Tier 1 - Partial: Knowledge is partially documented or known only to specific people. Reactionary security posture with ad-hoc incident handling. Tier 2 - Risk-Informed: Fully documented processes and procedures with established incident handling. Tier 3 - Repeatable: Established documentation in place with a mature security program able to rapidly make assessments and change the program to match business needs. Tier 4 - Adaptable: Unit is able to take a proactive approach to cybersecurity.