Quiz Entry - updated: 2026.07.14
What are the four Implementation Tiers of the NIST CSF?
Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive.
* The four Tiers as a ladder — each step up means more formalization and more learning. *
The Tiers describe how rigorously an organization manages cybersecurity risk:
| Tier | Name | Flavor |
|---|---|---|
| 1 | Partial | Ad-hoc, reactive; risk handled case by case |
| 2 | Risk Informed | Management approves practices, but not org-wide policy |
| 3 | Repeatable | Formal policy, regularly updated, organization-wide |
| 4 | Adaptive | Continuous improvement; lessons learned and predictive indicators feed back into practice |
Tip: Mnemonic ladder P-R-R-A: "Practices Rarely Repeat… until they Adapt." Each step up = more formalization and more learning.