Implementation Tiers

The Implementation Tiers describe how closely an agency's cybersecurity program aligns with the characteristics defined in the Framework. For example: is the program designed to manage network vulnerabilities and possible threats, does the program have formally approved policies that have actually been implemented, and is the program updated and improved to respond to evolving threats? The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and represent a progression from an informal, reactive program to one that is formalized, agency-wide, and proactive.

To select the Tier an agency is currently operating within, several things must be considered, for example: current security practices, the threat environment (the particular cybersecurity threats relevant to the agency), legal and regulatory requirements, business/mission objectives, and agency constraints (e.g. staffing, funding).

When determining the desired Tier, agencies should consider the following: will operating within the desired Tier allow agency goals to continue being met, will the desired Tier be feasible to implement, and will the desired Tier reduce cybersecurity risk to information assets and resources to levels the agency considers acceptable?
Tier 1 - Partial

Risk Management Process – Risk management practices are not formalized (i.e. implemented agency-wide using a formally approved policy or procedure) and are often reactive. Prioritization of cybersecurity activities may not be based on possible threats or business/mission requirements.

Integrated Risk Management Program - There is limited agency-wide cybersecurity awareness and there is no formal method for managing cybersecurity risk. Processes that allow cybersecurity information to be shared within the agency may not exist.

External Participation - Processes may not be in place to safely participate in network-to-network activities with other entities (i.e. activities that require connecting the agency's network to an external agency's network).

Tier 2 - Risk Informed

Risk Management Process – Risk management practices are approved but may not be enforced as an agency-wide formal policy. Prioritization of cybersecurity activities is based on possible threats or business/mission requirements.

Integrated Risk Management Program - There is an agency-wide awareness of cybersecurity, but there is no formal method for managing cybersecurity risk. Processes that allow cybersecurity information to be shared within the agency exist but are informal.

External Participation – Processes may be in place to safely participate in network-to-network activities with other entities, but the processes used are not formal.

Tier 3 - Repeatable

Risk Management Process – Risk management practices are formally approved and there is an agency-wide policy implemented. Prioritization of cybersecurity activities is updated as needed and is based on changing threats and business/mission requirements.

Integrated Risk Management Program – There are approved agency-wide methods for managing cybersecurity risk in place. Agency policies, processes, and procedures are established, implemented, and regularly reviewed. Personnel have the knowledge and skills to perform their assigned cybersecurity roles and responsibilities.

External Participation – Agency dependencies and the role of external partners are understood. Information gathered from external partners is used to make cybersecurity decisions and respond to cybersecurity events.

Tier 4 - Adaptive

Risk Management Process – Cybersecurity practices are adapted based on lessons learned from previous and current methods for managing cybersecurity risk. Continuous improvement and updating of cybersecurity practices and technologies are used to respond to threats in a timely manner.

Integrated Risk Management Program – Formal, agency-wide policies, processes, and procedures are used to address potential cybersecurity events. The importance of risk management is understood throughout the agency and there is a continuous awareness of the activities happening on systems and networks.

External Participation – Information is actively shared with external partners to improve cybersecurity before a cybersecurity event occurs.