Enhancing Third-Party Risk Management through the NIST Cybersecurity Framework and Digital Value Management System
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
As digital businesses increasingly rely on third-party suppliers, partners, cloud service providers, and software vendors, managing the associated cybersecurity risks becomes critical to ensuring business continuity and protecting stakeholder value. Integrating the NIST Cybersecurity Framework (CSF) with the Digital Value Management System (DVMS) offers a comprehensive and scalable approach to identifying, assessing, managing, and governing third-party cybersecurity risks. By leveraging the strengths of both frameworks, organizations can build a resilient digital ecosystem adaptable to the evolving threat landscape.
The NIST CSF: A Foundation for Third-Party Risk Governance
The NIST Cybersecurity Framework version 2.0 defines a set of core Functions—Govern, Identify, Protect, Detect, Respond, and Recover—that represent high-level cybersecurity outcomes applicable across all sectors and organization sizes. Within these Functions, the CSF provides Categories and Subcategories that detail specific outcomes for managing cybersecurity risk, including supply chain and third-party risk.
A key enhancement in CSF 2.0 is the prominence of the “Govern” Function, which now explicitly includes cybersecurity supply chain risk management (C-SCRM) as a core component. This Function helps organizations establish policies, assign responsibilities, and monitor risks related to third parties. By embedding third-party risk management into governance activities, digital businesses can ensure supplier cybersecurity risks are aligned with enterprise risk management strategies and integrated with overall business objectives.
The CSF Profiles feature allows organizations to tailor the framework to their unique third-party contexts. A Target Profile may state outcomes such as requiring every vendor to meet a defined level of cybersecurity maturity, while a Current Profile can reveal where supply chain oversight falls short of that target. Using the Tier model, organizations can assess and communicate the rigor of their third-party cybersecurity governance, encouraging progression from partial, ad hoc practices toward adaptive, proactive ones.
DVMS: A Systems-Based Overlay for Third-Party Risk
The DVMS complements the NIST CSF by providing an adaptive overlay that helps operationalize the CSF’s high-level outcomes within real-world business systems. One of the DVMS’s central principles is the integration of “strategy-risk”—a recognition that strategy and risk are inseparable and must be managed concurrently to create and protect digital business value.
Using the DVMS overlay, digital businesses can identify how third-party dependencies map to their core systems and value streams. The DVMS Z-X Model structures organizational capabilities into seven domains: Govern, Assure, Plan, Design, Change, Execute, and Innovate. Each of these capabilities is relevant to third-party risk. For example, the Govern and Assure capabilities define the policies, risk tolerances, and assurance mechanisms required for vetting and monitoring vendors. Meanwhile, Plan and Design support the incorporation of secure third-party relationships into system architectures, and Execute ensures that day-to-day operations maintain supplier security postures.
The DVMS emphasizes culture, systems thinking, and leadership accountability. It helps organizations understand that third-party risk management is not merely about enforcing checklists but about reshaping behaviors, incentives, and communication patterns across internal teams and supplier relationships. By fostering a culture of resilience and shared responsibility, organizations can extend their security posture beyond organizational boundaries and into their supply chains.
Practical Benefits of the NIST CSF-DVMS Approach to Third-Party Risk
- Strategic Alignment of Vendor Risk Management
Integrating the CSF and DVMS ensures vendor risk management aligns with enterprise-wide goals. Through strategy-risk modeling and organizational profiling, businesses can determine which third-party relationships are mission-critical and assign appropriate risk levels. This alignment supports prioritizing vendor controls based on business impact, not just technical vulnerabilities.
- Scalable and Context-Aware Governance
The CSF's tiered model allows organizations to calibrate their vendor risk governance practices to their maturity and resources. The DVMS then overlays these practices to expose performance gaps and cultural misalignments. For instance, a Phase 0 DVMS FastTrack initiative might focus on basic hygiene, such as ensuring all third-party contracts include cybersecurity clauses, while later phases incorporate continual vendor performance monitoring and breach simulations.
- Enhanced Visibility and Communication
Through Organizational Profiles and the DVMS 3D Knowledge Model, businesses can map how information about third-party risks flows between teams. This visibility fosters cross-functional collaboration between legal, IT, procurement, and security teams, improving the ability to detect risks early and respond cohesively. Communicating expectations clearly to vendors, for example through a Target Profile based on NIST CSF outcomes, reduces ambiguity and supports mutual accountability.
- Proactive Risk Discovery and Continuous Improvement
The DVMS's systems thinking and cultural inquiry support the CSF's Detect and Respond Functions. Techniques like the 5 Whys and QO-QM (Question Outcome-Question Metric) help teams identify root causes of third-party incidents, such as insufficient onboarding or ineffective access controls. These insights inform continuous improvement initiatives that go beyond technical controls and address structural and behavioral weaknesses across the supply chain.
- Cultural Integration and Organizational Resilience
Third-party risks often emerge from cultural disconnects between organizations and their suppliers. The DVMS addresses this by embedding security awareness and values into the organizational culture and leadership structure. Leaders act as cultural ambassadors who model behavior and demand accountability from suppliers. Recognition programs for internal teams and vendors further reinforce a proactive risk culture.
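The Current-versus-Target Profile comparison described under the CSF Profiles discussion, and the business-impact prioritization described under Strategic Alignment above, can be made concrete as a small vendor gap analysis. The following is an added example, not code from the DVMS Institute or from NIST. It applies the CSF 2.0 Tier scale (Partial, Risk Informed, Repeatable, Adaptive) per subcategory outcome per vendor, which is a simplification of how Tiers are defined; the subcategory identifiers are taken from the CSF 2.0 Govern/Supply Chain Risk Management category (GV.SC) with their descriptions paraphrased, and the vendor records, target tiers, and criticality weights are constructed for illustration.

```python
"""Vendor gap analysis against a NIST CSF 2.0 Target Profile.

Added illustrative example (not DVMS Institute or NIST code). Tiers are applied
per outcome as a simplification; vendor data and weights are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# CSF 2.0 Implementation Tiers, ordered from least to most rigorous.
TIERS = {"Partial": 1, "Risk Informed": 2, "Repeatable": 3, "Adaptive": 4}

# Business-criticality weights are an assumption of this example, not a CSF value.
CRITICALITY_WEIGHT = {"mission-critical": 3, "important": 2, "commodity": 1}

# Target Profile: the tier each GV.SC outcome must reach for every vendor.
# Descriptions are paraphrased from CSF 2.0; target tiers are constructed.
TARGET_PROFILE = {
    "GV.SC-04": "Repeatable",  # suppliers known and prioritized by criticality
    "GV.SC-06": "Repeatable",  # due diligence before entering the relationship
    "GV.SC-07": "Adaptive",    # supplier risks assessed and monitored over time
    "GV.SC-10": "Repeatable",  # provisions for activities after the relationship ends
}


@dataclass
class Vendor:
    name: str
    criticality: str
    current: dict[str, str]  # Current Profile: assessed tier per outcome


# Constructed sample vendors (hypothetical names).
VENDORS = [
    Vendor("CloudHostCo", "mission-critical",
           {"GV.SC-04": "Repeatable", "GV.SC-06": "Risk Informed",
            "GV.SC-07": "Risk Informed"}),  # GV.SC-10 never assessed
    Vendor("PayrollSaaS", "important",
           {"GV.SC-04": "Adaptive", "GV.SC-06": "Repeatable",
            "GV.SC-07": "Repeatable", "GV.SC-10": "Repeatable"}),
    Vendor("OfficeSupplies", "commodity",
           {"GV.SC-04": "Partial", "GV.SC-06": "Partial",
            "GV.SC-07": "Partial", "GV.SC-10": "Partial"}),
]


def subcategory_gaps(current: dict[str, str], target: dict[str, str]) -> dict[str, int]:
    """Return {outcome: tier shortfall} for every target outcome the vendor
    has not reached. An outcome missing from the Current Profile counts as
    tier 0, so unassessed outcomes surface as the largest gaps."""
    gaps = {}
    for outcome, target_tier in target.items():
        achieved = TIERS.get(current.get(outcome, ""), 0)
        shortfall = TIERS[target_tier] - achieved
        if shortfall > 0:
            gaps[outcome] = shortfall
    return gaps


def risk_score(vendor: Vendor, target: dict[str, str]) -> int:
    """Total tier shortfall scaled by the vendor's business criticality, so a
    mission-critical vendor with fewer gaps can outrank a commodity vendor
    with more of them."""
    raw_gap = sum(subcategory_gaps(vendor.current, target).values())
    return raw_gap * CRITICALITY_WEIGHT[vendor.criticality]


def prioritize(vendors: list[Vendor], target: dict[str, str]) -> list[Vendor]:
    """Vendors ordered by descending risk score, ties broken by name."""
    return sorted(vendors, key=lambda v: (-risk_score(v, target), v.name))


def report(vendors: list[Vendor], target: dict[str, str]) -> list[tuple[str, int, dict[str, int]]]:
    """(name, score, gaps) rows in priority order, suitable for a vendor review."""
    return [(v.name, risk_score(v, target), subcategory_gaps(v.current, target))
            for v in prioritize(vendors, target)]


if __name__ == "__main__":
    for name, score, gaps in report(VENDORS, TARGET_PROFILE):
        print(f"{name:15} score={score:3}  gaps={gaps}")
```

In the constructed data, OfficeSupplies has the largest raw tier shortfall (9) but CloudHostCo ranks first (score 18) because its mission-critical weighting and one never-assessed outcome dominate; that is the "business impact, not just technical gaps" ordering the text argues for. Swapping the weights or the target tiers is how an organization would encode its own risk appetite.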
Conclusion: Toward Resilient and Secure Digital Ecosystems
In the digital economy, resilience hinges not only on internal cybersecurity but also on the security of the extended enterprise: its suppliers, partners, and contractors. Applying the NIST CSF and DVMS together enables digital businesses to move beyond reactive vendor oversight and instead embed third-party risk management into the DNA of organizational governance, operations, and culture.
By doing so, organizations are better equipped to anticipate, assess, and adapt to third-party risks, making their entire value delivery chain more resilient. The CSF provides the what, while the DVMS offers the how. Together, they transform third-party risk management from a fragmented compliance function into a strategic capability that creates, protects, and sustains digital business value in a dynamic and uncertain world.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.
The DVMS Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach Service Providers of any type the skills to build a Holistic, Adaptive, and Culture-Powered Cyber Resilience Overlay System capable of proactively identifying and mitigating the systemic risks that could impact cyber business operations.
The NIST-CSF-DVMS positions cyber resiliency not as a technical function but as a strategic, enterprise-wide responsibility. This systems-based approach requires engagement from top leadership to frontline employees, each fulfilling distinct duties.
Enabling Resilience requires coordinated action across an organization’s Strategy, Governance, and Operations business layers. Each of these layers contains unique roles that, when aligned and functioning cohesively, enable the organization to protect cyber business assets and adaptively manage cyber business risks while delivering sustained cyber business operations and resilience.
With this approach to Adaptive Governance, Resilience, and Assurance, service providers can support compliance with government-mandated cyber regulations (SEC, DORA, NIS2, etc.) and maturity model programs (SCF, HITRUST, CMMC, etc.).
© DVMS Institute 2025 All Rights Reserved