Quiz Entry - updated: 2026.07.14
What are the three components of the NIST Cybersecurity Framework?
Core, Tiers, and Profiles. The Core lists what to do (functions, categories, subcategories), Tiers measure how well you do it, and Profiles describe where you want to be.
* The three parts of the CSF: the Core is what to do, Tiers are how well, Profiles are where you aim. *
| Component | Purpose | Analogy |
|---|---|---|
| Core | The catalogue: 6 functions, 22 categories, 106 sub-categories of controls | What to do |
| Tiers | A 1–4 scale measuring how mature and risk-informed the organisation is | How well you do it |
| Profile | A current-vs-target snapshot, used as a roadmap for improvement | Where you want to go |
A typical CSF programme:
- Map current state against the Core → "Current Profile".
- Decide where you need to be → "Target Profile".
- Score current Tier of each function.
- Plan the controls and Tier movements to close the gap.
Tip: Most CSF implementations focus on the Core and ignore Tiers — but Tiers are what distinguish having controls from having a working risk-management programme. Without Tier 3+, you have a checklist, not a programme.
Go deeper:
The NIST CSF 2.0 (CSWP 29) — the primary text defining the Core, Tiers and Profiles and how they interlock.
NIST Cybersecurity Framework (Wikipedia) — plain-language summary of Core / Tiers / Profiles for orientation.