If you are an ASTM Compass Subscriber and this document is part of your subscription, you can access it for free at ASTM Compass
    ASTM F3449 - 20

    Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges

    Active Standard ASTM F3449 | Developed by Subcommittee: F25.07

    Book of Standards Volume: 01.08

      Format Pages Price  
    PDF 16 $60.00   ADD TO CART
    Hardcopy (shipping and handling) 16 $60.00   ADD TO CART

    Significance and Use

    5.1 ISM Code Requirement—In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention that is now the International Safety Management (ISM) Code that was made mandatory for ships trading on international waters through the International Convention for the Safety of Life at Sea, 1974 (SOLAS). In 1995, the IMO Assembly adopted the guidelines on implementation of the ISM Code by administrations by Resolution A.788(19). These guidelines were revised and adopted as Resolution A.913(22) in 2001. The guidelines were further revised and adopted as Resolution A.1022(26) in 2009 and entered into force on 1 July 2010.

    5.1.1 ISM Code Purpose—The ISM Code is designed to improve the safety of international shipping and reduce pollution by encouraging self-regulation and oversight for identifying safety issues, taking corrective action, and promoting overall organization safety culture. The ISM Code establishes an international standard for the safe management and operation of ships and for the implementation of a SMS operating internationally.

    5.1.2 ISM Code Intent—The intent of the ISM Code is to support and encourage the development of a safety culture in shipping by moving away from a culture of “unthinking” compliance with external rules toward a culture of “thinking” self-regulation of safety and the development of a “safety culture” that identifies safety issues and concerns and promotes proactive corrective actions. The safety culture involves moving to a culture of self-regulation with every individual from the top to the bottom empowered to ownership, responsibility, and action for improving and addressing safety.

    5.2 Additional Applications—In addition to the ISM Code requirements, Flag States, industry organizations, and companies have initiated mandatory and nonmandatory SMS. All of these systems are being instituted to improve operational safety, identify safety issues, promote implementation of corrective actions, and improve overall organizational safety culture.

    5.2.1 Application/Use of Guide—The intention of this guide is to leverage mandatory or voluntary safety management systems already in place to identify and address proactively cybersecurity issues that is a critical and ever-increasing safety concern in maritime operations. The intent of this guide is to provide items for consideration, recommendations, and contribute to the thought process for incorporating cyber elements into existing SMSs by providing information, structure, and elements for consideration in working through the process.

    5.2.2 Limitation of Guide—This guide is not all encompassing but provides a foundation for starting the process by leveraging existing resource to address cybersecurity issues beginning with basic cyber hygiene and running all the way through nefarious intentional cyberattacks. This guide is interned to serve the entire maritime community but will be most beneficial to resource constrained organizations that may not have significant infrastructure or resources or both to secure comprehensive cybersecurity services and solutions.

    5.2.3 Focus Topics for Applying the Guide—Considerations that are covered in the guide include management of change, cyber risk assessment, development of mitigation strategies, implementation, training, documentation, auditing, as well as examples of template language that can be leverage in SMS applications.

    1. Scope

    1.1 This guide is designed to provide the maritime industry guidance, information, and options for incorporating cyber elements into safety management systems (SMS) in accordance with the International Safety Management (ISM) Code and other national (United States) and international requirements.

    1.2 This guide will support U.S. maritime operating companies but is a guide only and does not recommend a specific course of action. However, this guide is to be used to improve cyber safety, address vulnerability, recommend and outline training, and raise knowledge and awareness of cyber threats by leveraging documented, auditable SMS mechanisms.

    1.3 The purpose of this guide is to offer guidance, information, and options based on a consensus of opinions but not to establish a standard practice. Each organization shall evaluate their SMS, their information management systems at sea and ashore, and the level of cyber risk that exists within the organization to determine the best methods of compliance with the cybersecurity requirements of the ISM Code or other legal or self-imposed requirements or both.

    1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.

    1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

    2. Referenced Documents (purchase separately) The documents listed below are referenced within the subject standard but are not provided as part of the standard.

    2.1 ISO Standards

    ISO 9001:2015 Quality Management Systems Requirements, Section 7.5, Documented Information

    ISO/IEC 27000:2018 Information Technology Security Techniques Information Security Management Systems Overview and Vocabulary

    USCG Guidance and Policy

    NVIC 05-17 Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities

    USCG CG-5P Policy Letter 08-16 Reporting Suspicious Activity and Breaches of Security

    Other Standards

    46 CFR Subchapter M Towing Vessels Available from U.S. Government Printing Office, Superintendent of Documents, 732 N. Capitol St., NW, Washington, DC 20401-0001, http://www.access.gpo.gov.

    IMO Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems Available from the International Maritime Organization, http://www.imo.org/en/OurWork/Security/Guide_to_Maritime_Security/Documents/Resolution%20MSC.428(98).pdf.

    The International Safety Management (ISM) Code Chapter IX of the International Convention for the Safety of Life at Seal (SOLAS) Available from International Maritime Organization (IMO), 4, Albert Embankment, London SE1 7SR, United Kingdom, http://www.imo.org.

    Referencing This Standard
    Link Here
    Link to Active (This link will always route to the current Active version of the standard.)

    DOI: 10.1520/F3449-20

    Citation Format

    ASTM F3449-20, Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges, ASTM International, West Conshohocken, PA, 2020, www.astm.org

    Back to Top