NIST CSF 2.0 — Implementation Tiers & Evaluation
This document describes the NIST CSF implementation tiers and the criteria used to assess cybersecurity maturity.
Implementation Tiers
The tiers reflect the maturity of an organization’s cybersecurity risk management practices.
Tier 1 — Partial
- Ad hoc or reactive cybersecurity practices
- No formalized risk management processes
Assessment: Very low preparedness and limited control.
Tier 2 — Risk-Informed
- Awareness of cybersecurity risks
- Risk considerations influence decision-making
- Processes are informal and inconsistently applied
Assessment: Capable teams, but lacking standardized and documented processes.
Tier 3 — Repeatable
- Documented and implemented cybersecurity processes
- Formal risk management policies approved and enforced
Assessment: Structured and consistent, with limited adaptability.
Tier 4 — Adaptive
- Continuous improvement of cybersecurity practices
- Use of advanced and current risk management techniques
- Rapid adaptation to emerging threats
Assessment: Mature, proactive, and resilient cybersecurity posture.
Tier Evaluation Factors
Key criteria used to assess tier placement:
- Maturity of risk management processes
- Integration of cybersecurity into daily operations
- Ability to adapt to evolving threat landscapes
Evaluation Process
- Identification, control, and reduction of risks
- Formalization, communication, and enforcement of cybersecurity policies
- Measurement of overall cybersecurity maturity and preparedness