Operationalizing NIST CSF Through DVMS – The Assurance in Action Series – Part 2
David Nichols – Co-Founder and Executive Director of the DVMS Institute
The Familiar Map – and Its Limits
What would you say if a board member or your CEO asked, “You know the NIST Cybersecurity Framework. But how do we live it every day?”
The NIST Cybersecurity Framework (NIST CSF) is one of the most recognized tools in digital governance. It’s cited by regulators, referenced in boardrooms, and included in contracts. For many organizations, claiming alignment with the NIST CSF demonstrates that they take resilience seriously.
That adoption has marked a significant advance. For twenty years, frameworks have aided organizations in establishing discipline, structure, and comparability. They remain vital. But here’s the problem: too often, NIST CSF is turned into a checklist, a binder, or a maturity score. Managers view the six functions — Govern, Identify, Protect, Detect, Respond, and Recover — as boxes to check off. Reports are submitted. Certifications are achieved.
And still, when disruption strikes, organizations falter:
- Equifax (2017): frameworks in place, audits passed, compliance achieved — yet a single unpatched vulnerability led to a catastrophic breach.
- Colonial Pipeline (2021): cyber policies and safeguards existed, but treating cyber as “IT’s problem” left operations unprepared for ransomware disruption.
- Snowflake (2024): strong compliance posture and certifications, yet misconfigurations across more than 160 environments caused widespread impact.
The lesson isn’t that NIST CSF has flaws. Quite the opposite: NIST CSF is a solid guide. But guides aren’t the same as the actual terrain. Owning one doesn’t mean you can navigate the ground. The challenge for managers is how to transition from simply adopting the NIST CSF to customizing it, thereby turning the guide into a practical system that provides assurance evidence.
The Disconnect in Practice
Managers often view NIST CSF through siloed lenses:
- Cybersecurity emphasizes “Protect” and “Detect.”
- IT focuses on “Recover,” highlighting uptime and continuity.
- Compliance leans on “Identify,” ensuring audits and risk registers are maintained.
- Governance is viewed as the responsibility of executives alone.
Every function believes it’s performing well, showing dashboards and reports that seem impressive. But when disruption happens, the framework breaks apart. Escalation is slow, recovery takes too long, and the board receives artifacts — not evidence.
This is the translation problem highlighted in Part 1: executive intent gets diluted into activities instead of being turned into integrated capabilities. Without a system to connect them, NIST CSF risks remaining just a map on the shelf.
The Role of DVMS as the Overlay
As described in Thriving on the Edge of Chaos and The Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the Digital Value Management System® (DVMS) functions as the operating system that makes frameworks like NIST CSF actionable.
DVMS aligns three essential elements into one continuous cycle:
- Governance intent – what boards and executives declare must be achieved.
- Operational workflows – how managers and teams carry that intent out.
- Assurance evidence – the proof that capabilities perform under stress.
Without DVMS, adoption risks becoming symbolic. With DVMS, NIST CSF is integrated into daily operations. Managers can see not only where alignment exists but also where Minimum Viable Capabilities (MVC) are lacking. This overlay transforms static alignment into dynamic assurance.
CPD as the Organizing Principle
The six functions of NIST CSF — Govern, Identify, Protect, Detect, Respond, and Recover — are often implemented in isolation. But resilience isn’t about individual functions. It’s about sustaining digital business value.
The Create, Protect, Deliver (CPD) Model reframes the NIST CSF through outcomes:
- Create: design and build services with resilience from the start.
- Protect: safeguard them through monitoring, controls, and rehearsed responses.
- Deliver: ensure continuity and recovery while preserving trust.
Viewed through CPD, the NIST CSF functions become building blocks for capabilities that reinforce one another.
For example:
- Respond is not just a plan on paper but rehearsed workflows that demonstrate recovery times and escalation effectiveness.
- Recover is not simply restoring data but proving services return within governance-defined thresholds.
NIST CSF gives the map. CPD ensures the journey remains focused on value.
From Controls to Assurance Evidence
At the heart of this shift lies the difference between controls and assurance.
Controls such as firewalls, access rules, and backup procedures offer comfort; assurance builds confidence through evidence that those controls perform under stress.
This is where the QO–QM (Question Outcome–Question Metric) model becomes vital:
- Outcome (fit for purpose): “Customer services must be available within four hours of disruption.”
- Metric (fit for use): “In the last three rehearsals, recovery averaged 2.5 hours.”
The gap between the two drives innovation and incremental capability development. Embedding QO–QM within DVMS ensures that NIST CSF is more than alignment — it becomes a system of evidence.
Practical Example: NIST CSF in Action
Consider the common board directive: “Ensure resilience against a ransomware attack.”
Policy intent: Ransomware framed as a business risk tied to trust and continuity.
NIST CSF alignment: Identify assets, Protect with backups and access controls, Detect anomalies, Respond with playbooks, Recover systems.
DVMS/CPD operationalization:
- Create: Systems designed with segmentation, redundancy, and secure backups.
- Protect: Teams rehearse ransomware response, test detection, and refine controls.
- Deliver: Recovery performance measured against thresholds, evidence reported to governance.
When disruption occurs, managers don’t just verify that controls were in place; they also show that those controls were effective. They demonstrate that recovery happened promptly, escalation worked, and trust remained intact.
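As an added illustration (not from the article or the DVMS Institute), this applies the QO–QM comparison to the recovery evidence in the ransomware example: constructed rehearsal records are checked against the governance-defined four-hour outcome, reporting the worst case and any breaches alongside the average, since an average of 2.5 hours can hide a rehearsal that exceeded the threshold. The `Rehearsal` fields and the function name are assumptions for this example.

```python
from dataclasses import dataclass
from statistics import mean

# Governance-defined outcome (fit for purpose) taken from the article:
# customer services must be available within four hours of disruption.
OUTCOME_THRESHOLD_HOURS = 4.0


@dataclass(frozen=True)
class Rehearsal:
    """One recovery rehearsal; field names are assumptions for this example."""
    rehearsal_id: str
    service: str
    recovery_hours: float      # declared disruption -> service restored
    escalation_minutes: float  # detection -> decision maker engaged


# Constructed sample evidence: the mean is 2.5 h, as in the article,
# but one rehearsal individually exceeds the four-hour outcome.
SAMPLE_REHEARSALS = [
    Rehearsal("R-01", "customer-portal", 1.5, 12),
    Rehearsal("R-02", "customer-portal", 1.5, 9),
    Rehearsal("R-03", "customer-portal", 4.5, 35),
]


def evaluate_qo_qm(rehearsals, threshold_hours=OUTCOME_THRESHOLD_HOURS):
    """Compare rehearsal metrics (fit for use) with the outcome (fit for purpose).

    Returns an evidence record rather than a single pass/fail, because the
    average can satisfy the threshold while an individual rehearsal breached it.
    """
    if not rehearsals:
        raise ValueError("no rehearsal evidence: assurance cannot be asserted")
    times = [r.recovery_hours for r in rehearsals]
    breaches = [r.rehearsal_id for r in rehearsals if r.recovery_hours > threshold_hours]
    worst = max(times)
    return {
        "rehearsals": len(rehearsals),
        "threshold_hours": threshold_hours,
        "average_hours": round(mean(times), 2),
        "worst_case_hours": worst,
        "average_within_threshold": mean(times) <= threshold_hours,
        "every_rehearsal_within_threshold": not breaches,
        "breaches": breaches,
        # Positive: headroom on the worst case. Negative: the capability gap
        # that should drive the next increment of MVC development.
        "worst_case_gap_hours": round(threshold_hours - worst, 2),
    }


if __name__ == "__main__":
    print(evaluate_qo_qm(SAMPLE_REHEARSALS))
```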
AI and the New Assurance Frontier
For years, scale has been a significant barrier to implementing assurance. Continuous monitoring, scenario testing, and real-time reporting were perceived as too burdensome for most organizations.
That is changing. Advances in AI and agentic automation are lowering the “burden of assurance.” AI-powered monitoring systems continuously detect anomalies. Automated recovery testing confirms continuity capabilities. Agentic systems produce QO–QM evidence in real time.
With these tools, assurance moves from occasional reports to continuous proof. For managers, this means NIST CSF can finally be implemented at scale — not just adopted. For boards, it means that assurance evidence becomes part of governance discussions in real time.
The Manager’s Paradigm Shift
Operationalizing NIST CSF through DVMS requires a profound shift in mindset:
- From adopting NIST CSF → to adapting it through DVMS.
- From alignment and reports → to capabilities and evidence.
- From static maps → to living systems.
As Thriving on the Edge of Chaos reminds us, leadership is about turning complexity into clarity. Managers demonstrate leadership when they transform frameworks into systems that prove resilience.
The Executive Question for Managers
In the Assurance Mandate whitepaper, the call to boards was clear: move from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA).
Now, the call to managers is equally clear: can you demonstrate that frameworks like NIST CSF are being adopted and adapted through DVMS?
The key question is simple:
- Are you presenting NIST CSF as artifacts — audit results, control lists, maturity scores?
- Or as evidence — recovery metrics, continuity demonstrations, resilience under pressure?
The first provides comfort. The second builds confidence.
From Map to Living System
The NIST CSF has always been a guide, not a fixed endpoint. The Digital Value Management System ensures it becomes a dynamic system — where governance goals shape workflows, capabilities develop through MVC, and assurance evidence demonstrates resilience.
For managers, the shift is clear: stop viewing the NIST CSF as the endpoint. Begin using it as a foundation for systems that generate value during disruption.
Looking Ahead
In the following article of the Assurance in Action Series, we’ll expand on this theme with “Closing the Loop: From Controls to Assurance Evidence.” We will examine how DVMS ensures that every control generates measurable proof of resilience — the evidence boards need to govern confidently in an era of ongoing disruption.
About the Author
Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There he learned how complex systems work, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
DVMS Institute®
The DVMS Institute assists organizations in operationalizing the NIST Cybersecurity Framework (CSF) by utilizing a Digital Value Management System® to transform it from a static compliance reference framework into a dynamic system of governance, resilience, and assurance.
Through its Accredited Training Programs, the Institute teaches executives, practitioners, and employees the skills to build an integrated, adaptive, and culture-driven governance and assurance operating system that utilizes NIST CSF Functions, DVMS Models, and other existing best practice systems (GRC, ITSM, etc.) to transform cyber risk into operational resilience.
The DVMS Institute’s courses offer a structured pathway for mastering the integration of governance intent, operational execution, and assurance evidence, enabling organizations to demonstrate measurable resilience, regulatory alignment, and stakeholder confidence in a rapidly evolving digital landscape.
Digital Value Management System® (DVMS)
A Digital Value Management System (DVMS) turns systemic cyber risk into operational resilience by uniting Fragmented Frameworks and Standards—such as NIST, ITSM, GRC, and ISO—into a single, adaptive Governance, Resilience, and Assurance (GRA) operating system that keeps your digital business running, no matter the disruption.
The DVMS doesn’t replace existing frameworks—it connects, contextualizes, and amplifies them, transforming compliance requirements into actionable intelligence that drives and ensures sustained digital operations and performance.
By adopting a DVMS, organizations are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
For the CIO, the DVMS provides a structured way to align technology investments and operations with measurable business outcomes.
For the CRO, the DVMS provides a way to embed risk and resilience directly into operational processes, turning risk management into a driver of performance and adaptability.
For the CISO, the DVMS provides a continuous assurance mechanism that demonstrates cyber resilience and digital trust across the enterprise and its supply chain.
For Internal and External Auditors, the DVMS provides verifiable proof that the enterprise can maintain operational continuity under stress.
DVMS Explainer Videos
- Architecture Video: David Moskowitz explains the DVMS System
- Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
- Overlay Model – What is an Overlay Model
- MVC ZX Model – Powers the CPD
- CPD Model – Powers DVMS Operations
- 3D Knowledge Model – Powers the DVMS Culture
- FastTrack Model – Enables A Phased DVMS Adoption
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
© DVMS Institute 2025. All Rights Reserved.