Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1

Each tier is described along three dimensions: Risk Management Process, Integrated Risk Management Program, and External Participation.

Tier 1: Partial

Risk Management Process: Organisational cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.

Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.

External Participation: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not collaborate with or receive information (e.g., threat intelligence, best practices, technologies) from other entities (e.g., buyers, suppliers, dependencies, dependents, ISAOs, researchers, governments), nor does it share information. The organisation is generally unaware of the cyber supply chain risks of the products and services it provides and that it uses.

Tier 2: Risk Informed

Risk Management Process: Risk management practices are approved by management but may not be established as organisation-wide policy. Prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.

Integrated Risk Management Program: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation. Cyber risk assessment of organisational and external assets occurs, but is not typically repeatable or recurring.

External Participation: Generally, the organisation understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. The organisation collaborates with and receives some information from other entities and generates some of its own information, but may not share information with others. Additionally, the organisation is aware of the cyber supply chain risks associated with the products and services it provides and uses, but does not act consistently or formally upon those risks.

Tier 3: Repeatable

Risk Management Process: The organisation’s risk management practices are formally approved and expressed as policy. Organisational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Integrated Risk Management Program: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of organisational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. Senior executives ensure consideration of cybersecurity through all lines of operation in the organisation.

External Participation: The organisation understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community’s broader understanding of risks. It collaborates with and receives information from other entities regularly that complements internally generated information, and shares information with other entities. The organisation is aware of the cyber supply chain risks associated with the products and services it provides and that it uses. Additionally, it usually acts formally upon those risks, including mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring.

Tier 4: Adaptive

Risk Management Process: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.

Integrated Risk Management Program: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organisational objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risk in the same context as financial risk and other organisational risks. The organisational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyse system-level risks in the context of the organisational risk tolerances. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on their systems and networks. The organisation can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.

External Participation: The organisation understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks. It receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally with other collaborators. The organisation uses real-time or near real-time information to understand and consistently act upon cyber supply chain risks associated with the products and services it provides and that it uses. Additionally, it communicates proactively, using formal (e.g., agreements) and informal mechanisms to develop and maintain strong supply chain relationships.