Applies to all ISM-audited vessels. In effect since January 2024.
IMO Resolution MSC.428(98) requires cyber risk management to be incorporated into the Safety Management System (SMS) no later than the first annual verification of the Document of Compliance after 1 January 2021. MSC-FAL.1/Circ.3 provides the guidelines — based on the NIST Cybersecurity Framework — for how to do it. NCoDE Command turns those guidelines into operational controls, auditable evidence, and automated SMS chain reporting.
MSC-FAL.1/Circ.3 recommends adopting the NIST Cybersecurity Framework as the foundation for maritime cyber risk management. The framework defines five core functions, each with specific outcomes that must be addressed within the vessel’s Safety Management System. NCoDE implements all five with maritime-specific controls.
The Identify function requires understanding the cyber risks to systems, people, assets, data, and capabilities. NCoDE’s Asset Management module maintains an inventory of all shipboard IT and OT systems — from bridge navigation computers to engine room PLCs. Each asset is classified by criticality and linked to the personnel responsible for it. The LDAP integration maps crew roles to system access, ensuring that the organisation understands who has access to what. Risk entries in the Risk Register tie each identified threat to the specific systems it affects, creating the foundation for all subsequent risk management activities. This feeds directly into the ISM Code’s requirement for hazard identification under the SMS.
The Protect function develops and implements safeguards to limit the impact of a potential cybersecurity event. NCoDE addresses this through multiple layers: role-based access control (RBAC) via LDAP ensures crew members only access systems appropriate to their role. The Software Allowlist prevents unauthorised applications from running on shipboard workstations. The Vendor Management module controls third-party access with session logging and DPA tracking. Backup Verification monitors backup schedules with RPO/RTO targets and restore testing records, ensuring that contingency plans are not just documented but verified. The Change Control Board manages all system modifications through a structured workflow, preventing unauthorised changes that could introduce vulnerabilities.
The Detect function implements activities to identify cybersecurity events in a timely manner. NCoDE integrates with Wazuh, an open-source SIEM platform, to provide continuous monitoring of all managed shipboard endpoints. The PC Security Overview dashboard displays the real-time security status of every workstation — patch level, vulnerability count, last check-in time, and active alerts. Automated vulnerability scanning identifies new CVEs across the fleet of shipboard PCs, creating actionable patch lifecycle entries. The Audit Log captures every significant event across the platform, providing the detection evidence that auditors and flag state inspectors require. This continuous monitoring capability is what separates genuine IMO compliance from a paper exercise.
The Respond function develops and implements activities to take action regarding a detected cybersecurity event. For maritime operations, this means activating the SMS reporting chain. NCoDE’s Incident Response module provides a guided decision tree that classifies the incident and determines the appropriate reporting obligations. When a cyber incident is created, the system automatically generates SMS chain notifications with deadline tracking: the Captain reports immediately per standing orders, the DPA is notified per SMS procedures, the Company Security Officer is informed, and flag state notification deadlines are created. Each step in the chain is tracked with timestamps, status, and evidence — proving to auditors that the SMS was followed. The incident timeline captures every action, communication, and decision made during response.
The Recover function develops and implements activities to maintain resilience and restore capabilities after a cybersecurity incident. NCoDE supports this through Backup Verification — tracking backup status, restore testing, and recovery time objectives for all critical systems. When an incident is resolved, the system captures lessons learned, root cause analysis, and corrective actions. These feed back into the Risk Register as updated risk entries, closing the loop between incident response and ongoing risk management. The Change Control Board tracks any system modifications made during recovery, ensuring that emergency changes are properly documented and reviewed. Recovery evidence is linked to the incident record, creating a complete audit trail from detection through resolution.
The ISM Code requires a clear chain of reporting for all safety-related events, including cyber incidents that could affect vessel safety. NCoDE automates the entire SMS notification chain, creating deadlines at each stage and tracking completion.
Immediate notification per standing orders. NCoDE creates the incident record and timestamps the Captain’s initial report.
Designated Person Ashore notified per SMS procedures. NCoDE tracks notification time and acknowledgement.
CSO informed for ISPS and cyber assessment. NCoDE logs the notification and tracks response actions.
Notification to the flag state administration as required. NCoDE creates the deadline and tracks submission status.
A single cyber incident on a vessel can trigger three reporting obligations simultaneously: the IMO SMS chain (Captain → DPA → Company → Flag State), NIS2 Article 23 three-stage reporting (24h early warning → 72h detailed notification → 30d final report), and USCG NRC notification for vessels operating in US waters. NCoDE manages all three in parallel from a single incident record. Each framework has its own deadline tracker, notification status, and evidence chain — but all draw from the same underlying incident data, eliminating the duplication and inconsistency that plagues manual reporting processes.
This parallel reporting capability is particularly critical for vessels that call at both EU and US ports. Without it, compliance teams must maintain separate tracking systems for each jurisdiction, often resulting in missed deadlines or contradictory reports. NCoDE ensures that a single source of truth drives all regulatory notifications.
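The parallel-deadline idea above can be shown in code. The following is an added example written for this page, not NCoDE Command's own code. It derives every framework's obligations from one detection timestamp and reports their status. The NIS2 Article 23 offsets (24h, 72h, 30d) are the ones stated on the page; the IMO chain order (Captain, DPA, CSO, Flag State) is also from the page, but only the Captain's report is "immediate", so the DPA, CSO and Flag State offsets, and the USCG NRC offset, are placeholders a company would set from its own SMS procedures and applicable rules.

```python
"""Parallel regulatory deadline tracking from a single incident record.

Added example (not NCoDE Command code). Offsets marked PLACEHOLDER are not
regulatory values; replace them with the company's SMS figures.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# PLACEHOLDER offsets: assumed for illustration only.
DPA_OFFSET_PLACEHOLDER = timedelta(hours=1)
CSO_OFFSET_PLACEHOLDER = timedelta(hours=4)
FLAG_STATE_OFFSET_PLACEHOLDER = timedelta(hours=24)
USCG_NRC_OFFSET_PLACEHOLDER = timedelta(hours=24)

IMO_SMS_CHAIN = [
    ("Captain report", timedelta(0)),  # immediate, per standing orders (from page)
    ("DPA notified", DPA_OFFSET_PLACEHOLDER),
    ("CSO informed", CSO_OFFSET_PLACEHOLDER),
    ("Flag State notified", FLAG_STATE_OFFSET_PLACEHOLDER),
]
NIS2_ART23_STAGES = [  # three-stage reporting as stated on the page
    ("early warning", timedelta(hours=24)),
    ("detailed notification", timedelta(hours=72)),
    ("final report", timedelta(days=30)),
]


@dataclass
class Obligation:
    framework: str
    stage: str
    due: datetime
    completed_at: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        """done / late (completed after due) / open / overdue."""
        if self.completed_at is not None:
            return "late" if self.completed_at > self.due else "done"
        return "overdue" if now > self.due else "open"


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    eu_port_calls: bool  # NIS2 reporting applies
    us_waters: bool  # USCG NRC notification applies
    obligations: list[Obligation] = field(default_factory=list)


def build_obligations(incident: Incident) -> list[Obligation]:
    """Derive every framework's deadlines from the one detection timestamp."""
    t0 = incident.detected_at
    obs = [Obligation("IMO SMS chain", s, t0 + off) for s, off in IMO_SMS_CHAIN]
    if incident.eu_port_calls:
        obs += [Obligation("NIS2 Art. 23", s, t0 + off) for s, off in NIS2_ART23_STAGES]
    if incident.us_waters:
        obs.append(Obligation("USCG NRC", "notification", t0 + USCG_NRC_OFFSET_PLACEHOLDER))
    incident.obligations = obs
    return obs


def record_completion(incident: Incident, framework: str, stage: str, when: datetime) -> Obligation:
    """Timestamp one stage as completed; the evidence stays on the incident record."""
    for ob in incident.obligations:
        if ob.framework == framework and ob.stage == stage:
            ob.completed_at = when
            return ob
    raise KeyError(f"no obligation {framework}/{stage} on {incident.incident_id}")


def overdue(incident: Incident, now: datetime) -> list[Obligation]:
    return [ob for ob in incident.obligations if ob.status(now) == "overdue"]


def next_due(incident: Incident) -> Optional[Obligation]:
    """Earliest not-yet-completed obligation across all frameworks."""
    pending = [ob for ob in incident.obligations if ob.completed_at is None]
    return min(pending, key=lambda ob: ob.due) if pending else None


def status_by_framework(incident: Incident, now: datetime) -> dict[str, list[tuple[str, str]]]:
    report: dict[str, list[tuple[str, str]]] = {}
    for ob in incident.obligations:
        report.setdefault(ob.framework, []).append((ob.stage, ob.status(now)))
    return report


def sample_incident() -> tuple[Incident, datetime]:
    """Constructed sample (not a real event): EU and US obligations both apply."""
    t0 = datetime(2024, 3, 1, 6, 0, tzinfo=timezone.utc)
    inc = Incident("INC-SAMPLE", t0, eu_port_calls=True, us_waters=True)
    build_obligations(inc)
    record_completion(inc, "IMO SMS chain", "Captain report", t0)
    record_completion(inc, "IMO SMS chain", "DPA notified", t0 + timedelta(minutes=30))
    record_completion(inc, "IMO SMS chain", "CSO informed", t0 + timedelta(hours=5))
    record_completion(inc, "NIS2 Art. 23", "early warning", t0 + timedelta(hours=14))
    return inc, t0 + timedelta(hours=74)  # "now" is 74h after detection


if __name__ == "__main__":
    inc, now = sample_incident()
    for fw, stages in status_by_framework(inc, now).items():
        print(fw, stages)
    print("next due:", next_due(inc))
```

In the sample, 74 hours after detection the 72h NIS2 detailed notification and the placeholder Flag State and USCG stages show as overdue while the 30-day final report stays open; the CSO stage, completed after its placeholder offset, is flagged "late" rather than silently "done", which is the distinction an auditor will look for.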
IMO guidelines specifically address cyber risks to safety-critical shipboard systems. NCoDE classifies incidents by their impact on vessel safety functions, not just IT severity. This maritime-specific approach ensures that flag state inspectors see the safety context, not just a generic IT incident report.
ECDIS compromise, GPS spoofing, chart display manipulation, radar interference, AIS tampering. NCoDE tracks impact on safe navigation capabilities and COLREGS compliance.
Engine control system compromise, propulsion management interference, auxiliary system manipulation. NCoDE tracks impact on vessel manoeuvrability and SOLAS Chapter II-1 compliance.
GMDSS disruption, VSAT compromise, crew communication interference, DSC system tampering. NCoDE assesses impact on distress alerting and SOLAS Chapter IV requirements.
Cargo monitoring system compromise, ballast control interference, tank gauging manipulation. NCoDE evaluates impact on vessel stability and MARPOL compliance.
ISPS access control compromise, CCTV system interference, alarm system tampering. NCoDE tracks impact on the vessel security plan and ISPS Code compliance.
Fire detection/suppression interface, life-saving appliance monitoring, emergency shutdown systems. NCoDE evaluates impact on SOLAS life safety and LSA Code requirements.
NCoDE’s incident classification includes maritime-specific cyber threat types that generic IT incident management tools miss entirely: GPS spoofing attacks that affect position reporting, AIS tampering that creates phantom vessels or hides the ship from traffic monitoring, ECDIS compromise that could display incorrect chart data, and engine control system ransomware that could disable propulsion. Each incident type is pre-mapped to the affected safety functions, the relevant IMO regulations, and the appropriate SMS reporting chain — so the response team does not need to determine reporting obligations from scratch during a crisis.
Common questions about IMO maritime cyber risk management guidelines and ISM Code integration.
IMO guidelines on maritime cyber risk management, in effect since January 2024. Based on the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) adapted for maritime operations. Applies to all vessels subject to ISM Code audits.
Under the ISM Code, cyber incidents must be reported through the Safety Management System chain: the Captain reports immediately, the DPA (Designated Person Ashore) is notified, the Company Security Officer is informed, and then the Flag State is notified as required. NCoDE tracks each stage with deadlines.
Cyber risks must be incorporated into the vessel’s existing Safety Management System. This means cyber risk assessment alongside operational risks, cyber incident procedures alongside emergency procedures, and cyber training alongside safety training. NCoDE links cyber incidents directly to ISM procedures.
Navigation systems (GPS, ECDIS, AIS), propulsion control systems, communications (GMDSS, VSAT), cargo management systems, and safety systems (fire detection, ballast water). NCoDE classifies incidents by their impact on each critical system category.
Yes, for all vessels subject to ISM Code audits. Flag states and classification societies verify compliance during ISM audits and port state control inspections. Failure to demonstrate cyber risk management can result in ISM non-conformities.
NCoDE Command implements every IMO MSC-FAL.1/Circ.3 recommendation as an operational control with audit evidence. See how it fits alongside NIS2, USCG, and classification society requirements in the full compliance matrix.