The Implementation Tiers describe how closely an agency's cybersecurity program aligns with the characteristics defined in the Framework. For example: is the program designed to manage network vulnerabilities and possible threats, does the program have formally approved policies that have actually been implemented, and is the program updated and improved to respond to evolving threats? The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and represent a progression from an informal, reactive program to one that is formalized, agency-wide, and proactive.

To determine which Tier an agency is currently operating within, several factors must be considered, such as current security practices, the threat environment (i.e., the particular cybersecurity threats relevant to the agency), legal and regulatory requirements, business/mission objectives, and agency constraints (e.g., staffing, funding). When determining the desired Tier, agencies should consider the following: will operating within the desired Tier allow agency goals to continue being met, will the desired Tier be feasible to implement, and will the desired Tier reduce cybersecurity risk to information assets and resources to levels acceptable for the agency?
Implementation Tiers

Each Tier is characterized along the same three dimensions: Risk Management Process, Integrated Risk Management Program, and External Participation.

Tier 1 - Partial
    Risk Management Process
    Integrated Risk Management Program
    External Participation

Tier 2 - Risk Informed
    Risk Management Process
    Integrated Risk Management Program
    External Participation

Tier 3 - Repeatable
    Risk Management Process
    Integrated Risk Management Program
    External Participation

Tier 4 - Adaptive
    Risk Management Process
    Integrated Risk Management Program
    External Participation