Operationalizing NIST CSF Through DVMS – The Assurance in Action Series – Part 2
David Nichols – Co-Founder and Executive Director of the DVMS Institute
The Familiar Map – and Its Limits
What would you say if a member of the board or your CEO asks, “You know the NIST Cybersecurity Framework. But how do we live it every day?”
The NIST Cybersecurity Framework (NIST CSF) is one of the most recognized tools in digital governance. It’s cited by regulators, referenced in boardrooms, and included in contracts. For many organizations, claiming alignment with the NIST CSF demonstrates that they take resilience seriously.
That adoption has marked a significant advance. For twenty years, frameworks have aided organizations in establishing discipline, structure, and comparability. They remain vital. But here’s the problem: too often, NIST CSF is turned into a checklist, a binder, or a maturity score. Managers view the six functions — Govern, Identify, Protect, Detect, Respond, and Recover — as boxes to check off. Reports are submitted. Certifications are achieved.
And still, when disruption strikes, organizations falter:
- Equifax (2017): frameworks in place, audits passed, compliance achieved — yet a single unpatched vulnerability led to a catastrophic breach.
- Colonial Pipeline (2021): cyber policies and safeguards existed, but treating cyber as “IT’s problem” left operations unprepared for ransomware disruption.
- Snowflake (2024): strong compliance posture and certifications, yet misconfigurations across more than 160 environments caused widespread impact.
The lesson isn’t that NIST CSF has flaws. Quite the opposite: NIST CSF is a solid guide. But guides aren’t the same as the actual terrain. Owning one doesn’t mean you can navigate the ground. The challenge for managers is how to transition from simply adopting the NIST CSF to customizing it, thereby turning the guide into a practical system that provides assurance evidence.
The Disconnect in Practice
Managers often view NIST CSF through siloed lenses:
- Cybersecurity emphasizes “Protect” and “Detect.”
- IT focuses on “Recover,” highlighting uptime and continuity.
- Compliance leans on “Identify,” ensuring audits and risk registers are maintained.
- Governance is viewed as the responsibility of executives alone.
Every function believes it’s performing well, showing dashboards and reports that seem impressive. But when disruption happens, the framework breaks apart. Escalation is slow, recovery takes too long, and the board receives artifacts — not evidence.
This is the translation problem highlighted in Part 1: executive intent gets diluted into activities instead of being turned into integrated capabilities. Without a system to connect them, NIST CSF risks remaining just a map on the shelf.
The Role of DVMS as the Overlay
As described in Thriving on the Edge of Chaos and The Practitioner’s Guide to Building Cyber-Resilience (Second Edition), the Digital Value Management System® (DVMS) functions as the operating system that makes frameworks like NIST CSF actionable.
DVMS aligns three essential elements into one continuous cycle:
- Governance intent – what boards and executives declare must be achieved.
- Operational workflows – how managers and teams carry that intent out.
- Assurance evidence – the proof that capabilities perform under stress.
Without DVMS, adoption risks becoming symbolic. With DVMS, NIST CSF is integrated into daily operations. Managers can see not only where alignment exists but also where Minimum Viable Capabilities (MVC) are lacking. This overlay transforms static alignment into dynamic assurance.
CPD as the Organizing Principle
The six functions of NIST CSF — Govern, Identify, Protect, Detect, Respond, and Recover — are often implemented in isolation. But resilience isn’t about individual functions. It’s about sustaining digital business value.
The Create, Protect, Deliver (CPD) Model reframes the NIST CSF through outcomes:
- Create: design and build services with resilience from the start.
- Protect: safeguard them through monitoring, controls, and rehearsed responses.
- Deliver: ensure continuity and recovery while preserving trust.
Viewed through CPD, the NIST CSF functions become building blocks for capabilities that reinforce one another.
For example:
- Respond is not just a plan on paper but rehearsed workflows that demonstrate recovery times and escalation effectiveness.
- Recover is not simply restoring data but proving services return within governance-defined thresholds.
NIST CSF gives the map. CPD ensures the journey remains focused on value.
From Controls to Assurance Evidence
At the heart of this shift lies the difference between controls and assurance.
Controls such as firewalls, access rules, and backup procedures offer comfort; assurance builds confidence through evidence that those controls actually perform under stress.
This is where the QO–QM (Question Outcome–Question Metric) model becomes vital:
- Outcome (fit for purpose): “Customer services must be available within four hours of disruption.”
- Metric (fit for use): “In the last three rehearsals, recovery averaged 2.5 hours.”
The gap between the two drives innovation and incremental capability development. Embedding QO–QM within DVMS ensures that NIST CSF is more than alignment — it becomes a system of evidence.
Practical Example: NIST CSF in Action
Consider the common board directive: “Ensure resilience against a ransomware attack.”
Policy intent: Ransomware framed as a business risk tied to trust and continuity.
NIST CSF alignment: Identify assets, Protect with backups and access controls, Detect anomalies, Respond with playbooks, Recover systems.
DVMS/CPD operationalization:
- Create: Systems designed with segmentation, redundancy, and secure backups.
- Protect: Teams rehearse ransomware response, test detection, and refine controls.
- Deliver: Recovery performance measured against thresholds, evidence reported to governance.
When disruption occurs, managers don’t just verify that controls were in place; they also ensure that they are effective. They demonstrate recovery happened promptly, escalation was effective, and trust remained intact.
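The QO–QM gap and the ransomware recovery example above both come down to the same check: compare what governance declared (the outcome threshold) against what rehearsals actually produced (the metric), and report the gap as evidence rather than as a control list. The script below is an added illustration, not code from the article or from the DVMS Institute; the rehearsal records, the four-hour outcome, the fifteen-minute escalation target and the service name are all constructed for the example. It also shows a caveat the paragraph only implies: a comfortable average (2.5 hours here) can hide an individual rehearsal that breached the outcome, so the evidence must report worst case and breach count, not only the mean.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Governance intent (QO, fit for purpose): services restored within four hours
# of disruption, and the incident escalated to its accountable owner within
# fifteen minutes. Both thresholds are assumptions for this example.
OUTCOME_RECOVERY = timedelta(hours=4)
OUTCOME_ESCALATION_MINUTES = 15


@dataclass(frozen=True)
class Rehearsal:
    """One rehearsed ransomware recovery for a single digital service."""
    service: str
    disrupted: datetime
    restored: datetime
    escalated_after_minutes: int  # time until the accountable owner was engaged

    @property
    def recovery(self) -> timedelta:
        return self.restored - self.disrupted


# Constructed rehearsal log (hypothetical data, not from the article).
# Mean recovery is 2.5 h, matching the article's metric, but one rehearsal
# took 5 h and breached the four-hour outcome.
REHEARSALS = [
    Rehearsal("customer-portal", datetime(2025, 1, 14, 9, 0), datetime(2025, 1, 14, 11, 0), 12),
    Rehearsal("customer-portal", datetime(2025, 2, 18, 9, 0), datetime(2025, 2, 18, 14, 0), 45),
    Rehearsal("customer-portal", datetime(2025, 3, 12, 9, 0), datetime(2025, 3, 12, 9, 30), 8),
]


def qo_qm_evidence(rehearsals, recovery_threshold=OUTCOME_RECOVERY,
                   escalation_minutes=OUTCOME_ESCALATION_MINUTES):
    """Measure rehearsal results (QM) against the governance outcome (QO).

    Returns a summary that states the average, the worst case, how many
    rehearsals breached the outcome, and the capability gap in hours that
    incremental development has to close.
    """
    if not rehearsals:
        raise ValueError("no rehearsal evidence: an unrehearsed plan is an artifact")

    seconds = [r.recovery.total_seconds() for r in rehearsals]
    avg_hours = sum(seconds) / len(seconds) / 3600
    worst_hours = max(seconds) / 3600
    recovery_breaches = [r for r in rehearsals if r.recovery > recovery_threshold]
    escalation_breaches = [r for r in rehearsals
                           if r.escalated_after_minutes > escalation_minutes]
    threshold_hours = recovery_threshold.total_seconds() / 3600

    return {
        "rehearsals": len(rehearsals),
        "average_hours": round(avg_hours, 2),
        "worst_hours": round(worst_hours, 2),
        "recovery_breaches": len(recovery_breaches),
        "escalation_breaches": len(escalation_breaches),
        # Fit for purpose only if every rehearsal met both outcomes.
        "fit_for_purpose": not recovery_breaches and not escalation_breaches,
        # The gap between declared outcome and worst observed metric.
        "gap_hours": round(max(0.0, worst_hours - threshold_hours), 2),
    }


def evidence_statement(summary) -> str:
    """Render the summary as the sentence a board should receive."""
    verdict = "meets" if summary["fit_for_purpose"] else "does not yet meet"
    return (f"{summary['rehearsals']} rehearsals: average recovery "
            f"{summary['average_hours']} h, worst {summary['worst_hours']} h, "
            f"{summary['recovery_breaches']} recovery breach(es), "
            f"{summary['escalation_breaches']} escalation breach(es); "
            f"capability {verdict} the outcome (gap {summary['gap_hours']} h).")


if __name__ == "__main__":
    print(evidence_statement(qo_qm_evidence(REHEARSALS)))
```

Reporting only "recovery averaged 2.5 hours" would read as success; the summary instead exposes one five-hour recovery and one slow escalation, which is the gap that drives the next increment of capability development.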
AI and the New Assurance Frontier
For years, scale has been a significant barrier to implementing assurance. Continuous monitoring, scenario testing, and real-time reporting were perceived as too burdensome for most organizations.
That is changing. Advances in AI and agentic automation are lowering the “burden of assurance.” AI-powered monitoring systems continuously detect anomalies. Automated recovery testing confirms continuity capabilities. Agentic systems produce QO–QM evidence in real-time.
With these tools, assurance moves from occasional reports to continuous proof. For managers, this means NIST CSF can finally be implemented at scale — not just adopted. For boards, it means that assurance evidence becomes part of governance discussions in real-time.
The Manager’s Paradigm Shift
Operationalizing NIST CSF through DVMS requires a profound shift in mindset:
- From adopting NIST CSF → to adapting it through DVMS.
- From alignment and reports → to capabilities and evidence.
- From static maps → to living systems.
As Thriving on the Edge of Chaos reminds us, leadership is about turning complexity into clarity. Managers demonstrate leadership when they transform frameworks into systems that prove resilience.
The Executive Question for Managers
In the Assurance Mandate whitepaper, the call to boards was clear: move from Governance, Risk, and Compliance (GRC) to Governance, Resilience, and Assurance (GRA).
Now, the call to managers is equally clear: can you demonstrate that frameworks like NIST CSF are being adopted and adapted through DVMS?
The key question is simple:
- Are you presenting NIST CSF as artifacts — audit results, control lists, maturity scores?
- Or as evidence — recovery metrics, continuity demonstrations, resilience under pressure?
The first provides comfort. The second builds confidence.
From Map to Living System
The NIST CSF has always been a guide, not a fixed endpoint. The Digital Value Management System ensures it becomes a dynamic system—where governance goals shape workflows, capabilities develop through MVC, and assurance evidence demonstrates resilience.
For managers, the shift is clear: stop viewing the NIST CSF as the endpoint. Begin using it as a foundation for systems that generate value during disruption.
Looking Ahead
In the following article of the Assurance in Action Series, we’ll expand on this theme with “Closing the Loop: From Controls to Assurance Evidence.” We will examine how DVMS ensures that every control generates measurable proof of resilience — the evidence boards need to govern confidently in an era of ongoing disruption.
About the Author

Dave is the Executive Director of the DVMS Institute.
Dave spent his “formative years” on US Navy submarines. There, he learned complex systems, functioning in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.
DVMS Cyber Resilience Professional Accredited Certification Training
Teaching Enterprises How to Govern, Assure, and Account for Operational Resilience in Living Digital Ecosystems
Moving From Paper to Practice-Based Operational Resilience
Explainer Video – Governing By Assurance
Despite an abundance of frameworks, metrics, and dashboards, many leaders still lack a clear line of sight into how their digital value streams perform when conditions deteriorate.
Strategic intent, organizational structures, and day-to-day behaviors are evaluated separately, producing static snapshots that fail to reveal how decisions, dependencies, and human actions interact within a dynamic digital system.
The result is governance that appears comprehensive in documentation yet proves fragile under pressure, leaving leaders to reconcile disconnected controls rather than systematically strengthen operational resilience.
What is needed is a framework-agnostic operating overlay that enables operational resilience to be governed, assured, and accounted for coherently across complex, living digital ecosystems.
DVMS Institute White Papers – The Assurance Mandate Series
Explainer Video – From Compliance Rituals to Evidence-Based Resilience
The whitepapers below present a clear progression from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Together, they define an evidence-based approach to building and governing resilient digital enterprises.
The Assurance Mandate Paper explains why traditional compliance artifacts offer reassurance, not proof, and challenges boards to demand evidence that value can be created, protected, and delivered under stress.
The Assurance in Action Paper shows how DVMS turns intent into execution by translating outcomes into Minimum Viable Capabilities, aligning frameworks through the Create–Protect–Deliver model, and producing measurable assurance evidence of real performance.
The Governing by Assurance Paper extends this model to policy and regulation, positioning DVMS as a learning overlay that links governance intent, operational capability, and auditable evidence—enabling outcome-based governance and proof of resilience through measurable performance data.
The Digital Value Management System® (DVMS)
Explainer Video – What is a Digital Value Management System (DVMS)
The DVMS is an overlay management system that governs, assures, and accounts for operational resilience in complex, living digital ecosystems. It does so by ensuring living-system outcomes account for paper-system intent.
At its core, the DVMS is a simple but powerful integration of:
- Governance Intent – shared expectations and accountabilities
- Operational Capabilities – how the digital business performs
- Assurance Evidence – proof that outcomes are achieved and accountable
- Cultural Learning – for governance intent and operational capability fine-tuning
Underpinning this integration are three distinctive DVMS models:
Create, Protect, and Deliver (CPD) – The CPD Model™ is a systems-based model within the DVMS that links strategy-risk and governance to execution to create, protect, and deliver digital business value as an integrated, continuously adaptive capability.
3D Knowledge (3DK) – The 3D Knowledge Model is a systems-thinking framework that maps team knowledge over time (past, present, future), cross-team collaboration, and alignment to strategic intent to ensure that organizational behavior, learning, and execution remain integrated and adaptive in delivering digital business value.
Minimum Viable Capabilities (MVC) – The Minimum Viable Capabilities (MVCs) model supports the seven essential, system-level organizational capabilities—Govern, Assure, Plan, Design, Change, Execute, and Innovate—required to reliably create, protect, and deliver digital business value in alignment with strategy-risk intent.
The models work together to enable the following organizational capabilities:
A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance across every system responsible for digital value.
A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.
A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.
DVMS Benefits – Organizational and Leadership
Explainer Video – DVMS Organization and Leadership Benefits
Instead of replacing existing operational frameworks and platforms, the DVMS elevates them, connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.
By adopting a DVMS, enterprises are positioned to:
- Maintain Operational Stability Amidst Constant Digital Disruption
- Deliver Digital Value and Trust Across A Digital Ecosystem
- Satisfy Critical Regulatory and Certification Requirements
- Leverage Cyber Resilience as a Competitive Advantage
The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.
For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.
For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.
For the CIO, CRO, CISO, and Auditors, an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.
DVMS – Accredited Certification Training Program
Explainer Video – The DVMS Training Pathway to Cyber Resilience
The Digital Value Management System® (DVMS) training programs teach leadership, practitioners, and employees how to integrate fragmented systems into a unified, culture-driven governance and assurance system that accounts for the resilience of digital value within a living digital ecosystem.
DVMS Cyber Resilience Awareness Training
The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
DVMS NISTCSF Cyber Resilience Foundation Certification Training
The DVMS NISTCSF Cyber Resilience Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.
DVMS Cyber Resilience Practitioner Certification Training
The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.
A FastTrack Approach to Launching Your DVMS Program
Explainer Video – Scaling a DVMS Program
The DVMS FastTrack approach is a phased, iterative approach that helps organizations mature their DVMS over time, rather than trying to do everything simultaneously.
This approach breaks the DVMS journey into manageable phases of success. It all starts with selecting the first digital service you want to make cyber resilient. Once that service becomes resilient, it becomes the blueprint for operationalizing cyber resilience across the enterprise and its supply chain.
Company Brochures and Presentation
Explainer Videos
- DVMS Architecture Video: David Moskowitz explains the DVMS System
- DVMS Case Study Video: Dr. Joseph Baugh Shares His DVMS Story.
- DVMS Overlay Model – What is an Overlay Model
- DVMS MVC ZX Model – Powers the CPD
- DVMS CPD Model – Powers DVMS Operations
- DVMS 3D Knowledge Model – Powers the DVMS Culture
- DVMS FastTrack Model – Enables A Phased DVMS Adoption
Digital Value Management System® is a registered trademark of the DVMS Institute LLC.
© DVMS Institute 2025 All Rights Reserved