NIST Cybersecurity Framework 2.0:
Quick-Start Guide for Using the CSF Tiers

NIST Special Publication 1302 (NIST SP 1302)
https://doi.org/10.6028/NIST.SP.1302
Please send your comments to [email protected].
October 2024

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

NIST CSF 2.0: USING THE CSF TIERS
A QUICK-START GUIDE
Cybersecurity Framework (CSF) Tiers

CSF Tiers can be applied to CSF Organizational Profiles to characterize the rigor of an organization's cybersecurity risk governance and management outcomes. This can help provide context on how an organization views cybersecurity risks and the processes in place to manage those risks. The Tiers can also be valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements.

Appendix B of the CSF contains a notional illustration of the CSF Tiers. In that illustration, each Tier has separate descriptions for Cybersecurity Risk Governance (corresponding to the Govern Function) and Cybersecurity Risk Management (for the other five CSF Functions: Identify, Protect, Detect, Respond, and Recover).

The Tiers capture an organization's outcomes over a range: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4). They reflect a progression from informal, ad hoc responses to approaches that are agile, risk-informed, and continuously improving.

An organization wanting to use the CSF Tiers can reuse the notional descriptions from Appendix B of the CSF. Alternatively, they can customize those descriptions, create new ones, or use a set of descriptions they already have in place.

Selecting Tiers

Selecting the CSF Tiers that your organization should be meeting in its cybersecurity risk governance and management activities is generally performed by organization leadership.

Here are tips for selecting Tiers:

• Selecting Tiers overall or at the Function or Category level will provide a better sense of the organization's current cybersecurity risk management practices than selecting Tiers at the lower Subcategory level.

• You can use one of the two Tier components (governance or management descriptions) if you want to focus on a subset of the CSF Functions. For example, if your scope is governance only, you can omit the Cybersecurity Risk Management descriptions.

• When selecting Tiers, consider the following aspects of the organization:
  • current risk management practices
  • threat environment
  • legal and regulatory requirements
  • information sharing practices
  • business and mission objectives
  • supply chain requirements
  • organizational constraints, including resources

• Ensure that the Tiers being selected help to meet organizational goals, are feasible to implement, and reduce cybersecurity risks to critical assets and resources to levels that are acceptable to the organization.

• Progression to higher Tiers is encouraged when needed to address risks or mandates.
Applying Tiers to Organizational Profiles


Once your organization's Tier selections have been made, you can use them to help inform your Current and Target Profiles. For example, if leadership has determined that your organization should be at Tier 2 (Risk Informed) for the Identify and Protect Functions, then your Current Profile would reflect how well the Tier 2 Cybersecurity Risk Management characteristics are currently being achieved for each CSF Category within those two Functions. Similarly, the Target Profile would reflect any improvements to Identify and Protect outcomes needed to fully achieve the Tier 2 description. The table excerpt below shows the relevant part of the Tier 2 description.

Tiers should be used to guide and inform an organization's cybersecurity risk governance and management methodologies rather than take their place.

Tier | Cybersecurity Risk Governance | Cybersecurity Risk Management
Tier 1: Partial | ... | ...
Tier 2: Risk Informed | ... | There is an awareness of cybersecurity risks at the organizational level, but an organization-wide approach to managing cybersecurity risks has not been established. Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization. Cyber risk assessment of organizational and external assets occurs but is not typically repeatable or reoccurring. Cybersecurity information is shared within the organization on an informal basis. The organization is aware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses, but it does not act consistently or formally in response to those risks.
Tier 3: Repeatable | ... | ...
Tier 4: Adaptive | ... | ...

Additional Resources

• Quick-Start Guide for Creating and Using Organizational Profiles (includes taking CSF Tiers into account in Current and Target Profiles)
• Organizational Profile notional template
• A Guide to Creating CSF 2.0 Community Profiles (includes using CSF Tiers to inform the development of Community Profiles)