An Integrated and Affordable Solution for DIB Companies to Achieve CMMC Certification
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
The U.S. Department of Defense (DoD) has made it unequivocally clear that cybersecurity within the Defense Industrial Base (DIB) is not a discretionary concern but a national imperative. To safeguard Controlled Unclassified Information (CUI) and maintain operational readiness, the DoD established the Cybersecurity Maturity Model Certification (CMMC) to verify and validate the cybersecurity capabilities of its vast supplier network. However, CMMC, in its design, is fundamentally a set of compliance requirements; it prescribes what needs to be done but does not articulate how to achieve and maintain those capabilities sustainably. This is where the integration of the NIST Cybersecurity Framework and a Digital Value Management System (NIST-CSF-DVMS) becomes indispensable. Together, they provide a dynamic, strategic, and operational approach that enables the DIB to meet CMMC mandates and continuously mature its cybersecurity posture in alignment with the DoD’s long-term resilience objectives.
CMMC establishes maturity levels that define increasing cybersecurity safeguards, ranging from basic cyber hygiene to advanced practices. These levels are built on existing standards such as NIST SP 800-171 and the broader principles found in NIST CSF. However, the Defense Department’s expectations go beyond mere technical implementation; they demand embedded organizational practices that are sustainable, adaptable, and capable of evolving with the threat landscape. In this regard, the NIST Cybersecurity Framework—particularly in its 2.0 iteration—serves as a comprehensive guidance system for organizations to understand, assess, and improve their cybersecurity outcomes. It does so through six integrated functions: Govern, Identify, Protect, Detect, Respond, and Recover. These functions establish a common taxonomy and language that aligns cybersecurity with enterprise risk management, enabling both strategic leadership and operational teams to collaborate effectively.
What binds the CMMC and NIST CSF into an effective engine for digital resilience is the Digital Value Management System (DVMS). The DVMS is not just another framework or method—it is a systems-based overlay that enables organizations to see, think, and act differently about digital value creation and protection. While CMMC outlines what organizations in the DIB must demonstrate, and NIST CSF offers a flexible, outcome-driven model to achieve those ends, the DVMS supplies the crucial “how” by embedding these goals into the organization’s structure, culture, and governance. The DVMS accomplishes this through its minimum viable capabilities (MVCs): Govern, Assure, Plan, Design, Change, Execute, and Innovate. These capabilities form a lifecycle through which digital business value can be created, protected, and delivered coherently and repeatably.
At the heart of the DVMS is the CPD Model—Create, Protect, Deliver. This model reinforces the notion that value creation and protection must occur concurrently rather than sequentially. This is essential when dealing with CUI and other sensitive defense-related assets. If an organization develops cutting-edge aerospace technology but does not protect its digital blueprints and manufacturing systems, the value of that innovation is immediately compromised. The CPD Model allows DIB contractors to internalize cybersecurity as part of their core operational logic rather than treat it as a compliance burden. CMMC’s practices become natural by-products of a well-governed, risk-informed, and adaptive enterprise—not external constraints to be managed separately.
Furthermore, the DVMS supports the profiling and tiering concepts embedded within the NIST CSF. By creating organizational profiles, a company can describe its current and target states of cybersecurity maturity in a structured and contextualized way. This is highly valuable in a CMMC context, where organizations must demonstrate increasing capability and process maturity to handle more sensitive information. The DVMS enables the organization to document, monitor, and continuously refine these profiles through its governance and assurance functions, ensuring that the whole organization, not just the IT department, is working toward the desired outcomes.
The power of this integrated approach lies in its ability to continuously align strategic intent with operational execution, a necessity in the fast-evolving threat landscape of the defense sector. For example, the “Govern” function in both the CSF and the DVMS is not about creating static policies—it is about establishing a living governance structure that adapts to new risks, compliance updates, and mission changes. This is vital because the DoD’s expectations are not static either; adversaries evolve, technologies shift, and regulatory landscapes change. The DVMS ensures that governance remains dynamic and anchored in real-time awareness and organizational accountability, enabling the DIB to stay aligned with DoD requirements across time and circumstances.
Moreover, the DVMS approach supports and operationalizes risk-informed decision-making. The CSF’s Tiers (Partial, Risk-Informed, Repeatable, Adaptive) describe increasing levels of cybersecurity risk governance rigor. The DVMS provides the scaffolding to move an organization up these Tiers by integrating cross-functional teams, leadership oversight, and continuous measurement and learning. The CMMC Level 3 certification, for example, is not just about meeting technical control requirements—it is about demonstrating that those controls are embedded in institutionalized and continually improved processes. DVMS enables that institutionalization through its structures and processes while NIST CSF and CMMC provide the benchmarks and verification criteria.
Additionally, the DVMS promotes a cultural shift essential for enduring success in cybersecurity. Culture is often the missing element in compliance-driven initiatives. The DVMS treats culture as a strategic asset, ensuring cybersecurity awareness and accountability cascade from the boardroom to the break room. This aligns closely with CMMC’s emphasis on organizational maturity, including demonstrating documented policies, trained personnel, and institutional knowledge sharing. By fostering a culture that values learning, transparency, and proactive risk management, the DVMS helps the DIB fulfill the letter of CMMC and its spirit.
In operational terms, CMMC, NIST CSF, and DVMS also enable the DIB to manage supply chain risk better, which is a top priority for the DoD. The CSF now explicitly integrates supply chain risk management under its GOVERN function, and CMMC includes requirements for flow-down controls to subcontractors. The DVMS, with its systems-thinking foundation, ensures that these requirements are not implemented in isolation but integrated into the enterprise’s broader strategic and operational ecosystem. This allows for better transparency, oversight, and resilience across supply chains—capabilities paramount in defending against sophisticated nation-state adversaries.
The DoD expects not only cybersecurity compliance from its defense contractors but also demonstrable resilience, adaptability, and strategic alignment with national security objectives. This cannot be achieved by CMMC alone. Nor can it be accomplished by applying the NIST CSF as a loose collection of best practices. It requires a disciplined, adaptive, and enterprise-wide management approach that operationalizes these frameworks into a coherent system of digital value governance. The DVMS delivers this capability, making it the bridge that connects compliance to competence and competence to confidence. By integrating CMMC, NIST CSF, and the DVMS, the Defense Industrial Base can meet the Defense Department’s expectations—not merely by passing audits but by embodying the principles of cyber resilience and digital trust upon which national security increasingly depends.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
DVMS Institute is a renowned provider of Accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework and Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms, and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandate (HITRUST, CMMC, C2M2, etc.).
© DVMS Institute 2024. All Rights Reserved.