Guide · 7 min read · Last reviewed 27 April 2026
What is TMSA, and what is Element 13?
The Tanker Management and Self Assessment (TMSA) programme, published by the Oil Companies International Marine Forum (OCIMF), is the framework tanker operators use to self-assess their management systems — and that oil majors lean on when deciding whether to accept a vessel. The third edition (TMSA 3) is organised into thirteen elements covering everything from leadership to navigation to environmental management.
Element 13 covers maritime security — and that now explicitly includes cyber security. It is where an operator demonstrates that cyber risk to the vessel and the shore organisation is identified, managed and improved over time, alongside physical and ISPS-style security.
How the staged KPIs work
TMSA does not score pass/fail. Each element is built from Key Performance Indicators grouped into four stages, where each stage represents increasing maturity:
- Stage 1 — foundational: policies and procedures are in place.
- Stage 2 — the procedures are implemented and supported with the right resources and responsibilities.
- Stage 3 — performance is measured and reviewed.
- Stage 4 — the system is continually improved, often using leading indicators and benchmarking.
For cyber under Element 13 that means: a Stage 1 operator has a cyber policy and basic controls; a Stage 4 operator measures the effectiveness of those controls, reviews them, and demonstrably improves. Operators self-assess honestly, because vetting inspectors and charterers will probe whether the claimed stage is supported by evidence.
What cyber controls Element 13 expects
The areas tankers are expected to address line up closely with the wider maritime cyber baseline:
- Endpoint protection against malware on shipboard and shore systems.
- Access control — accountable, least-privilege access with strong authentication.
- Removable media / USB policy and enforcement, a long-standing maritime weak point.
- Vulnerability and patch management across connected systems.
- An audit trail showing the controls operate and incidents are handled.
- Awareness and training for crew and shore staff.
Because SIRE 2.0 — OCIMF's inspection regime — has integrated cyber questions into the on-board inspection itself, the same evidence that supports your TMSA self-assessment is what an inspector may look to confirm during a SIRE inspection.
What evidence keeps you charter-ready
The practical bar is being able to show, per vessel and on demand, that the Element 13 controls are operating: current endpoint protection status, access and MFA configuration, USB / removable-media enforcement records, vulnerability and patch status, and a defensible audit log. Charterers move quickly; an operator who can produce a current cyber evidence pack in minutes — rather than promising to "send it after the fixture" — has a real commercial advantage.
How Navis Arca helps
Navis Arca runs the Element 13 controls — endpoint protection, removable-media policy, access control, vulnerability management, audit logging — on every vessel endpoint, and turns them into a vetting-ready PDF in two clicks: pick TMSA 3, pick the vessel, download. The same evidence base also covers BIMCO V5 and IMO MSC.428(98), so the next charterer or port-state query is answered from one source. See the compliance matrix for the full mapping.
- TMSA 3 Element 13 is maritime security, and now explicitly includes cyber.
- It is scored across four maturity stages, not pass/fail — claimed stages must be evidenced.
- SIRE 2.0 brings the same cyber questions into the on-board inspection.
- Being able to produce a current, per-vessel cyber evidence pack on demand is a commercial advantage at fixture.
This guide is general information for fleet operators and does not constitute compliance or legal advice. Always confirm requirements with OCIMF programme documentation and your vetting counterparts.