The NIST Cybersecurity Framework Implementation Tiers (Part 2 of 3)

The NIST cybersecurity framework is comprised of three main components:

1. The Core
2.  Implementation Tiers
3. Profiles

In this post we will be focusing on component #2, Implementation Tiers.

What are NIST Cybersecurity Implementation Tiers?

The NIST Cybersecurity Implementation Tiers are a scaled ranking system (1-4) that describes the degree to which an organization exhibits the characteristics described in the NIST Cybersecurity Framework. Organizations using the tiers receive context on their cyber risk and this mechanism enables organizations to understand the characteristics of their approach to managing cybersecurity risk which can help them prioritize and achieve their cybersecurity goals. Tier one represents an organization with an informal reactionary approach to cybersecurity risk management while a score of four represents an agile, risk informed organization with the highest degree of sophistication in their cybersecurity risk management plan. Tiers are determined based on an organizations characteristics for three categories: Risk Management Processes, Integrated Risk Management Programs, and External Participation. 

Tier 1 - Partial Implementation

• Risk Management Process
• informal, ad hoc, reactionary
• prioritization of cybersecurity activities is NOT directly informed by organizational risk objectives, business requirements, or the threat environment
• Integrated Risk Management Program
• limited awareness of cybersecurity risk at organizational level
• risk management implemented irregularly on a case-by-case basis
• May or may not have processes to share cybersecurity information internally
• External Participation
• organization does NOT collaborate or exchange information with other entities
• organization is unaware of the cyber risks in their supply chain

Tier 2 - Risk Informed

• Risk Management Process
• approved by management but NOT established as organizational-wide policy
• prioritization of cybersecurity activities IS directly informed by organizational risk objectives, business requirements, and the threat environment
• Integrated Risk Management Program
• awareness of cybersecurity risk at organizational level
• organization-wide approach to cybersecurity risk management has NOT been established
• cybersecurity information is shared internally but on an irregular basis
• cyber risk assessment of organizations assets occurs but is not a recurring process
• External Participation
• organization collaborates and receives some information from other entities
• organization is aware of cyber risks in their supply chain but takes no formal or consistent actions against those risks

Tier 3 - Repeatable

• Risk Management Process
• formally approved and expressed as policy
• cybersecurity practices are updated based on the application of risk management process to changes in business requirements and a changing threat/technology landscape.
• Integrated Risk Management Program
• organization-wide approach to manage cybersecurity risk
• risk-informed policies
• process are defined, implemented, and reviewed
• cybersecurity and non-cybersecurity executives regularly communicate about cybersecurity risks
• External Participation
• organization regularly collaborates and receives information from outside entities
• organization generates and shares information of their own with outside entities
• organization is aware of cyber risks in their supply chain and formally acts against those risks including written agreements communicating baseline requirements, governance structures, and policy implementation/monitoring

Tier 4 - Adaptive

• Risk Management Process
• continuous improvement incorporating advanced technology and best practices
• actively adapted based on past and present cybersecurity activities including lessons learned and predictive indicators
• responds to sophisticated changing threat landscape in a timely and effective way
• Integrated Risk Management Program
• organization-wide approach to management of cybersecurity risks
• risk-informed policies
• processes and procedures in place to to address potential cybersecurity events
• senior executives treat cyber risk the same as financial risk
• cybersecurity risk management is part of organizational culture
• External Participation
• organization receives, generates, and reviews, information for continuous analysis of its risks in an evolving technological and threat landscape
• organization shares this information internally and externally
• organization understands cyber risks in supply chain and uses real-time information to understand and consistently act against those risks
• proactively communicates formally and informally to create and maintain strong supply chain relationships

To identify an organizations tier in the NIST Cybersecurity Framework you must consider many factors including the organizations risk management practices, regulatory requirements, the threat environment, legal requirements, business objectives, organizational constraints, supply chain cybersecurity requirements, and information sharing practices. While it is desirable for an organization at a lower tier to progress to a higher tier, progression to higher tiers is only encouraged after conducting a cost-benefit analysis to determine if progression is a feasable and cost-effective means to reduce cybersecurity risk.

Further Reading: 

• NIST Cybersecurity Framework - An Introduction
• NIST and DFARS Compliance 101: What You Need to Know
• Producing and Protecting Manufacturing Technology with NIST MEP