NIST CSF Profiles and Tiers

Explains NIST CSF Organizational Profiles and Implementation Tiers. These tools help entities assess their current security posture, define target states, and prioritize cybersecurity investments.

Updated 4/7/2026. Tags: NIST, Profiles, Tiers, Assessment

In the NIST Cybersecurity Framework 2.0 Overview, NIST CSF Profiles and NIST CSF Tiers serve as the primary mechanisms for organizations to assess their current cybersecurity posture, define their desired target state, and prioritize their cybersecurity investments.

NIST CSF Profiles

A CSF Organizational Profile describes an entity's cybersecurity posture in terms of the framework's outcomes (see NIST CSF Core Functions). Profiles allow organizations to understand, assess, prioritize, and communicate their cybersecurity objectives by aligning framework outcomes with their specific mission, stakeholder expectations, threat landscape, and business requirements.

An Organizational Profile takes one of two forms, and most organizations maintain both:

  • Current Profile: Specifies the cybersecurity outcomes an organization is currently achieving or attempting to achieve. It characterizes the extent to which these outcomes are met and acts as a baseline. Current Profiles are often used to document and communicate existing capabilities and known areas of improvement to internal teams and external stakeholders, such as business partners or prospective customers.
  • Target Profile: Specifies the desired, prioritized outcomes an organization aims to achieve to meet its cybersecurity risk management goals. It accounts for anticipated changes to the environment, such as new compliance requirements, technology adoption, or evolving threat intelligence trends. A Target Profile can also express cybersecurity expectations to suppliers and third parties.

Organizations typically conduct a gap assessment between their Current Profile and Target Profile. This gap analysis informs an Action Plan, which establishes deadlines and ongoing initiatives to address deficiencies and systematically move the organization toward its target state.
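The gap assessment described above, as an added Python example (not from the page or from NIST): a Current and a Target Profile are modelled as mappings from outcome ID to an achievement level, the shortfalls are computed, and the result is ordered the way an Action Plan would consume it. The 0-4 achievement scale, the outcome IDs, priorities and deadlines are all constructed sample data.

```python
"""Gap assessment between a Current Profile and a Target Profile (added example).
Profiles map CSF outcome IDs to an achievement level on a constructed 0-4 scale; Target
entries also carry a priority and Action Plan deadline. IDs and scores are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TargetOutcome:
    level: int      # desired achievement level, 0 (not achieved) .. 4 (fully achieved)
    priority: int   # 1 = highest business priority
    deadline: str   # Action Plan deadline as an ISO date

# Current Profile: what is achieved today (constructed sample).
CURRENT_PROFILE = {
    "GV.OC-01": 3,
    "ID.AM-01": 2,
    "PR.AA-01": 1,
    "DE.CM-01": 2,
    "RS.MA-01": 4,   # achieved today but not called out in the Target Profile
}

# Target Profile: desired level, priority and deadline (constructed sample).
TARGET_PROFILE = {
    "GV.OC-01": TargetOutcome(level=3, priority=3, deadline="2026-12-31"),
    "ID.AM-01": TargetOutcome(level=4, priority=2, deadline="2026-09-30"),
    "PR.AA-01": TargetOutcome(level=4, priority=1, deadline="2026-06-30"),
    "DE.CM-01": TargetOutcome(level=3, priority=2, deadline="2026-09-30"),
    "RC.RP-01": TargetOutcome(level=2, priority=3, deadline="2026-12-31"),  # absent from Current
}

def gap_assessment(current, target):
    """Return the outcomes whose current level falls short of the Target Profile.
    An outcome missing from the Current Profile counts as level 0, so a newly
    adopted Target outcome surfaces as a gap instead of being silently skipped."""
    gaps = []
    for outcome, want in target.items():
        have = current.get(outcome, 0)
        if have < want.level:
            gaps.append({"outcome": outcome, "current": have, "target": want.level,
                         "gap": want.level - have, "priority": want.priority,
                         "deadline": want.deadline})
    return gaps

def action_plan(gaps):
    """Order gaps for the Action Plan: priority, then earliest deadline, then largest gap."""
    return sorted(gaps, key=lambda g: (g["priority"], g["deadline"], -g["gap"]))

if __name__ == "__main__":
    for g in action_plan(gap_assessment(CURRENT_PROFILE, TARGET_PROFILE)):
        print(f"{g['outcome']}: {g['current']} -> {g['target']} "
              f"(priority {g['priority']}, due {g['deadline']})")
```

Outcomes already at or above their target level (GV.OC-01 here) drop out of the plan, while an outcome present only in the Target Profile (RC.RP-01) is reported from level 0 rather than ignored.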

Additionally, a Community Profile is a standardized baseline of CSF outcomes published for a specific sector, industry, or technology use case. It provides a customized template that organizations within that community can adopt as a starting point.

NIST CSF Implementation Tiers

CSF Tiers characterize the rigor and maturity of an organization's cybersecurity risk governance and management practices. While Profiles focus on the specific outcomes an entity aims to achieve, Tiers provide context for how an organization views cybersecurity risks and the processes it uses to manage them. Organizations choose a Tier to inform the development of their Current and Target Profiles.

The Framework defines four Tiers, representing a progression from informal, ad-hoc responses to approaches that are highly agile, risk-informed, and continuously improving:

  • Tier 1: Partial
  • Tier 2: Risk Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

Selecting a target Tier helps set the overall tone for an enterprise-wide approach to managing cyber risk. Tiers are designed to complement, rather than replace, an organization's existing risk management methodology. Progression to higher Tiers is not automatically required for every organization; rather, it is encouraged when risks or regulatory mandates increase, or when a cost-benefit analysis indicates that advancing to a higher Tier will result in a feasible and cost-effective reduction of cybersecurity risk.

Relationship to Broader Risk Management

Using Profiles and Tiers helps align tactical security operations with broader business and compliance objectives, particularly in areas like NIST CSF 2.0: Governance and Supply Chain Risk. By establishing a clear Target Profile and selecting an appropriate Tier, an organization can systematically justify cybersecurity budgets, demonstrate continuous improvement, and clearly communicate its security roadmap to executives and third-party partners.