On what basis was identify marked as tier 2 NIST clearly says - Tier profiles are not maturity models. They are a measure of how well the org manages cyber risks. So, what is the meaning of giving Tier-2 to Identify ?
This is the #1 problem I have with Cyber Maturity Assessments (CMA) using the Implementation Tiers. As you directly mentioned, if you read CSF, it explicitly states not to use the tiers as maturity levels. Additionally, there is no language nor graphics within any NIST publication to say that the implementation tiers should be applied at the sub-cat, cat, or function level. So every time I see a CMA that says, PR.AC is a 2.5 NIST implementation tier, I ask, "How is that even possible?" If I read NIST Implementation Tiers 2 and 3, all they talk about is Risk Management, NOT Access Management. Organizations and consultants have been incorrectly using the tiers by applying them to the functions, categories, and sub-cats. You fundamentally have to change the words in the tiers to be able to apply it to any of the framework core.
On what basis was identify marked as tier 2
NIST clearly says - Tier profiles are not maturity models. They are a measure of how well the org manages cyber risks.
So, what is the meaning of giving Tier-2 to Identify ?
This is the #1 problem I have with Cyber Maturity Assessments (CMA) using the Implementation Tiers. As you directly mentioned, if you read CSF, it explicitly states not to use the tiers as maturity levels. Additionally, there is no language nor graphics within any NIST publication to say that the implementation tiers should be applied at the sub-cat, cat, or function level. So every time I see a CMA that says, PR.AC is a 2.5 NIST implementation tier, I ask, "How is that even possible?" If I read NIST Implementation Tiers 2 and 3, all they talk about is Risk Management, NOT Access Management. Organizations and consultants have been incorrectly using the tiers by applying them to the functions, categories, and sub-cats. You fundamentally have to change the words in the tiers to be able to apply it to any of the framework core.