum complexity requirements, rotation schedules, and the prohibition on sharing credentials. Crew members need to understand why default passwords on bridge equipment, engine monitoring systems, and navigation computers create critical vulnerabilities. Practical guidance on creating and managing strong passwords - including the use of passphrases - should be included.
Incident reporting procedures
Every crew member must know how to report a suspected cyber incident. Training should cover the specific reporting chain - who to notify first, what information to include in the initial report, and what immediate actions to take (or avoid taking). Crew should understand that reporting is expected and encouraged, even if the event turns out to be a false alarm. A culture where crew hesitate to report suspicious activity because they fear blame is a culture that will miss the early warning signs of a real attack.
Social engineering awareness
Social engineering attacks target people rather than systems. Training should cover common tactics including pretexting (someone posing as a port authority, service engineer, or company IT support), baiting (leaving infected USB drives in accessible locations), and tailgating (gaining physical access to restricted areas by following authorised personnel). Maritime-specific scenarios - such as a caller claiming to be from the flag state administration requesting remote access to vessel systems - should be included.
Drill Requirements
Training alone is not sufficient. Both USCG and IMO require regular drills and exercises to test the vessel's cyber incident response capabilities. Drills serve two purposes: they verify that procedures work in practice, and they reinforce training by giving crew hands-on experience with cyber incident response.
USCG drill mandates
The USCG under 33 CFR 101.645 mandates regular cybersecurity drills. These drills must be documented with the date, scenario, participants, findings, and any corrective actions identified. The regulation requires both tabletop exercises and functional drills.
Tabletop exercises are discussion-based sessions where the team walks through a cyber incident scenario and discusses their response. These are lower-effort to organise and are effective for testing decision-making processes, communication chains, and role understanding. A typical tabletop might present a ransomware scenario affecting ECDIS and ask participants to work through containment, communication, and recovery steps.
Functional drills are hands-on exercises that test specific response procedures. These might include isolating a compromised system from the network, switching to backup navigation equipment, executing the NRC notification process, or restoring a system from backup. Functional drills are more resource-intensive but provide much stronger evidence that procedures actually work.
The USCG expects drill frequency to align with the vessel's security plan. At minimum, cybersecurity drills should be conducted quarterly, with a comprehensive exercise annually. Drill findings must be documented and corrective actions tracked to closure.
IMO drill expectations
The IMO does not prescribe specific drill frequencies for cyber events, but the ISM Code's general requirements for drills and exercises extend to cyber risk management. Flag state auditors expect to see evidence that cyber scenarios have been included in the vessel's drill program, and that findings from drills have been used to improve procedures. Integrating cyber scenarios into existing safety drills - such as adding a cyber component to an emergency communication drill - is an effective approach.
The Documentation Challenge
The hardest part of crew cyber security training is not delivering the training itself. It is maintaining the documentation across crew rotations, multiple vessels, and changing regulatory requirements. Every crew member's training status must be tracked individually, with evidence of what training was completed, when, and by whom it was delivered. Certification expiry dates must be monitored. Drill records must be maintained with findings and corrective action status.
For operators managing a fleet with rotating international crews, this quickly becomes a significant administrative burden. Spreadsheet-based tracking systems break down when crew join from different manning agencies with different training backgrounds, when certificates expire at different intervals, and when auditors request evidence at short notice.
How NCoDE Command Tracks Training Compliance
NCoDE Command provides integrated modules specifically designed to solve the training documentation challenge for maritime cyber security.
Training Matrix
The Training Matrix tracks every crew member's cybersecurity training status against role-based requirements. When a new crew member joins the vessel, their existing training records are entered into the system and compared against the requirements for their role. Any gaps are immediately visible, allowing the vessel to address training deficiencies before the next port state inspection.
The system distinguishes between general awareness training, CySO-level training, and role-specific modules for masters, chief engineers, and ETOs. Each training record captures the course content, completion date, provider, and expiry date. Automatic alerts fire at 90, 60, and 30 days before any certification expires, giving the vessel and shore office time to arrange renewal training.
Certification expiry tracking
Integrated with the LDAP directory, NCoDE Command links training certifications directly to personnel identities. When crew rotate, their training records persist in the system. When they return for a subsequent rotation, their current training status is immediately available. This continuity across rotations solves one of the biggest pain points in maritime training management - the loss of training history during crew changes.
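To make the role-based gap check and the 90/60/30-day expiry alerting described above concrete, here is an added Python example; it is not NCoDE Command's code, and the role requirements, module names, provider and dates are constructed for illustration.

```python
from datetime import date
from typing import NamedTuple, Optional

# Constructed role-based requirements; module names are hypothetical, not NCoDE's.
ROLE_REQUIREMENTS = {
    "chief-engineer": {"cyber-awareness", "ot-engine-automation"},
    "cyso": {"cyber-awareness", "cyso-risk-management", "cyso-incident-response"},
}
ALERT_DAYS = (30, 60, 90)  # ascending, so the tightest threshold crossed is reported

class TrainingRecord(NamedTuple):
    module: str
    completed: date
    provider: str
    expires: Optional[date]  # None: certificate does not expire

def training_status(role, records, today):
    # Compare one crew member's records against their role; return (missing, expired, alerts).
    required = ROLE_REQUIREMENTS[role]
    latest = {}  # newest record per module; older rotations are superseded, not lost
    for rec in records:
        if rec.module not in latest or rec.completed > latest[rec.module].completed:
            latest[rec.module] = rec
    held = required & set(latest)
    missing = sorted(required - set(latest))
    expired = sorted(m for m in held if latest[m].expires and latest[m].expires < today)
    alerts = {}  # module -> (alert threshold crossed, days until expiry)
    for m in held:
        exp = latest[m].expires
        if exp is None or exp < today:
            continue
        days_left = (exp - today).days
        threshold = next((d for d in ALERT_DAYS if days_left <= d), None)
        if threshold is not None:
            alerts[m] = (threshold, days_left)
    return missing, expired, alerts

def is_compliant(role, records, today):
    missing, expired, _ = training_status(role, records, today)
    return not missing and not expired

# Constructed sample records for a status check dated 1 March 2026
CHECK_DATE = date(2026, 3, 1)
ENGINEER = [  # 2025 refresher supersedes the 2024 record; OT module never taken
    TrainingRecord("cyber-awareness", date(2024, 4, 1), "Example Academy", date(2025, 4, 1)),
    TrainingRecord("cyber-awareness", date(2025, 4, 10), "Example Academy", date(2026, 4, 10)),
]
CYSO = [  # incident-response certificate lapsed in January; risk module expiring soon
    TrainingRecord("cyber-awareness", date(2026, 1, 1), "Example Academy", None),
    TrainingRecord("cyso-risk-management", date(2025, 3, 20), "Example Academy", date(2026, 3, 20)),
    TrainingRecord("cyso-incident-response", date(2025, 1, 15), "Example Academy", date(2026, 1, 15)),
]
```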
Drill records and findings
The Drill Scheduler module allows cybersecurity drills to be planned, executed, and documented within a single system. Each drill record captures the scenario, date, participants, observations, and findings. The Findings Tracker links drill findings to specific corrective actions with assigned owners and target completion dates. Drill frequency compliance is monitored automatically, alerting the vessel when drills are overdue.
Audit evidence generation
When a USCG examiner or flag state auditor requests evidence of training compliance, NCoDE Command can generate a complete training status report for every crew member currently onboard. This report shows their role, required training, completed training, certification status, and any gaps. Drill records with findings and corrective action status are available in the same system. This eliminates the scramble to assemble training evidence from multiple sources during an inspection.