Understanding NIST CSF 2.0 Tiers
CSF Tiers characterize the rigor of an organization's cybersecurity risk governance and management practices, providing context for how an organization views and manages cybersecurity risks.
What Are CSF Tiers?
The Tiers place an organization's practices on a range from Partial (Tier 1) to Adaptive (Tier 4). They reflect a progression from informal, ad hoc responses to approaches that are agile, risk-informed, and continuously improving.
Tiers should complement an organization's cybersecurity risk management methodology rather than replace it. Progression to higher Tiers is encouraged when risks or mandates are greater, or when a cost-benefit analysis indicates a feasible and cost-effective reduction of negative cybersecurity risks.
Why Do CSF Tiers Matter?
CSF Tiers serve several important purposes within an organization's cybersecurity program:
- Self-Assessment — Help organizations understand their current cybersecurity maturity level
- Goal Setting — Enable organizations to define target states for improvement
- Communication — Provide a common language for discussing cybersecurity posture with stakeholders
- Progress Tracking — Allow organizations to monitor improvements over time
- Benchmarking — Serve as an organization-wide benchmark for managing cybersecurity risks
The Four CSF Tiers
Tier 1: Partial
Risk Governance
Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Risk Management
- Limited awareness of cybersecurity risks at the organizational level
- Cybersecurity risk management occurs on an irregular, case-by-case basis
- No processes to enable cybersecurity information sharing within the organization
- Generally unaware of cybersecurity risks from suppliers and acquired products/services
Tier 2: Risk Informed
Risk Governance
Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization is directly informed by organizational risk objectives, threat environment, or business/mission requirements.
Risk Management
- Awareness of cybersecurity risks exists but no organization-wide approach established
- Cybersecurity considered at some but not all levels of the organization
- Risk assessment occurs but is not typically repeatable or recurring
- Cybersecurity information shared informally within the organization
- Aware of supplier risks but does not act consistently or formally in response
Tier 3: Repeatable
Risk Governance
Risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Practices are regularly updated based on changes in business/mission requirements, threats, and technology.
Risk Management
- Organization-wide approach to managing cybersecurity risks
- Cybersecurity information routinely shared throughout the organization
- Consistent methods in place to respond effectively to changes in risk
- Personnel possess knowledge and skills for their roles
- Consistent and accurate monitoring of asset cybersecurity risks
- Regular executive communication about cybersecurity risks
- Supplier risks addressed through formal mechanisms (written agreements, governance structures, policies)
Tier 4: Adaptive
Risk Governance
Organization-wide approach uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risks and organizational objectives is clearly understood. Executives monitor cybersecurity risks alongside financial and other organizational risks. Cybersecurity risk management is part of the organizational culture and evolves from continuous awareness of activities on systems and networks.
Risk Management
- Cybersecurity practices adapt based on lessons learned and predictive indicators
- Continuous improvement incorporating advanced technologies and practices
- Active adaptation to changing technological landscape and sophisticated threats
- Real-time or near real-time understanding and action on supplier risks
- Cybersecurity information constantly shared throughout the organization and with authorized third parties
How to Use CSF Tiers
When applying CSF Tiers to your organization, consider the following:
- Select Tiers at the overall, Function, or Category level for a comprehensive view of risk management practices
- Consider current practices, threat environment, legal requirements, and organizational constraints
- Ensure selected Tiers help meet organizational goals and are feasible to implement
- Use Tiers to inform Current and Target Profiles for gap analysis
- Progress to higher Tiers when risks or mandates require it