NIST Cybersecurity Tiers


NIST has defined four Framework Implementation Tiers in the Cybersecurity Framework (version 1.1). These Tiers describe how well an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework, along three dimensions: the organization’s risk management process, the degree to which risk management is integrated into an organization-wide program, and its participation with external parties. The Tiers range from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). In plain terms, Tier 1 organizations have ineffective risk management methods, Tier 2 have informal risk management methods, Tier 3 have structured risk management methods, and Tier 4 have adaptive risk management methods. These four Tiers are summarized below:
  • Tier 1 organizations have ineffective risk management methods.
    They have unsystematic risk management processes, unreliable risk
    management programs, and unresponsive risk management participation.

  • Tier 2 organizations have informal risk management methods.
    They have unfinished risk management processes, underdeveloped risk
    management programs, and incomplete risk management participation.

  • Tier 3 organizations have structured risk management methods.
    They have orderly risk management processes, robust risk management
    programs, and routine risk management participation.

  • Tier 4 organizations have adaptive risk management methods.
    They have dynamic risk management processes, responsive risk
    management programs, and interactive risk management participation.

Study the following detailed Tier definitions. Then choose the Tier that best describes
your organization’s current risk management practices: your Current Tier. Next, choose
the Tier that best describes the risk management practices that your organization would
like to implement: your Target Tier. In order to create accurate descriptions of your
current and target risk management practices, you may wish to select elements
from all of the Tiers or simply add your own items. It’s up to you.

The important thing is to accurately describe your current risk management practices
and your target risk management practices. The difference between your current risk
management practices (your Current Tier) and your target risk management practices
(your Target Tier) identifies the risk management gaps
you need to fill.

As you select or build your Target Tier, please consider your corporate mission,
business objectives, threat environment, legal and regulatory requirements, supply
chain cybersecurity expectations, information sharing practices, and resource limits.
Select or construct a Target Tier that will reduce your cybersecurity risk to acceptable
levels. Make sure that it is feasible and will help you achieve your organization’s
goals and objectives. Note that NIST does not treat the Tiers as maturity levels:
a higher Tier is not automatically better, and moving to a higher Tier is encouraged
only when a cost-benefit analysis shows a feasible and cost-effective reduction in
cybersecurity risk.


NIST Implementation Tier Definitions

Tier 1 organizations have ineffective risk management methods

A. Tier 1 organizations have unsystematic risk management processes

Unsystematic risk management process activities occur:

•  When cybersecurity risk management is unplanned.

•  When cybersecurity risk is managed in an ad hoc manner.

•  When cybersecurity risk is managed in a reactive manner.

•  When cybersecurity priorities are not informed by the organization’s context:

•  When cybersecurity priorities ignore risk objectives.

•  When cybersecurity priorities ignore corporate mission.

•  When cybersecurity priorities ignore threat environment.

•  When cybersecurity priorities ignore business requirements.

B. Tier 1 organizations have unreliable risk management programs

Unreliable risk management program delivery occurs:

•  When risk management programs are poorly organized.

•  When there is limited awareness of cybersecurity risk at the organizational level.

•  When cybersecurity risk management activities are not routinely carried out.

•  When cybersecurity risk is not well understood at the organizational level.

•  When cybersecurity information is not routinely and regularly shared.

C. Tier 1 organizations have unresponsive risk management participation

Unresponsive risk management participation occurs:

•  When an organization fails to properly understand its ecosystem:

•  When it fails to understand how it fits into its external ecosystem.

•  When it fails to understand how its dependents fit into this ecosystem (the ways in which other entities depend on it).

•  When it fails to understand how its dependencies fit into this ecosystem (the ways in which it depends on other entities).

•  When an organization fails to collaborate with external entities:

•  When it fails to share or receive information about threats:

•  When it fails to share or receive threat intelligence from ISAOs*.

•  When it fails to share or receive threat intelligence from buyers.

•  When it fails to share or receive threat intelligence from suppliers.

•  When it fails to share or receive threat intelligence from researchers.

•  When it fails to share or receive threat intelligence from dependents.

•  When it fails to share or receive threat intelligence from governments.

•  When it fails to share or receive information about best practices:

•  When it fails to discuss information about best practices with ISAOs.

•  When it fails to discuss information about best practices with buyers.

•  When it fails to discuss information about best practices with suppliers.

•  When it fails to discuss information about best practices with researchers.

•  When it fails to discuss information about best practices with dependents.

•  When it fails to discuss information about best practices with governments.

•  When it fails to share or receive information about technologies:

•  When it fails to discuss information about technologies with ISAOs.

•  When it fails to discuss information about technologies with buyers.

•  When it fails to discuss information about technologies with suppliers.

•  When it fails to discuss information about technologies with researchers.

•  When it fails to discuss information about technologies with dependents.

•  When it fails to discuss information about technologies with governments.

•  When an organization fails to appreciate its cyber supply chain risks.

•  When it fails to appreciate the cyber supply chain risks that it generates.

•  When it is unaware of the supply chain risks that its own products create.

•  When it is unaware of the supply chain risks that its own services create.

•  When it fails to appreciate the cyber supply chain risks that it experiences.

•  When it is unaware of the supply chain risks that its suppliers’ products create.

•  When it is unaware of the supply chain risks that its suppliers’ services create.

Tier 2 organizations have informal risk management methods

A. Tier 2 organizations have unfinished risk management processes

Unfinished risk management process activities occur:

•  When risk management practices have been approved by management.

•  But an organization-wide risk management policy has not been approved.

•  When cybersecurity priorities consider the larger ecosystem.

•  When cybersecurity priorities consider cybersecurity needs.

•  When cybersecurity priorities consider risk objectives.

•  When cybersecurity priorities consider corporate mission.

•  When cybersecurity priorities consider threat environment.

•  When cybersecurity priorities consider business requirements.

B. Tier 2 organizations have underdeveloped risk management programs

Underdeveloped risk management program delivery occurs:

•  When there is awareness of cybersecurity risk at the organizational level.

•  But an organization-wide approach to managing risk does not exist.

•  And informal methods are used to share information internally.

•  When some organizational programs and objectives consider cybersecurity.

•  But many organizational programs and objectives ignore cybersecurity.

•  When cybersecurity risk assessments are performed by the organization.

•  When risk assessments are carried out for the organization’s own assets.

•  But these risk assessments of corporate assets are not usually repeatable.

•  And these risk assessments of corporate assets do not usually reoccur.

•  When risk assessments are done for external assets that affect the organization.

•  But these risk assessments of external assets are not usually repeatable.

•  And these risk assessments of external assets do not usually reoccur.

C. Tier 2 organizations have incomplete risk management participation

Incomplete risk management participation occurs:

•  When an organization understands its role and how it fits into the larger ecosystem.

•  But it understands either its dependents or its dependencies, not both:

•  Either it fails to understand how dependents fit into this larger external ecosystem (the ways in which other external entities depend on it).

•  Or it fails to understand how dependencies fit into this larger external ecosystem (the ways in which it depends on other external entities).

•  When an organization collaborates and communicates with external entities.

•  And it receives some cybersecurity information from these external entities.

•  When an organization generates some of its own cybersecurity information.

•  But it often fails to share internal cybersecurity information with others.

•  When an organization is familiar with cyber supply chain security risks.

•  When it is familiar with the cyber supply chain security risks that it generates.

•  When it is aware of the supply chain security risks that its own products create.

•  But it fails to act formally to address the risks that its own products create.

•  But it fails to act consistently to address the risks that its own products create.

•  When it is aware of the supply chain security risks that its own services create.

•  But it fails to act formally to address the risks that its own services create.

•  But it fails to act consistently to address the risks that its own services create.

•  When it is familiar with the cyber supply chain security risks that it experiences.

•  When it is aware of the supply chain security risks that its suppliers’ products create.

•  But it fails to act formally to address the risks that its suppliers’ products create.

•  But it fails to act consistently to address the risks that its suppliers’ products create.

•  When it is aware of the supply chain security risks that its suppliers’ services create.

•  But it fails to act formally to address the risks that its suppliers’ services create.

•  But it fails to act consistently to address the risks that its suppliers’ services create.

Tier 3 organizations have structured risk management methods

A. Tier 3 organizations have orderly risk management processes

Orderly risk management process activities occur:

•  When risk management practices are approved by management.

•  And these risk management practices are expressed as policy.

•  And this risk management policy has been formally approved.

•  When cybersecurity practices are routinely updated as security risks change:

•  When cybersecurity practices are updated whenever the threat landscape changes.

•  When cybersecurity practices are updated whenever the corporate mission changes.

•  When cybersecurity practices are updated whenever business requirements change.

•  When cybersecurity practices are updated whenever associated technologies change.

B. Tier 3 organizations have robust risk management programs

Robust risk management program delivery occurs:

•  When there is awareness of cybersecurity risk at the organizational level.

•  And an organization-wide approach to managing cybersecurity risk exists.

•  When executives ensure that cybersecurity is considered throughout the organization.

•  When senior cybersecurity executives discuss cybersecurity risk on a regular basis.

•  When non-cybersecurity executives discuss cybersecurity risk on a regular basis.

•  When risk-based policies, procedures, and processes have been established and defined.

•  When risk-based policies, procedures, and processes have been implemented as intended.

•  When risk-based policies, procedures, and processes are regularly reviewed.

•  When personnel have the expertise needed to perform their cybersecurity tasks.

•  When they have the knowledge and skill needed to perform all relevant roles.

•  When they have the knowledge and skill needed to carry out their responsibilities.

•  When assets are consistently and accurately monitored and related risks are identified.

•  When consistent and effective methods are used to address changes in risk landscape.

C. Tier 3 organizations have routine risk management participation

Routine risk management participation occurs:

•  When an organization understands its role and how it fits into the larger ecosystem.

•  When an organization understands how its dependents fit into this larger ecosystem.

•  When an organization understands the ways in which other entities depend on it.

•  When an organization understands how its dependencies fit into this larger ecosystem.

•  When an organization understands the ways in which it depends on external entities.

•  When an organization collaborates and discusses cybersecurity with external entities.

•  And it regularly receives cybersecurity information from these external entities.

•  When an organization routinely generates its own cybersecurity information.

•  And it shares internal cybersecurity information with other entities.

•  When an organization is familiar with cyber supply chain security risks.

•  When it is familiar with the cyber supply chain security risks that it generates.

•  When it is aware of the supply chain security risks that its own products create.

•  And it usually acts formally to address the risks that its own products create.

•  When it is aware of the supply chain security risks that its own services create.

•  And it usually acts formally to address the risks that its own services create.

•  When it is familiar with the cyber supply chain security risks that it experiences.

•  When it is aware of the supply chain security risks that its suppliers’ products create.

•  And it usually acts formally to address the risks that its suppliers’ products create.

•  When it is aware of the supply chain security risks that its suppliers’ services create.

•  And it usually acts formally to address the risks that its suppliers’ services create.

•  When an organization takes action to address supply chain security risks.

•  When it uses mechanisms to communicate recommendations and requirements.

•  When it uses written agreements to communicate cybersecurity expectations.

•  When it uses written agreements to communicate governance expectations.

•  When it uses written agreements to communicate monitoring expectations.

•  When it uses written agreements to communicate baseline expectations.

•  When it uses written agreements to communicate policy expectations.

Tier 4 organizations have adaptive risk management methods

A. Tier 4 organizations have dynamic risk management processes

Dynamic risk management process activities occur:

•  When an organization actively adapts to a changing cybersecurity environment.

•  When it uses current activities to adapt to a changing cybersecurity environment.

•  When it uses current activities to adapt to a changing technology environment.

•  When it uses current activities to adapt to a changing threat environment.

•  When it uses previous activities to adapt to a changing cybersecurity environment.

•  When it uses previous activities to adapt to a changing technology environment.

•  When it uses previous activities to adapt to a changing threat environment.

•  When it uses lessons learned to adapt to a changing cybersecurity environment.

•  When it uses lessons learned to adapt to a changing technology environment.

•  When it uses lessons learned to adapt to a changing threat environment.

•  When it uses predictive indicators to adapt to a changing cybersecurity environment.

•  When it uses predictive indicators to adapt to a changing technology environment.

•  When it uses predictive indicators to adapt to a changing threat environment.

•  When an organization continuously improves its cybersecurity risk management methods.

•  When an organization continuously improves using advanced cybersecurity technologies.

•  When an organization continuously improves using advanced cybersecurity practices.

•  When an organization responds in a timely and effective manner to sophisticated threats.

•  When an organization responds in a timely and effective manner to evolving threats.

B. Tier 4 organizations have responsive risk management programs

Responsive risk management program delivery occurs:

•  When senior executives monitor and treat cybersecurity risks the same as other risks.

•  When cybersecurity risk management is an integral part of the organization’s culture.

•  When cybersecurity risk managers are continuously aware of system and network activity.

•  When cybersecurity risk management evolves as system and network activity changes.

•  When risk management is influenced by previous activities on systems and networks.

•  When risk management is influenced by current activities on systems and networks.

•  When the relationship between cybersecurity risk and objectives is well understood.

•  When cybersecurity risks and objectives are considered when making decisions.

•  When there is an organization-wide approach to managing cybersecurity risk.

•  When risk-informed policies are used to address potential cybersecurity events.

•  When risk-informed processes are used to address potential cybersecurity events.

•  When risk-informed procedures are used to address potential cybersecurity events.

•  When corporate budgets are based on a clear understanding of cybersecurity risks.

•  When budgets are based on a clear understanding of the organization’s risk tolerance.

•  When budgets are based on a clear understanding of the organization’s risk environment.

•  When budgets are based on a clear understanding of the predicted risk environment.

•  When budgets are based on a clear understanding of the current risk environment.

•  When business units implement the cybersecurity vision established by senior management.

•  When business units have a clear understanding of the organization’s tolerance for risk.

•  When business units consider risk tolerance when they analyze system-level risks.

•  When risk management methods can quickly adapt to changes in corporate direction.

•  When risk management methods can quickly respond to changes in the mission.

•  When communication methods can efficiently respond to changes in the mission.

•  When risk management methods can quickly respond to changes in business objectives.

•  When communication methods can efficiently respond to changes in these objectives.

C. Tier 4 organizations have interactive risk management participation

Interactive risk management participation occurs:

•  When an organization understands its role and how it fits into the larger ecosystem.

•  When an organization understands how its dependents fit into this larger ecosystem.

•  When an organization understands the ways in which other entities depend on it.

•  When an organization understands how its dependencies fit into this larger ecosystem.

•  When an organization understands the ways in which it depends on external entities.

•  When an organization receives prioritized cybersecurity information from relevant sources.

•  When an organization receives cybersecurity information as the threat landscape evolves.

•  When an organization receives cybersecurity information as technology landscape evolves.

•  When an organization generates prioritized cybersecurity information for relevant entities.

•  When an organization generates cybersecurity information as the threat landscape evolves.

•  When an organization generates cybersecurity information as technology landscape evolves.

•  When an organization reviews prioritized cybersecurity information from all relevant sources.

•  When an organization reviews cybersecurity information as the threat landscape evolves.

•  When an organization uses threat information to analyze its own cybersecurity risks.

•  When an organization reviews cybersecurity information as technology landscape evolves.

•  When an organization uses technological information to analyze its cybersecurity risks.

•  When an organization shares prioritized cybersecurity information from all relevant sources.

•  When an organization shares this cybersecurity information with internal personnel.

•  When an organization shares this cybersecurity information with external collaborators.

•  When an organization uses real-time or near real-time information to address its risks.

•  When an organization uses timely information to understand cyber supply chain risks.

•  When it uses this information to understand the risks that its own products create.

•  When it uses this information to understand the risks that suppliers’ products create.

•  When it uses this information to understand the risks that its own services create.

•  When it uses this information to understand the risks that suppliers’ services create.

•  When an organization uses timely information to act upon cyber supply chain risks.

•  When it uses timely information to act upon the risks that its own products create.

•  When it uses timely information to act upon the risks that its own services create.

•  When it uses timely information to act upon the risks that suppliers’ products create.

•  When it uses timely information to act upon the risks that suppliers’ services create.

•  When an organization actively develops and maintains strong supply chain relationships.

•  When it communicates with suppliers to develop strong supply chain relationships.

•  When it uses informal mechanisms to maintain strong supply chain relationships.

•  When it uses formal mechanisms to maintain strong supply chain relationships.

•  When it uses formal agreements to maintain its supply chain relationships.

*ISAO stands for Information Sharing and Analysis Organization.


Praxiom Research Group Limited       help@praxiom.com       780-461-4514

 Updated on March 31, 2020. First published on January 27, 2020.


Copyright © 2020 by Praxiom Research Group Limited. All Rights Reserved.

First Edmonton Place, 14th Floor, 10665 Jasper Avenue,
        Edmonton, Alberta, T5J 3S9, Canada