SOCI Act Compliance and the DVMS Institute NIST Cybersecurity Framework Digital Value Management System®

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The Digital Value Management System™ (DVMS) provides an advanced, systems-thinking-based overlay system that is exceptionally well-suited to help companies in Australia operationalize the capabilities required under the Security of Critical Infrastructure (SOCI) Act. As Australia strengthens its legislative framework to protect nationally significant infrastructure against a growing array of cyber, physical, and supply chain threats, organizations must move beyond baseline compliance efforts and adopt mature, strategic approaches to resilience. The SOCI Act demands proactive, accountable, and adaptive cybersecurity and risk management capabilities across critical energy, water, communications, banking, transport, and healthcare sectors. The DVMS enables organizations to build and sustain these capabilities, aligning operational practices with strategic goals while embedding resilience as a continuous, organization-wide capability rather than a static outcome.

The SOCI Act introduces four significant areas of obligation for operators of critical infrastructure assets: (1) mandatory reporting of cyber incidents, (2) a risk management program covering cyber, physical, personnel, and supply chain risks, (3) ownership and operational information transparency, and (4) government assistance measures in cases of significant national threats. These provisions require organizations to demonstrate technical competence, strategic leadership, operational maturity, and integrated risk governance. This is precisely where the DVMS excels. It provides a structured model that combines the governance of digital value with cyber and operational risk management, turning regulatory requirements into practical, adaptive capabilities embedded into business processes and culture.

At the heart of the DVMS is the CPD Model (Create–Protect–Deliver), which defines the lifecycle of digital business value. This model ensures that protection and resilience are not treated as afterthoughts but are built into the creation and delivery of value itself. For Australian organizations managing critical infrastructure, this is a necessary shift. The SOCI Act places equal importance on preventing, responding to, and recovering from cyber incidents. The CPD Model helps organizations align their value creation with protection strategies, ensuring that investments in innovation, service delivery, and modernization are securely governed and operationally resilient. This foundational alignment between business objectives and risk management is a requirement under the SOCI Act, which explicitly calls for security and resilience to be embedded in operational strategies and planning.

The DVMS’s Z-X Model further breaks down the seven minimum viable capabilities required to sustain operational resilience: govern, assure, plan, design, change, execute, and innovate. These capabilities map directly onto the SOCI Act’s requirement for a Risk Management Program that addresses all hazards—including cyber, physical, and supply chain threats. The “govern” capability ensures that cybersecurity is integrated into board-level and executive decision-making, in line with SOCI’s Positive Security Obligations (PSO), which place direct responsibility on directors and officers. Through the DVMS, organizations can define clear lines of accountability, assign responsibility for cybersecurity outcomes, and embed cybersecurity oversight into their broader governance and assurance functions.

The “assure” capability addresses the SOCI Act’s emphasis on demonstrating the effectiveness of risk controls. The DVMS supports this through structured feedback mechanisms, such as the Goal-Question-Metric (GQM) and Question Outcome–Question Metric (QO-QM) approaches. These tools help organizations translate strategic objectives into measurable outcomes, validate the efficacy of control implementations, and continuously improve their risk posture. SOCI’s risk management requirements are not static; organizations are expected to assess and evolve their capabilities in response to changing threats and operational contexts. The DVMS operationalizes this expectation by embedding dynamic measurement and evaluation into the system, promoting a culture of evidence-based learning and improvement.

The DVMS also enhances incident response capabilities—a core pillar of SOCI. The Act requires critical infrastructure entities to report cyber incidents within strict timeframes (usually within 12 or 72 hours) and to maintain processes for identifying, managing, and mitigating threats. These expectations go beyond technical response—they require organizations to have clear escalation protocols, communication strategies, and coordination with government agencies. The DVMS integrates incident response into its broader CPD value stream, ensuring that detection, containment, recovery, and reporting processes are aligned with business impact priorities. Moreover, DVMS promotes the concept of “being the menace”—an advanced capability that encourages organizations to adopt an adversarial mindset through red-teaming, misuse cases, and threat modeling. These proactive approaches help identify vulnerabilities before they are exploited, aligning with SOCI’s focus on pre-emptive and responsive resilience.

Supply chain risk management is another key focus of the SOCI Act, reflecting that many critical services depend on third-party providers. SOCI requires organizations to identify critical dependencies, assess security posture, and address third-party risks in contracts and monitoring processes. The DVMS supports these efforts through its 3D Knowledge Model, which provides a structured way to understand how external systems, suppliers, and stakeholders influence organizational value and risk. This model maps knowledge (x-axis), collaboration (y-axis), and strategic alignment (z-axis), helping organizations visualize interdependencies and prioritize resilience-building efforts across their extended enterprise. Rather than treating third-party risk as a compliance checkbox, DVMS enables a more profound, systems-based understanding of how external factors influence resilience—and how those relationships can be governed effectively.

The DVMS FastTrack™ implementation model benefits Australian organizations beginning their journey under the SOCI framework. It guides companies through four phases: Initiate, Stabilize, Expand, and Innovate. Early phases focus on building foundational capabilities and stabilizing core systems, while later phases introduce continuous improvement, threat-led planning, and innovation-driven resilience. This staged maturity journey directly aligns with SOCI’s expectation that critical infrastructure entities demonstrate initial compliance and a pathway to sustained advanced capability. The FastTrack model also reduces the risk of over-engineering solutions in the early stages and instead promotes right-sized, context-aware progress tailored to organizational readiness and sector-specific challenges.

Cultural change and leadership engagement are also emphasized in both SOCI and the DVMS. SOCI requires that organizations foster a culture of cyber awareness and embed security into decision-making at all levels. DVMS provides a structured pathway to achieve this cultural integration by focusing on collaboration, questioning, and learning. By promoting a questioning culture, DVMS encourages individuals and teams to challenge assumptions, surface hidden risks, and take collective ownership of cybersecurity. This is supported by organizational learning tools such as the 5 Whys and scenario-based planning, which help transform incidents into learning opportunities and elevate awareness across the enterprise.

One of the most valuable aspects of the DVMS in the Australian context is its flexibility and interoperability. Many organizations in Australia must meet multiple overlapping standards—such as SOCI, ISO/IEC 27001, the Essential Eight, APRA CPS 234, and others. The DVMS is designed as an overlay, meaning it can enhance and integrate with these existing frameworks rather than replace them. Australian organizations can leverage their current investments while aligning holistically with SOCI’s broader objectives. It also supports harmonization across regulatory domains, which is particularly important for large organizations that operate in multiple sectors or jurisdictions.

In conclusion, the Digital Value Management System provides a robust, scalable, and context-aware approach to helping Australian organizations operationalize the capabilities required by the Security of Critical Infrastructure Act. By embedding resilience into digital value creation and delivery, the DVMS enables organizations to meet and exceed regulatory requirements while building sustainable, adaptive systems that respond to complexity, uncertainty, and emerging threats. It turns SOCI compliance from a reactive, burdensome task into a strategic capability that enhances performance, trust, and national security. Through its layered models, cultural integration, and continuous improvement mindset, the DVMS helps Australia’s critical infrastructure operators not only survive regulatory change but thrive in a digitally dependent and risk-sensitive future.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

DVMS Institute is a renowned provider of Accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms, and real-life desktop simulation trainings.

The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.

By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2, etc.).

© DVMS Institute 2024 All Rights Reserved