How to Use NIST CSF 2.0 to Prepare for Your Next SEC Exam

Why examiners reference NIST CSF

The SEC has never mandated a specific cybersecurity framework. What they require is that your program be "reasonably designed" to protect customer information. That phrase leaves a lot of room for interpretation.

In practice, SEC examination staff reference NIST CSF as a benchmark. The Division of Examinations has cited it in risk alerts, and examiners often use CSF categories to organize their review of a firm's cybersecurity posture. If your program aligns with CSF, you are speaking the same language as the person across the table.

That does not mean CSF alignment equals automatic compliance. But it gives you a defensible structure when someone asks you to show your program is reasonable.

Your Current Profile is your "as-is" document

CSF 2.0 formalizes the concept of a Current Profile: a documented snapshot of your cybersecurity posture across all six functions. Think of it as your answer to "where do you stand today?"

When an examiner asks about your cybersecurity program, your Current Profile is the document you hand them. It should show:

• Which CSF subcategories you have addressed
• What controls, policies, and processes map to each subcategory
• Where you have identified gaps
• What tier you operate at and why

The fact that you have gaps is not the problem. Every firm has gaps. The problem is not knowing where they are or not having a plan to address them.

Your Target Profile is your remediation roadmap

A Target Profile describes where you want your cybersecurity posture to be, based on your risk environment, regulatory obligations, and business objectives. The gap between your Current Profile and your Target Profile is your action plan.

This matters during an exam. It demonstrates good faith. An examiner who sees a Current Profile with documented gaps and a Target Profile with a timeline for addressing them is going to view your program very differently than one who sees a firm that cannot articulate its own risk posture.

Prioritize your Target Profile items by risk. Not everything needs to be fixed at once. Show that you understand which gaps carry the most risk and are addressing those first.

Build a crosswalk spreadsheet

A crosswalk maps your existing policies, procedures, and controls to CSF subcategories. It connects "we have a cybersecurity program" to "here is exactly how our program addresses each area of the framework."

Your crosswalk should have at minimum:

• CSF Function and Subcategory (e.g., PR.AC-1, now PR.AA in 2.0)
• Your policy or procedure that addresses it (e.g., "Access Control Policy, Section 3.2")
• Evidence that demonstrates implementation (e.g., "Quarterly access review logs, last completed January 2026")
• Status (implemented, partially implemented, not started)
• Owner (who is responsible for this control)

This is the document examiners will spend the most time with. Make it thorough and keep it current.

Document the Govern function specifically

Examiners tend to start with the Govern function. Governance is what separates a firm that takes cybersecurity seriously from one that has a binder on a shelf.

SEC examiners specifically look for evidence of board or senior management involvement in cybersecurity oversight. Under CSF 2.0, that maps directly to the Govern function:

• GV.OC: Do you understand your organizational context? Your regulatory environment, your risk exposure, your stakeholder expectations?
• GV.RM: Do you have a documented risk management strategy? Have you articulated your risk appetite?
• GV.RR: Are cybersecurity roles and responsibilities clearly defined? Who is accountable?
• GV.PO: Are your policies documented, approved, and reviewed on a regular cycle?
• GV.OV: Is there active oversight? Do the partners or board receive cybersecurity reports? How often?
• GV.SC: Are you managing supply chain and vendor risk? (This one also satisfies Reg S-P vendor oversight requirements.)

For a small RIA, "the board" might be the managing partners. The "CISO" might be the CCO wearing a second hat. That is fine. The point is that someone is accountable and the oversight is documented.

Evidence examiners request, mapped to CSF functions

Here is a practical mapping of common SEC examiner requests to CSF 2.0 functions:

• "Show us your cybersecurity policies." → Govern (GV.PO) and Protect (PR)
• "Who is responsible for cybersecurity?" → Govern (GV.RR)
• "How does the board oversee cyber risk?" → Govern (GV.OV)
• "Show us your risk assessment." → Identify (ID.RA) and Govern (GV.RM)
• "What access controls are in place?" → Protect (PR.AA)
• "How do you monitor for threats?" → Detect (DE.CM, DE.AE)
• "Walk us through your incident response plan." → Respond (RS.MA, RS.AN, RS.CO)
• "How do you handle vendor oversight?" → Govern (GV.SC) and Identify (ID.AM)
• "Show us your business continuity plan." → Recover (RC.RP)
• "What training do employees receive?" → Protect (PR.AT)

If you can pull evidence for each of these within an hour of an examiner asking, you are in good shape. If you cannot, your crosswalk has gaps.

CSF alignment is not compliance

Aligning your program with NIST CSF does not automatically make you compliant with Reg S-P, NYDFS 500, or any other regulation. Those rules have specific requirements that go beyond what any framework covers.

What CSF alignment does give you is a way to show reasonableness. It tells examiners you followed a recognized approach, and that your program was not cobbled together the week before the exam.

Think of it this way: CSF is the scaffolding. Regulatory requirements are the building code. You need both.

Practical steps before your exam

1. Complete your Current Profile. Assess every CSF subcategory against your actual practices. Be honest about gaps.
2. Build your Target Profile. Base it on your regulatory obligations (Reg S-P, state laws) and risk environment. Include timelines.
3. Create or update your crosswalk. Map every policy, procedure, and control to the relevant CSF subcategory. Include evidence references.
4. Document Govern thoroughly. This is where examiners start. Make sure governance roles, risk strategy, policy oversight, and vendor management are all documented.
5. Organize your evidence. Have SOC 2 reports, access review logs, training records, incident response test results, and vendor due diligence files ready to produce.
6. Run a mock exam. Walk through common examiner questions with your team. Find the places where you stumble. Fix them before the real thing.

What examiners actually want to see

SEC examiners are not going to quiz you on tier levels or subcategory numbers. They want to see that your cybersecurity program is written down and actually running. NIST CSF 2.0 gives you the structure to prove that.

Show up with a Current Profile, a Target Profile, a crosswalk, and organized evidence. That is what gets you through the exam. BlackSheep builds the crosswalk for you.