Does the NIST Privacy Framework Require that Companies Score Themselves?
No. The NIST privacy framework recommends that companies summarize their maturity with respect to each category by using four “Tiers.” The Tiers are intended to describe whether the company’s current practices in a given domain are partially in place (Tier 1), risk informed (Tier 2), repeatable (Tier 3), or adaptive (Tier 4). While the NIST privacy framework contemplates that a maturity assignment using the tiering system will help a company “communicate internally about resource allocations necessary to progress to a higher Tier or as general benchmarks to gauge progress in its capability to manage privacy risks,” it does not mandate that companies assign a tier to each subcategory, nor does it mandate that companies achieve a particular tier level. The net result is that the tiers are designed to be a tool to help companies conceptualize their maturity in relation to specific privacy issues.
NIST, NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 at 9 (Jan. 16, 2020).