
What Changed from NIST CSF 1.1 to 2.0 (and What It Means for Your Firm)

NIST released CSF 2.0 in February 2024. If your cybersecurity program is built on version 1.1, here's what actually changed, what stayed the same, and what you need to do about it.

The short version

CSF 2.0 is not a minor revision. It adds a sixth function, broadens who the framework is meant for, formalizes organizational profiles, and moves the reference catalog online. If you built your cybersecurity program around version 1.1, it still works. But the gaps are real, and examiners are starting to notice them.

Change 1: The new Govern function

This is the biggest structural change. CSF 1.1 had five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0 adds a sixth: Govern (GV).

Govern was not tacked onto the end of the list. NIST placed it at the center of the CSF wheel, because governance is supposed to inform and direct every other function. Risk appetite, roles and responsibilities, policy oversight, supply chain governance: it all lives here.

For RIAs, this matters because SEC examiners already ask about board oversight, risk strategy, and cybersecurity governance. CSF 2.0 now gives you a formal structure to document those answers.

Change 2: Expanded scope

CSF 1.1 was titled "Framework for Improving Critical Infrastructure Cybersecurity." The scope was technically limited to critical infrastructure organizations, even though plenty of other firms used it.

CSF 2.0 drops that constraint. The new title is simply "Cybersecurity Framework." NIST explicitly states that it is designed for all organizations, regardless of size, sector, or maturity. A two-person RIA has just as much reason to reference it as a Fortune 500 company.

This matters in regulatory conversations. When the SEC says your cybersecurity program should be "reasonably designed," pointing to a framework that now explicitly includes firms like yours gives you a stronger footing.

Change 3: Implementation examples

Version 1.1 told you what to do. Version 2.0 also shows you how. NIST added Implementation Examples: practical steps tied to each subcategory.

For example, instead of just saying "establish access control policies," an Implementation Example might describe implementing role-based access with periodic reviews. These examples are not requirements. They are suggestions. But they make the framework much easier to act on, especially for smaller firms that do not have a dedicated security team translating subcategories into tasks.

Change 4: Profiles are formalized

CSF 1.1 mentioned profiles but did not give them much structure. CSF 2.0 formalizes two types: a Current Profile, which documents the cybersecurity outcomes your firm is achieving today, and a Target Profile, which documents the outcomes you are aiming for based on your regulatory obligations and risk tolerance.

The gap between Current and Target is your action plan. Examiners love this because it shows you know where you stand and have a plan to improve.

CSF 2.0 also introduces Community Profiles, which are pre-built profiles for specific sectors or use cases. There is no RIA-specific community profile yet, but industry groups could publish one. In the meantime, you can build your own based on regulatory requirements like Reg S-P and SEC guidance.

Change 5: Tiers are clarified

CSF has always had four tiers: Partial, Risk Informed, Repeatable, and Adaptive. In version 1.1, firms sometimes treated these like maturity levels and aimed for Tier 4 as the goal.

CSF 2.0 pushes back on that interpretation. Tiers are not maturity levels. They describe how an organization integrates cybersecurity risk management into broader decisions. Tier 2 (Risk Informed) may be perfectly appropriate for a small firm if its risk environment warrants it. The point is intentionality, not a score.

Change 6: Informative references moved online

In version 1.1, informative references (links to other standards like ISO 27001, COBIT, and CIS Controls) were embedded in the framework document. In 2.0, they have been moved to the Cybersecurity and Privacy Reference Tool (CPRT), a searchable online catalog maintained by NIST.

In practice, this is a big improvement. Instead of flipping through a static PDF table, you can look up mappings between CSF subcategories and other standards online. If you need to map CSF to Reg S-P or NYDFS 500, the CPRT is the place to start.

Change 7: Supply chain risk management elevated

CSF 1.1 had a supply chain category tucked under the Identify function. CSF 2.0 moves supply chain risk management into the Govern function (GV.SC), which gives it a lot more visibility.

For RIAs, this aligns directly with Reg S-P's vendor oversight requirements. Your vendors handle client data. The framework now expects you to govern those relationships as a core cybersecurity activity, not a secondary concern under "asset identification."

If you are on version 1.1, here is what to do

You do not need to start over. CSF 2.0 is an evolution, not a replacement. The original five functions are still there. Here is a practical migration path:

  1. Add Govern activities. If you have been working with the five functions, you likely have some governance activities already. They are just scattered across Identify and other areas. Pull them into a formal Govern section. Document risk appetite, roles, oversight, and policy management.
  2. Update your profiles. If you have a current-state assessment, formalize it as a Current Profile. Build a Target Profile based on your regulatory obligations and risk tolerance. The gap analysis between the two becomes your remediation plan.
  3. Check the CPRT. If your crosswalk references are from the 1.1 PDF, update them using the online CPRT. Mappings have been refreshed and expanded.
  4. Review Implementation Examples. Look at the examples NIST provides for each subcategory. They can help you fill in operational gaps, especially in areas where your documentation says the right things but your actual practices are thin.
  5. Do not chase Tier 4. Assess your tier honestly and make sure it is appropriate for your risk environment. Document why you chose the tier you are at.

So should you migrate?

CSF 2.0 is more complete and more practical than 1.1. The Govern function fills the biggest hole in the original structure: it treats cybersecurity as a leadership responsibility, not just a technical one.

If your firm already uses CSF 1.1, the transition is manageable. If you are starting from scratch, go straight to 2.0. Either way, the framework fits smaller firms much better than 1.1 ever did. See how BlackSheep maps your program to CSF 2.0.
