CMMC and the DVMS Institute NIST Cybersecurity Framework Digital Value Management System®
The Digital Value Management System™ (DVMS) provides a robust, adaptive, and capability-driven approach that aligns seamlessly with the goals of the Cybersecurity Maturity Model Certification (CMMC) program in the United States. Designed to ensure that Department of Defense (DoD) contractors safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), CMMC mandates that organizations not only implement cybersecurity practices but also institutionalize them as part of their day-to-day operations. This requires more than technical controls—it calls for mature governance, process integration, cultural alignment, and continuous improvement. The DVMS offers this comprehensive overlay system, transforming CMMC compliance from a checklist exercise into a scalable, organization-wide capability that enhances resilience and performance.
At its core, CMMC 2.0. outlines three maturity levels, each building on the previous by adding more advanced cybersecurity practices and deeper institutionalization. These levels correspond to increasing expectations for process maturity—from basic cyber hygiene to proactive, risk-informed cybersecurity management. The DVMS overlays these expectations with its structured capability model, notably the Z-X Model, which defines seven minimal viable capabilities necessary to create, protect, and deliver digital business value: govern, assure, plan, design, change, execute, and innovate. These capabilities are not abstract ideals—they represent operational functions that must be understood, measured, and continually improved to meet the escalating demands of CMMC.
The DVMS begins with the foundational principle that cybersecurity must be integrated into an organization’s strategic and operational overlay system—not treated as an isolated technical domain. This is a direct match with CMMC’s emphasis on institutionalization. In DVMS, cybersecurity is embedded in the CPD Model (Create–Protect–Deliver), ensuring that cyber risk management is central to how digital value is conceived, secured, and delivered. This model helps organizations internalize CMMC practices by showing how each cybersecurity requirement supports the mission of the business and the delivery of services to government customers. Rather than adding cybersecurity on top of operations, the DVMS helps embed it within them, making practices sustainable and repeatable—key criteria for achieving higher CMMC levels.
CMMC Level 1 focuses on the basic safeguarding of FCI, emphasizing foundational practices such as access control, physical protection, and system configuration. The DVMS supports this through its initial “stabilization” phase in the FastTrack™ implementation model. This phase helps organizations identify their current baseline, establish governance ownership, and ensure essential controls are in place. It also supports training, documentation, and awareness—key aspects the CMMC assesses even at the most basic level. What differentiates the DVMS is that it does not stop at implementation; it immediately introduces measurement and alignment, ensuring that even Level 1 practices are supported by a rationale tied to business objectives and contextual risk.
As organizations move toward CMMC Level 2—focused on protecting CUI and closely aligned with NIST SP 800-171—the DVMS becomes even more relevant. Level 2 introduces process maturity: organizations must implement controls and manage and document them in a repeatable fashion. The DVMS supports this by embedding assurance and planning as core capabilities. Through the “assure” capability, organizations implement validation and monitoring systems that provide evidence of performance. With tools like the Goal-Question-Metric (GQM) and the adapted Question Outcome–Question Metric (QO-QM), DVMS enables organizations to align metrics with CMMC control objectives, demonstrate ongoing compliance, and create a defensible audit trail. These tools are particularly valuable for showing how cybersecurity decisions are risk-informed and strategically justified—key to satisfying the maturity aspect of CMMC Level 2.
Planning and design—two other DVMS capabilities—are also critical at this stage. CMMC expects organizations to adopt a structured, proactive approach to cybersecurity, which includes defining roles, responsibilities, resources, and risk management processes. The DVMS enables this through systems thinking, allowing organizations to assess interdependencies, map capability gaps, and design cybersecurity programs that are scalable and aligned with strategic priorities. The DVMS doesn’t prescribe a one-size-fits-all model; it helps organizations overlay its structure onto what they already do, integrating with existing practices such as ISO/IEC 27001, NIST RMF, or internal governance models.
CMMC Level 3 further emphasizes the need for organizations to be adaptive, risk-aware, and capable of continuous improvement in the face of evolving threats. This level aligns strongly with the “innovate” capability in the DVMS Z-X Model, where cybersecurity is no longer just about protecting assets but about enabling strategic agility and digital transformation. DVMS empowers organizations to embrace threat intelligence, adopt adversarial mindsets (“being the menace”), and evolve their systems in real-time based on feedback and foresight. This level of maturity sets truly resilient organizations apart—and what CMMC ultimately aims to cultivate in defense contractors handling the most sensitive data.
Third-party risk management, a growing concern in the DoD ecosystem, is also addressed by CMMC and the DVMS. CMMC expects organizations to ensure their suppliers meet equivalent security standards, mainly if those suppliers handle CUI. The DVMS helps operationalize this requirement through its 3D Knowledge Model, which maps the collaborative, operational, and strategic interdependencies between internal teams and external partners. This model allows organizations to assess third-party relationships in terms of contract language and risk exposure, resilience posture, and alignment with security goals. This approach enables a more proactive stance on third-party assurance, shifting from reactive compliance to a more integrated and strategic model of supply chain security.
One of the significant challenges organizations face with CMMC is the need to demonstrate process maturity—not just that controls are implemented, but that they are institutionalized across the organization. This is where the cultural integration features of the DVMS genuinely shine. DVMS fosters a questioning culture where individuals are encouraged to think critically about their roles, understand how their actions affect cybersecurity, and participate in continuous learning. Training, knowledge sharing, and feedback are not treated as one-off exercises but as embedded cultural practices. This aligns perfectly with CMMC’s requirement that cybersecurity practices be “managed” and “reviewed” on an ongoing basis, with involvement from leadership and engagement from the workforce.
The DVMS also addresses a central CMMC pain point—overhead and resource allocation. Many smaller contractors struggle with the perception that CMMC is too resource-intensive or complex. The DVMS’s FastTrack™ implementation model solves this by introducing an incremental, scalable path to capability maturity. Organizations can begin where they are, prioritize high-value capabilities, and build maturity through phases: Initiate, Stabilize, Expand, and Innovate. This allows even small-to-medium-sized businesses (SMBs) to pursue CMMC readiness in a manageable, risk-informed way. The model also integrates continuous improvement, reducing the burden of last-minute remediation and expensive certification sprints.
Another strength of the DVMS is its ability to support organizations that must meet overlapping regulatory requirements beyond CMMC. Many U.S. companies doing business with public and private sector clients are subject to various mandates—from FedRAMP to HIPAA to the upcoming SEC cybersecurity disclosure rules. The DVMS’s overlay model allows organizations to build a single, coherent operating system that aligns with multiple standards, making CMMC one piece of a larger, harmonized resilience strategy. This interoperability is particularly beneficial for organizations seeking to reduce compliance fatigue and focus on actual performance and assurance.
The DVMS provides a highly effective, scalable, and strategically aligned model for operationalizing the capabilities required by the Cybersecurity Maturity Model Certification in the United States. It transforms compliance into capability and capability into performance assurance. By embedding cybersecurity into governance, operations, culture, and digital value delivery, the DVMS equips organizations to meet and exceed the expectations of the Department of Defense while also strengthening their broader resilience and competitive position. As cybersecurity becomes inseparable from trust, performance, and national security, the DVMS ensures that U.S. companies are compliant and capable in a digital-first world.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.
DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2 etc.).
® DVMS Institute 2024 All Rights Reserved
