The Uruguay Cybersecurity Framework (MCU) and the NIST Cybersecurity Framework Digital Value Management System®
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
The NIST Cybersecurity Framework (NIST CSF) and the Digital Value Management System (DVMS) together provide a robust, adaptive, and scalable methodology that can help organizations in Uruguay achieve and sustain compliance with the Uruguay Cybersecurity Framework (MCU). The MCU, or Marco de Ciberseguridad del Uruguay, is Uruguay’s national cybersecurity policy framework developed under the leadership of AGESIC (Agencia de Gobierno Electrónico y Sociedad de la Información y del Conocimiento), which aims to provide clear guidelines and coordination mechanisms for government institutions and critical private sector entities to manage cybersecurity risks, protect critical infrastructure, and strengthen national resilience.
The MCU draws on global best practices and international standards, including the NIST CSF, ISO 27001, and ITU guidance, and sets forth expectations for how public and private sector organizations should govern cybersecurity, protect data and systems, respond to incidents, and foster a culture of cyber awareness. While the MCU sets the strategic policy direction for cybersecurity in Uruguay and outlines the obligations institutions must fulfill, it does not always provide specific implementation methods or operational models. The NIST CSF, especially when embedded within the DVMS framework, becomes useful as a bridge between high-level regulatory intent and actionable, measurable outcomes.
The NIST CSF is widely recognized as a flexible and outcome-based framework that organizes cybersecurity best practices into six high-level Functions: Govern, Identify, Protect, Detect, Respond, and Recover. These Functions break down further into Categories and Subcategories that define what good cybersecurity practices look like without prescribing how they must be achieved. This modularity is one of the key reasons why NIST CSF has been adopted or referenced by many national frameworks, including the MCU.
Uruguay’s MCU encourages institutions to implement a risk-based approach, conduct regular assessments, establish cybersecurity governance, and promote continuous improvement, all aligning seamlessly with NIST CSF’s structure. However, referencing the NIST CSF is not enough for many organizations, especially those with limited cybersecurity maturity or experience. They require a practical roadmap for adoption, a way to integrate cybersecurity into their business processes, and a mechanism to measure progress. This is precisely what the Digital Value Management System provides. The DVMS is a systems-thinking-based overlay that enables organizations to operationalize the NIST CSF while aligning it with strategic goals, business value delivery, and regulatory requirements like those articulated in the MCU.
The DVMS transforms the NIST CSF from a conceptual framework into a functioning, measurable system by introducing models such as the Z-X Model, the CPD (Create, Protect, Deliver) Model, and the 3D Knowledge Model. These tools enable organizations to map their existing activities and capabilities to the NIST CSF Functions and simultaneously track how they support the continuous creation, protection, and delivery of digital business value.
For example, under the MCU, agencies must maintain updated asset inventories, protect sensitive information, and define risk management policies. Using the DVMS, organizations can assess these requirements within the Plan and Design capabilities of the Z-X Model, ensuring that asset inventories are linked to strategic planning and risk-informed governance rather than just IT department checklists. The CPD Model helps these same organizations distinguish between digital value creation and the processes that protect that value, emphasizing the importance of treating cybersecurity as a quality attribute embedded in all phases of service delivery. This approach is fully consistent with MCU mandates for proactive, organization-wide risk management and fosters the type of cultural shift that AGESIC seeks across public and regulated institutions.
Moreover, the DVMS supports the phased adoption of cybersecurity controls and governance through its FastTrack model, which segments implementation into Initiate, Basic Hygiene, Expand, and Innovate phases. This allows organizations in Uruguay to align with MCU requirements gradually, starting from wherever they are in their maturity journey.
For example, a municipality in the early stages of compliance can use the Initiate phase to identify assets, define roles, and begin awareness training—key elements of the MCU’s foundational requirements—while a national ministry might operate at the Expand or Innovate levels, implementing advanced detection tools, conducting real-time risk assessments, and refining response protocols. This flexibility is critical in Uruguay, where the capabilities of government entities and private partners can vary significantly.
Additionally, DVMS incorporates the Question-Outcome–Question Metric (QO-QM) framework to ensure that cybersecurity initiatives are tied to measurable outcomes. Under the MCU, institutions are expected to conduct audits and demonstrate effectiveness through performance data. The QO-QM model allows organizations to define outcomes based on MCU obligations, ask strategic and operational questions, and identify metrics demonstrating compliance and improvement over time. It empowers institutions not only to meet requirements but to prove that their cybersecurity investments are yielding tangible improvements in resilience, governance, and service continuity.
Incident response and recovery are other critical aspects where the combination of NIST CSF and DVMS supports MCU compliance. The MCU emphasizes the need for institutions to be prepared for cyber incidents and to coordinate responses across agencies and sectors. Within NIST CSF, the Respond and Recover Functions provide guidance on planning, communications, analysis, mitigation, and lessons learned.
DVMS brings this to life by mapping these functions into actionable practice areas such as Change Coordination, Communications, Service Management, and Performance Monitoring. Organizations using DVMS can develop playbooks, clarify escalation paths, and conduct readiness exercises, all while documenting processes that align with MCU reporting and coordination expectations. Integrating sub-practice areas like Crisis Coordination, Root Cause Analysis, and Recovery Messaging ensures the response is reactive and adaptive, setting the stage for institutional learning and systemic improvement. This is particularly important given that MCU calls for continuous improvement and mandates that lessons from cyber incidents be used to strengthen institutional resilience.
DVMS also helps bridge cultural and organizational gaps, another priority area identified in the MCU. Uruguay’s framework calls for cybersecurity awareness and leadership commitment across all levels of government and industry. The NIST CSF addresses this at a high level through its Governance Categories, while the DVMS operationalizes it through the Leadership, Culture, and Accountability capabilities embedded in the Z-X Model.
With sub-practice areas such as Tone-at-the-Top, Role Clarity, and Cultural Reinforcement, DVMS enables executive leaders to model expected behaviors and integrate cybersecurity into institutional values and communication. This cultural alignment supports MCU mandates and makes compliance sustainable over time by embedding cybersecurity into the organizational DNA. The DVMS Knowledge Management component further enables institutions to capture best practices, avoid knowledge loss during staff transitions, and build long-term cyber capacity—an essential aspect for any national framework focused on resilience and sovereignty.
The NIST Cybersecurity Framework provides a foundational structure that aligns well with the MCU’s strategic goals, while the Digital Value Management System delivers the operational scaffolding to turn that structure into results. Together, they enable organizations in Uruguay to assess, implement, and continuously improve their cybersecurity capabilities in a way that is fully aligned with the MCU.
Whether the organization is a government ministry, a municipal agency, a healthcare provider, or a utility operator, the NIST CSF and DVMS approach allows them to start where they are, identify gaps, and develop the people, processes, and technologies needed to close those gaps with confidence and clarity. They also provide a common language and methodology that can be used across Uruguay’s diverse public and private sectors, facilitating coordination, transparency, and trust. As the threat landscape continues to evolve and digital transformation accelerates, this integration of global best practices and local mandates ensures that Uruguay’s cybersecurity posture is compliant, capable, resilient, and future-ready.
® DVMS Institute 2024 All Rights Reserved