The National Institute of Standards and Technology (NIST) has developed Implementation Tiers for the Cybersecurity Framework. The tiers are one of the three main elements of the NIST CSF: the Framework Core, Profile, and Implementation Tiers. They are designed to provide stakeholders with context around the degree to which an organization’s cybersecurity program exhibits the characteristics of the NIST CSF.
NIST explicitly states that the NIST CSF Implementation Tiers are not designed to be a maturity model. Instead, these management tiers are designed to illuminate and guide the interaction between cybersecurity risk management and operational risk management processes. In short, the NIST Cybersecurity Framework Tiers are designed to provide a clear path to roll cyber risk into the overall organizational risk of the enterprise. Much like the Profiles and the Framework Core, the Implementation Tiers are a benchmark to take stock of current cybersecurity risk management practices and help organizations develop plans to improve their cybersecurity posture. In this post, we’ll explore each of the four Implementation Tiers as you work to understand how your organizational structure might fit into this scoring model.
Each of the Implementation Tiers is broken down into three main components: Risk Management Processes, Risk Management Program, and External Participation, each with its own respective functions, categories, and subcategories. Risk management processes describe how the organization approaches cybersecurity risk. The integrated risk management program component measures the degree to which the organization has centralized its cyber risk data so that top-level management can make decisions from that information. With strategic planning, leadership can make cybersecurity decisions that align with the company's overall goals and objectives. Finally, external participation describes the organization's awareness of the broader business ecosystem in which it participates.
NIST Cybersecurity Framework Implementation Tiers
Tier 1 - Partial
- Risk Management Processes: At Tier 1 organizations, cybersecurity risk management is typically ad hoc and reactive. Furthermore, cybersecurity activities are typically performed with little to no prioritization based on the degree of risk that those activities address.
- Integrated Risk Management Program: The lack of processes associated with cyber risk management makes communicating and managing that risk difficult for these organizations. As a result, the organization addresses cybersecurity risk on a case-by-case basis because consistent information is lacking.
- External Participation: These organizations lack an understanding of their role in the broader business ecosystem - their position in the supply chain, their dependents, and their dependencies. Without understanding where it sits in the ecosystem, a Tier 1 organization does not share information with third parties effectively (if at all). It is generally unaware of the supply chain risks it accepts and passes on to other ecosystem members.
Tier 2 - Risk-Informed
- Risk Management Processes: Management approves risk management practices, but they are typically not established as organization-wide policy within Tier 2 organizations. Although these practices are not standardized, they directly inform the prioritization of cybersecurity activities alongside organizational risk objectives, the threat environment, and business requirements.
- Integrated Risk Management Program: Awareness of cybersecurity risk exists at the organizational level but is not standardized organization-wide, and information about cybersecurity is only shared informally. Cybersecurity receives some consideration in organizational objectives, but not as a standard practice. A cyber risk assessment may occur, but it is not standard practice and is only periodically repeated.
- External Participation: Tier 2 organizations understand their role in the ecosystem with regard to either their dependencies or their dependents, but not both. Such organizations typically receive information but do not share it. While they know the risks associated with their supply chain, they do not typically act on them.
Tier 3 - Repeatable
- Risk Management Processes: Tier 3 organizations' risk management practices are formally approved and expressed as policy. These practices are regularly updated based on changes in business requirements and the changing threat landscape.
- Integrated Risk Management Program: Tier 3 organizations take an organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented, and reviewed. Methods are in place to respond consistently and effectively to changes in risk, and personnel possess the knowledge and skills to perform their roles. Senior cybersecurity executives, the board of directors, and business-side executives communicate regularly regarding cybersecurity events and risks.
- External Participation: Tier 3 organizations understand their role in the ecosystem and contribute to the broader understanding of risks. They regularly collaborate with other entities and share internally generated information with them. These organizations know the risks associated with their supply chains and act on them formally, including implementing written agreements to communicate baseline requirements, governance structures, and policy implementation and monitoring.
Tier 4 - Adaptive
- Risk Management Processes: These organizations adapt their cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive factors. They implement a continuous improvement process - including incorporating advanced cybersecurity technologies and practices and actively adapting to a changing threat and technology landscape.
- Integrated Cyber Risk Management Program: Building on Tier 3, Tier 4 organizations clearly understand the link between organizational objectives and cybersecurity risk. Senior executives monitor cybersecurity risks in the same context as financial and organizational risks. These organizations base budgeting decisions on an understanding of the current and potential risk environment. Cybersecurity risk is integrated into the organizational culture and evolves from an awareness of previous activities and continuous awareness of current ones.
- External Participation: Integrating further into the ecosystem than Tier 3, Tier 4 organizations receive, generate, and contribute to the ecosystem's understanding of risk. Because information sharing with internal and external stakeholders is more fully integrated, the organization uses real-time information to understand and regularly act on supply chain risks. They also have a formalized process, integrated into their documentation, covering dependencies and dependents.
What The Implementation Tiers Mean for You
As we’ve discussed, the NIST CSF Implementation Tiers are not meant to be seen as a maturity model. Instead, consider them benchmarking tools and clear directions for improving your organization's approach to cybersecurity.
Discover our automated risk assessment solution, CyberStrong, which scores your organization against the Implementation Tiers as you complete an assessment rather than after the fact. From there, it is a matter of illustrating your findings clearly and compellingly, soliciting buy-in from all relevant stakeholders, and using the NIST CSF to progress toward your goal Tier.