The NIST-CSF-DVMS – Proactively Identifying, Classifying, and Mitigating Third-, Fourth-, and Fifth-Party Systemic Risks

Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The NIST Cybersecurity Framework (CSF) 2.0 and the Digital Value Management System® (DVMS) provide a structured, adaptable, and holistic foundation for governments and businesses to manage the increasing complexity of third-, fourth-, and fifth-party cyber risks. In an interconnected digital economy, these risks arise from direct suppliers and the extended web of their vendors and service providers. By aligning cybersecurity with enterprise risk management and embedding it into organizational strategy, governance, and culture, the CSF and DVMS facilitate proactive resilience against cascading vulnerabilities across complex supply chains.

Understanding Third to Fifth Party Risks

The growing digitization of services and reliance on external vendors have significantly expanded organizations’ attack surfaces. Third-party risks stem from direct partners, such as IT service providers, SaaS platforms, or data processors. Fourth- and fifth-party risks emerge deeper within the supply chain: they come from the entities upon which third parties themselves rely. This cascading risk model becomes increasingly opaque and more complex to manage, particularly as cyber adversaries target upstream vendors to gain access to higher-value downstream targets, as exemplified by incidents like the SolarWinds breach.

NIST CSF 2.0: Governance and Supply Chain Focus

The NIST CSF 2.0 comprises six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Its flexible, outcome-based taxonomy helps organizations assess their cybersecurity posture and adapt to evolving threats. Critically, the “Govern” function in CSF 2.0 elevates the importance of governance and cybersecurity supply chain risk management (C-SCRM). It mandates establishing risk management strategies encompassing third-party and extended supply chain relationships. Organizations are prompted to establish policies, roles, and authorities that extend beyond internal boundaries, ensuring that all external parties align with the organizational risk appetite and compliance obligations.

The CSF’s use of Organizational Profiles and Tiers allows organizations to define their current and target states regarding supply chain cybersecurity. Tiers provide a maturity model that gauges the sophistication of governance and risk management practices, from ad hoc (Tier 1) to adaptive (Tier 4) levels. These mechanisms help organizations map out their existing capabilities and create actionable roadmaps for improvement, including expectations for third- and fourth-party vendors.

DVMS: Systems Thinking and Strategic Overlay

Where the CSF defines the necessary outcomes, the DVMS offers a practical approach for operationalizing them through a systems-based lens. DVMS treats cybersecurity not as a siloed technical issue but as an aspect of enterprise risk and quality management. It introduces the CPD (Create, Protect, Deliver) Model to ensure that value creation and protection happen concurrently, particularly within extended ecosystems.

A core contribution of the DVMS is its overlay methodology. Rather than replacing existing frameworks, DVMS integrates with them, such as the CSF, using a layered model of minimum viable capabilities (Govern, Assure, Plan, Design, Change, Execute, Innovate). These capabilities enable organizations to apply consistent oversight across their internal operations and external partnerships. In the context of third- to fifth-party risks, this means embedding risk-informed decision-making and cultural accountability throughout the digital value chain.

The DVMS emphasizes continuous improvement and cultural adaptation. By leveraging systems thinking, organizations can trace how risks propagate through the supply network, apply leverage where it matters most, and recalibrate structures to adapt to new threats. For example, using tools like the 3D Knowledge Model and the QO-QM (Question-Outcome–Question-Metric) methodology allows teams to challenge assumptions, expose blind spots, and build organizational resilience that extends to partners and suppliers.
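The cascading third-, fourth-, and fifth-party model and the idea of tracing how risk propagates through the supply network can be made concrete with a small dependency graph. This is an added illustration, not DVMS or NIST tooling: the supplier names are constructed, the organization is assumed to be the node "us", and a party's tier is taken from its shortest path to the organization.

```python
"""Classify extended-supply-chain parties by depth and find shared upstream dependencies."""
from collections import deque

# Constructed sample: each key relies on the suppliers listed (hypothetical names).
SAMPLE_SUPPLIERS = {
    "us": ["SaaS-A", "MSP-B", "Processor-C"],
    "SaaS-A": ["Cloud-X", "Auth-Y"],
    "MSP-B": ["Cloud-X"],
    "Processor-C": ["Auth-Y", "Payroll-Z"],
    "Cloud-X": ["Chip-Q"],
    "Auth-Y": ["Cloud-X"],
    "Payroll-Z": [],
    "Chip-Q": [],
}

TIER_NAMES = {1: "third-party", 2: "fourth-party", 3: "fifth-party"}


def classify_parties(suppliers, root="us"):
    """Breadth-first walk from the organization: depth 1 is a third party, 2 a fourth,
    3 a fifth. A party reachable by several paths is labelled by its closest relationship."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in suppliers.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return {n: TIER_NAMES.get(d, f"{d + 2}th-party") for n, d in depth.items() if n != root}


def upstream_closure(suppliers, vendor):
    """Every party a given vendor transitively relies on (the vendor itself excluded)."""
    seen, stack = set(), list(suppliers.get(vendor, []))
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(suppliers.get(v, []))
    return seen


def concentration_risk(suppliers, root="us", threshold=2):
    """Map each upstream party to the direct (third-party) vendors whose service depends on it,
    then keep those shared by at least `threshold` vendors: a deep-tier party that several
    third parties silently rely on is a systemic single point of failure, not a fourth-party footnote."""
    exposure = {}
    for third in suppliers.get(root, []):
        for up in upstream_closure(suppliers, third) | {third}:
            exposure.setdefault(up, set()).add(third)
    return {p: v for p, v in exposure.items() if len(v) >= threshold}
```

In the constructed sample, Cloud-X and its own supplier Chip-Q sit behind all three direct vendors, so a failure there cascades into every third-party relationship at once.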

Managing Risk Across the Digital Ecosystem

A key tenet in both CSF and DVMS is the recognition that cybersecurity is not solely a technology issue but an enterprise responsibility requiring alignment across governance, culture, and operations. This is particularly critical in managing cyber risks that arise from extended digital ecosystems.

NIST CSF provides a common taxonomy and language that can be communicated across internal and external stakeholders, making it possible to express cybersecurity expectations in contracts, supplier assessments, and due diligence processes. DVMS complements this by providing practical tools to assess and improve those relationships.

By using the CSF to define desired outcomes and the DVMS to integrate and implement these within a risk-governed, culturally aware enterprise system, organizations can effectively identify systemic weaknesses, prioritize mitigation efforts, and embed accountability for digital risks across the extended enterprise.

Conclusion

In an age where cybersecurity breaches often originate from the weakest link in the supply chain, the combined power of NIST CSF 2.0 and DVMS gives organizations the structure and adaptability needed to manage third-, fourth-, and fifth-party cyber risks. The CSF sets the destination—resilience and trust through measurable outcomes—while DVMS provides the roadmap and the means, through systems thinking, cultural transformation, and strategy-risk alignment. This dual approach ensures that cyber risks are identified, prioritized, and systematically mitigated to sustain value delivery and trust in an interconnected world.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

The DVMS Institute’s NIST Cybersecurity Framework Digital Value Management System® Certified Training and Assessment Programs teach enterprises the skills to build a holistic, culture-powered overlay system for Adaptive Cyber Operational Resilience.

The NIST-CSF-DVMS overlay system is a strategic, enterprise-wide operating system and cultural imperative that equips Leadership to Frontline Employees with the skills and business capabilities to Create, Protect, and Deliver (CPD) trusted & resilient digital value in a complex, multi-vendor digital ecosystem.

Enabling cyber operational resilience requires a coordinated, system-wide effort across the teams that drive the organizational Strategy, Governance, and Operational business layers.

The NIST-CSF-DVMS 3D Knowledge Model operationalizes this effort using a practical and structured approach to align workflow, communication, and innovation at the strategy, governance, and operational levels. This approach ensures resilient, adaptive, and continuously improving cybersecurity operations despite ongoing digital business disruption.

The NIST-CSF-DVMS approach to Cyber Operational Resilience also enables enterprises to comply with any government-mandated cybersecurity regulation (SEC, DORA, NIS2, etc.) or maturity model program (SCF, HITRUST, CMMC, etc.).

® DVMS Institute 2025 All Rights Reserved
