Quick Reference

| Framework | Applies To | Risk Assessment | Crew Training | Incident Response | Documentation |
|---|---|---|---|---|---|
| IMO MSC-FAL.1/Circ.3 | All flag state vessels | ✓ | Annual | ✓ | SMS |
| USCG 33 CFR 101.650 | US-flagged / MTSA vessels & facilities | ✓ | Annual | ✓ | Records |
| NIST CSF 2.0 | All operators (voluntary baseline) | | | | |
| IEC 62443 | OT/IACS systems on vessels | | | | |
| ISM Code | SOLAS vessels & operators | ✓ (via SMS) | | ✓ | SMS |
IMO MSC-FAL.1/Circ.3/Rev.3
Maritime Cyber Risk Management Guidelines
April 2025 Revision | All Flag State Vessels
Maverick covers: Risk assessment, network security design, and crew training documentation — all aligned to IMO Section 3.

What it requires

The IMO's Guidelines on Maritime Cyber Risk Management direct flag states to ensure that cyber risk is appropriately addressed in existing safety and security management systems. The guidelines are integrated into the ISM Code framework.

  • §3.2 — Cyber Risk Assessment: Identify, analyse, and evaluate cyber risks to shipboard systems including navigation, propulsion, cargo management, and communication systems. (Addressed by Maverick's SOW-A Maritime Cyber Risk Assessment.)
  • §3.5 — Awareness & Training: All crew should be aware of cyber risks and their role in managing them. Annual training is required and must be integrated into the vessel's Safety Management System. (Addressed by DeckSecure annual training sessions.)
  • §3.3 — Vulnerability Identification: Identify systems, assets, data, and capabilities that, if disrupted, pose risks to the ship's operations, safety, or environment.
  • §3.6 — Response & Recovery: Develop plans and procedures for responding to and recovering from cyber incidents, including backup and restoration of critical systems.
January 2021: IMO Resolution MSC.428(98) in effect. Cyber risk management required in Safety Management Systems for all SOLAS vessels.

April 2025: MSC-FAL.1/Circ.3/Rev.3 issued. Current revision of the Guidelines, strengthening requirements for annual crew training and documentation.
USCG 33 CFR Part 101.650
Cybersecurity in the Marine Transportation System
Final Rule (July 2025) | MTSA Vessels & Facilities
Deadline passed. Initial training was due January 12, 2026. New personnel must be trained within 30 days of hire.

What it requires

The USCG's binding regulation applies to U.S.-flagged vessels, MTSA-regulated facilities, and outer continental shelf facilities. Unlike IMO guidelines, this is federal law with enforcement authority.

  • §101.650(d)(1) — Training Topics: Annual training must cover (i) recognizing cyber threats, (ii) detecting cyber incidents, (iii) cyber hygiene practices, and (iv) reporting procedures. (DeckSecure covers all four required topic areas.)
  • §104.235 / §105.225 / §106.230 — Record Keeping: Operators must maintain training records. DeckSecure's completion certificate and session report are structured specifically to satisfy these requirements. (DeckSecure auto-generates compliant records at session end.)
  • §101.650(b) — Cybersecurity Plan: Covered vessels and facilities must develop, implement, and maintain a Cybersecurity Plan addressing risk assessment, access control, incident response, and training.
  • §101.650(d)(2) — Key Personnel: Certain personnel must have enhanced training covering their roles and responsibilities during a cyber incident.
NIST CSF 2.0
Cybersecurity Framework
Version 2.0 (Feb 2024) | All Operators (Voluntary Baseline)
Maverick uses NIST CSF 2.0 as the primary organizing framework for all risk assessments and gap analyses.

Six core functions

NIST CSF 2.0 provides the underlying structure for Maverick's assessments and gap analyses. It integrates with IMO and USCG requirements, providing a globally recognized benchmark for maritime cyber posture.

  • Govern (GV): Establish organizational policies, roles, and accountability for cybersecurity risk management.
  • Identify (ID): Asset management, risk assessment, and vulnerability identification across IT/OT systems.
  • Protect (PR): Access control, data security, network segmentation, and training programs.
  • Detect (DE): Anomaly detection, monitoring, and continuous assessment of security controls.
  • Respond (RS): Response planning, communications, analysis, and mitigation during incidents.
  • Recover (RC): Recovery planning, communications, and system restoration after incidents.
IEC 62443
Industrial Automation & Control Systems Security
OT / IACS Systems | Operational Technology

Why it matters for maritime

IEC 62443 addresses the security of Industrial Automation and Control Systems — the OT layer that controls propulsion, engine management, navigation, and cargo handling on modern vessels. The IT/OT convergence risk is where most maritime cyber incidents originate.

  • Zone & Conduit Model: Defines how to segment OT systems into security zones and control data flows through conduits — the foundation of VLAN design for bridge and engine networks.
  • Security Levels (SL 1–4): Tiered security levels allow operators to apply proportionate controls based on system criticality — navigation systems typically require SL 2 or higher.
  • Integration with NIST CSF: Maverick's assessments cross-reference IEC 62443 controls with NIST CSF functions, providing a unified view of IT and OT security posture.
Get Compliant

Not sure where you stand?

Schedule a free 30-minute Maritime Cyber Readiness Check. We'll walk through your current posture against these frameworks and tell you where the gaps are.
