Date: 2021-12-17

The federal government is a behemoth. I’m not revealing anything there. You know it’s a trillion-dollar enterprise with millions of personnel supporting it. It may not be the biggest national government operation. It may be though. I’m not researching that for you because you don’t need the details. Also, it may be a snipe hunt, trying to gauge the vastness of the U.S. government administration.
The Administrative Conference of the United States is an independent federal agency designed to make the government work better. Its website self-touts that “Its membership is composed of innovative federal officials and experts....” It was established in 1964 in order to “promote improvements in the efficiency, adequacy, and fairness of the procedures by which federal agencies conduct regulatory programs….” The ACUS is sort of a quality controller for this massive operation.
As part of its nearly mystical charge to improve the countless operations and actors that make our government hum, it publishes the Sourcebook of United States Executive Agencies. That, it may seem, would be a dandy place to start understanding the vastness. The question of how many agencies make up the federal government is both a tired one and one without an answer, it appears. In the ACUS’s so-called sourcebook, it admits that “[T]here is no authoritative list of government agencies.”
Looking at various other sources, the numbers range from fewer than 100, which denotes a specific definition of “agency,” to over 400. When the sourcebook says there’s no telling, it shouldn’t shock anyone that even the Federal Register, the official record of agencies’ rules, presented competing counts. The Register’s list was at 440 on paper and at the same time its online list only rose to around 300.
How big is the U.S. government? No one knows, at least in terms of how many agencies make up the beast.
I’m not writing today about this. This issue arose as I was preparing my weekly missive. It was surprising in and of itself, but it really is more trivia. It’s not worth the snipe hunt. My quest to learn that simple count arose while writing about one agency, the National Institute of Standards and Technology. Among federal government machinations, NIST is a non-regulatory agency within the Department of Commerce. Commerce, and certainly NIST, are meant to help promote American competitiveness and innovation.
One of NIST’s many responsibilities is to establish and maintain the federal government’s Cybersecurity Framework. Those rules guide all the agencies to protect our precious information, and to protect the more serious, national security bent line of data above all. It’s critical, omnipresent guidance that affects the entirety of the government. That level of influence is what aimed me at the rabbit hole of counting agencies.
Forget how many agencies there are. Do realize, though, that this NIST business, as much as Treasury’s currency production, has the tendency to affect every single federal operation. You should be impressed.
NIST’s Cybersecurity Framework must provide security and defenses against cyber-threats. It must be applicable to nearly all of the agencies within America’s governmental operations. It must be tested and improved. It is continuously being tested by the bad actors. Hackers from the lowliest solo act in their proverbial basement to the most sophisticated, nation-state backed teams of highly trained technologists are constantly bombarding (and breaching) the defenses put up by our own nation-state backed teams. It can truly be seen as digital warfare at this stage of our technological evolution.
The Cybersecurity Framework seems, to me, to have come into action a little late. You may think that (a) with the sensitivity of governmental data and intelligence, coupled to (b) the fact that America is an ever-present target for all sorts of hackers, and knowing that (c) for at least 40 or 50 years the hacking culture and communities have been growing, evolving themselves, and having become more successful than ever, this framework guidance has been in play for decades too. You would have to surmise that, like technology itself, the framework is constantly improving.
NIST’s Cybersecurity Framework was first published in 2014, not in the Nineties or earlier. It’s pages and pages, books even, but it can all be boiled down into understandable components. Any given federal agency takes in the Framework’s Tiers, one of the three main breakdowns. The Cybersecurity Framework Tiers guide an agency to apply its management approach in an organized way. This, essentially, helps variously sized agencies incorporate the Framework somewhat uniformly. The second breakdown is the Framework’s Profile. That also leads to each agency’s management of the Framework and its place within the entity, all toward being better at cybersecurity defense.
The third major component is where the action is: NIST’s Cybersecurity Framework Core. The Core further organizes the Framework into five overarching functions. In the Core’s Identify function, the agencies evaluate their assets, the various security roles, and other ways to identify the work in terms of security. Then comes the Protect function, self-explanatory. Detect is the function that relates to even knowing when you’re under attack. The Respond function guides agencies about what to do when they are attacked. Finally, the Framework’s Core ends on Recover.
Three areas of guidance, one of which expands to five functional security protocols, all applicable to hundreds of agencies. This is good organization. Or, it was a good start. Now, eight years and countless attacks later, it is finally getting an update. There have been edits and slight improvements along the way, but the real problem, hopefully soon to be rectified, is that in those eight years the hackers updated their strategies daily. Maybe not knowing how many agencies there are is less meaningful than I posited, but it’s a symbol of the bigness. Bigness also contributes to why our Cybersecurity Framework maybe came late, and definitely needs more frequent attention and improvement.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
