NIST CSF Implementation Tiers: Partial to Adaptive
The NIST CSF implementation tiers — Partial, Risk Informed, Repeatable, and Adaptive — are not a maturity score and not a compliance checklist. They are a lens for evaluating the rigor, integration, and adaptability of your cybersecurity risk management practices. Understanding what each tier actually requires, and where the gaps between tiers are most consequential, is the starting point for a credible CSF improvement program. Armorstack’s VERITY team conducts structured tier assessments and builds the operational program needed to advance through them.
What the Implementation Tiers Measure — and What They Do Not
NIST is explicit on a point that is frequently misunderstood in practice: the implementation tiers do not represent maturity levels, and a higher tier is not universally better. Tier 4 (Adaptive) is appropriate for organizations operating in high-threat environments with complex supply chains and significant regulatory obligations. A small manufacturing company with a straightforward IT environment and limited regulatory exposure may be fully and appropriately positioned at Tier 2. The right tier target is determined by the organization’s risk appetite, regulatory context, and the threat environment it operates in — not by a general aspiration to score higher.
What the tiers do measure is the degree to which cybersecurity risk management practices are integrated into the broader organizational risk management structure, informed by threat intelligence, and coordinated with external partners. They cut across the entire NIST CSF — all six functions in CSF 2.0, including the new GOVERN function — and reflect how the organization manages risk as a whole, not how any specific control domain is configured.
Tier 1: Partial
At Tier 1, cybersecurity risk management practices are not formalized. Risk management is reactive and ad hoc — responses occur after incidents rather than through proactive processes. There is limited organizational awareness of cybersecurity risk, and the approach to managing it is not coordinated across the enterprise. Decisions about security investments are not explicitly tied to a risk management strategy. Collaboration with external parties on cybersecurity topics is irregular or nonexistent.
Tier 1 is not a comfortable place for any regulated organization. It is the starting condition for organizations that have deployed security tools based on vendor recommendation or informal consensus but have not built the governance, process, and integration layers that define a functioning risk management program. Most mid-market organizations that discover they are at Tier 1 are genuinely surprised — they have made security investments, but those investments are not connected to a coherent strategy or accountable ownership structure.
Tier 2: Risk Informed
At Tier 2, risk management practices exist but are not consistently applied across the organization. There is organizational awareness of cybersecurity risk, and risk-informed policies and processes have been approved by management. However, implementing those policies and processes depends on individual initiative rather than organization-wide enforcement mechanisms. The cybersecurity program is not fully integrated with the broader enterprise risk management function, and information sharing with external parties is informal.
Tier 2 represents the condition of a significant portion of regulated mid-market organizations that have a security program in place. Policies are written. A risk assessment has been conducted, perhaps annually. A CISO or IT security lead exists. But enforcement is inconsistent — some business units follow the policies, others do not, and the lack of systematic integration with enterprise risk means that cybersecurity risk does not consistently reach executive or board-level decision-making.
The gap between Tier 2 and Tier 3 is primarily a governance and integration gap, not a technical controls gap. Organizations with strong Protect and Detect capabilities frequently plateau at Tier 2 because they have not built the GOVERN function infrastructure — risk appetite documentation, board reporting, integrated risk management processes — that Tier 3 requires.
Tier 3: Repeatable
At Tier 3, the organization’s risk management practices are formally approved, expressed as policy, and consistently implemented across the enterprise. Cybersecurity practices are updated regularly in response to changes in business requirements, the threat landscape, and technology. The cybersecurity function is formally integrated with the broader organizational risk management function — cybersecurity risk is managed on the same basis and through the same governance structures as other enterprise risks. The organization receives and actively uses threat intelligence to inform its security practices. Information sharing and collaboration with external parties follow defined processes.
Tier 3 is the appropriate target for most regulated mid-market organizations in healthcare, financial services, manufacturing, and the defense industrial base. It is where auditors and regulators expect to find organizations subject to frameworks like HIPAA, GLBA, CMMC Level 2, and NIST SP 800-171. Reaching Tier 3 requires that the GOVERN function be fully operational — not just documented — and that cybersecurity practices be demonstrably consistent across the enterprise, not dependent on specific individuals.
The most common gap on the path to Tier 3 is the integration requirement. Organizations can demonstrate repeatable technical controls but cannot demonstrate that cybersecurity risk is formally integrated into enterprise risk management. A risk register exists in the IT department but does not connect to the organization’s enterprise risk framework. The board receives an annual security briefing but cybersecurity risk does not appear in quarterly risk reporting. These integration gaps prevent advancement to Tier 3 regardless of technical control maturity.
Tier 4: Adaptive
At Tier 4, the organization actively adapts its cybersecurity practices based on lessons learned from previous activities, continuous monitoring, and real-time threat intelligence. Cybersecurity risk management is deeply integrated with organizational strategy and enterprise risk management. The organization contributes to the broader community’s cybersecurity knowledge base — sharing threat intelligence, participating in sector-specific Information Sharing and Analysis Centers (ISACs), and collaborating with government partners and peers. Risk management decisions reflect a sophisticated understanding of the threat landscape and the organization’s position within it.
Tier 4 is appropriate for organizations operating critical infrastructure, those in highly targeted sectors facing nation-state or sophisticated criminal adversaries, and organizations with complex global supply chains. It is not a realistic near-term target for most mid-market organizations, and framing it as one creates misdirected investment. The appropriate question for a mid-market organization is not whether it should reach Tier 4 but whether it has reached Tier 3 consistently and whether specific risk domains warrant Tier 4 investment.
Using Tiers in a CSF Assessment
NIST CSF 2.0 maintains the concept of Current Profile and Target Profile — documenting where the organization’s cybersecurity practices currently stand and where they need to be given the organization’s risk appetite and regulatory context. The tier assessment provides the organizational context for that profile work: what tier does the organization currently operate at across its governance and risk management practices, and what tier is appropriate given its regulatory obligations and threat environment?
A structured tier assessment conducted by Armorstack’s VERITY team examines each of the three tier dimensions — Risk Management Process, Integrated Risk Management Program, and External Participation — across all relevant program areas. The output is a current-state tier characterization, a gap analysis against the appropriate target tier, and a remediation roadmap that addresses governance integration before technical controls, because governance gaps are the most common blocker to tier advancement.
For a detailed examination of what a structured CSF maturity assessment covers and how it connects tier evaluation to actionable remediation, see NIST CSF maturity assessment. To understand how the CSF tier framework compares to the control specificity of NIST SP 800-53, see NIST CSF vs. NIST 800-53. Organizations beginning with the 90-Day Proof receive a tier assessment as part of the baseline engagement. To discuss your current tier position and target, talk to the Armorstack VERITY team.
See the full NIST CSF compliance program for how tier advancement connects to the six CSF functions and continuous compliance posture management.