The Strategic Fallacy of NIST's Sixth Function: What Jomini Would Say About Adding "Governance"
All views in this newsletter are my own and do not represent the views of The R Street Institute, the US Navy, or any other organization I am affiliated with.
In 1838, Baron Antoine-Henri Jomini wrote that "nothing is so important in war as an undivided command." The great Swiss-French strategist didn't pull this concept from thin air; it was built on his observation of Napoleon's early victories. He noticed that Bonaparte's military dominance came from organizational simplicity. Napoleon had set up clear lines of authority that enabled rapid decision-making and execution at appropriate levels. As the scope of the Napoleonic Wars expanded, the Grande Armée showed a corresponding increase in size and complexity. Layers of bureaucracy were added, competing authorities emerged, and Napoleon's forces lost the very qualities that made them so dominant. A swift, decisive force transformed into a lumbering giant, and its defeat can be explained as much by its own organizational complexity as by enemy action.
Today, cybersecurity leaders in the United States are making the identical mistake. In 2024, the National Institute of Standards and Technology (NIST) released Version 2.0 of its Cybersecurity Framework. This update added "Govern" as a sixth core function in an effort to emphasize the "organizational structures, roles, and responsibilities required to oversee cybersecurity effectively"; the new function "encompasses leadership involvement, stakeholder alignment, and the development of governance frameworks."
This represents a profound misunderstanding of strategic problems that is all too common in the US. When cybersecurity fails, we instinctively assume that lack of oversight was the root cause and respond by adding another organizational layer. This in turn requires more coordination, more governance, more oversight. The point the US misses, and that Jomini understood, is that adding layers of command typically makes coordination worse, not better.
When Adding Layers Backfires: The Department of Homeland Security Lesson
We have a perfect historical example of this dynamic in action. After September 11, 2001, policymakers identified a critical strategic problem: the domestic security apparatus lacked coordination and communication between agencies. The solution seemed obvious: all that was missing was a unified organization to coordinate everything.
Congress responded by creating the Department of Homeland Security (DHS), "a massive cabinet-level agency that consolidated 22 departments and agencies and almost 200,000 federal employees." This represented "the largest reorganization of the federal government since the late 1940s," designed to improve domestic security coordination through organizational unity.
More than twenty years later, it seems that placing such a wide variety of organizations under a single umbrella has created more problems while solving few. Rather than streamlining coordination, DHS created what analysts describe as "continual inter- and intra-agency conflict." The department struggles with overlapping jurisdictions. For example, both DHS and the Justice Department gather intelligence and share it with local law enforcement.
Despite repeated efforts to create "One DHS," the department still operates like a fragmented assortment of different agencies. The congressional committee overseeing DHS concluded that "this fractured structure makes it nearly impossible for DHS headquarters leaders to manage the department effectively or efficiently."
What went wrong? DHS violated Jomini's principle of undivided command by creating competing authorities rather than eliminating them. Instead of clarifying who was responsible for what, the reorganization added another layer that had to coordinate with existing agencies, multiplying coordination problems rather than solving them.
This isn't an inherently governmental problem. Corporate America made the same mistake after Enron, creating thousands of Chief Compliance Officer positions that produced compliance theater rather than preventing the billions in regulatory penalties we still see today.
Jomini's Strategic Principles Applied
Jomini's military insights translate directly to organizational design. His principle of "unity of command" doesn't just mean having one person make all the decisions; it means eliminating the competing authorities and overlapping jurisdictions that create coordination friction.
NIST adding a separate "Govern" function violates this principle by creating another authority that must coordinate with the existing five functions (Identify, Protect, Detect, Respond, Recover). Rather than clarifying responsibility, this diffuses it across more organizational boundaries.
Jomini also emphasized the principle of simplicity, stating that the best plans are always the simplest. Complex organizational structures, no matter how elegant on paper, break down under the stress of actual operations. The more layers you add, the more points of failure you create.
Consider what happens in practice when a cybersecurity incident occurs. Under the old framework, response teams knew to move through the five functions systematically. Under NIST 2.0, they must also consider governance requirements. This raises the questions of who has authority to make decisions, what approval processes are required, and how to coordinate with the governance function. It adds complexity at precisely the moment when simplicity is most crucial.
Historical Pattern Recognition
This isn't the first time American institutions have confused organizational restructuring with strategic improvement. The Pentagon, for example, maintains byzantine hierarchies and complex processes despite (or as the result of) several restructuring efforts over the decades. Each reorganization promises better coordination and clearer authority, yet fundamental strategic problems persist.
The pattern that emerges is quite predictable. Strategic failure occurs, organizational solutions are proposed, new layers are added, coordination becomes more complex, and the original problems persist while new coordination problems emerge, leading to new strategic failures. Jomini would recognize this as the inevitable result of violating unity of command principles.
The irony is that effective governance requires exactly what Jomini prescribed. Organizations need clear authority, simple structures, and unified command. Adding a governance function achieves the opposite. Authority becomes diffuse, structures become complex, and command divides.
What This Means For...
Policymakers: Stop assuming that organizational charts solve strategic problems. NIST's governance function will create compliance theater and do nothing to protect systems. Evidence-based policy requires measuring actual security outcomes, not governance processes. Before mandating new organizational structures, examine whether existing authorities are clear and whether resources match responsibilities.
Chief Information Security Officers: Prepare for governance requirements to consume resources without improving security posture. The new function will likely manifest as additional reporting, committee meetings, and compliance documentation. Focus on demonstrating security value through operational metrics rather than governance compliance. Document how governance overhead affects actual security activities.
U.S. strategic competition: While we add governance layers to cybersecurity, competitors are streamlining decision-making and operational authorities. China's centralized cyber governance enables rapid response and resource allocation, while our distributed governance creates decision-making friction. We're optimizing for process while they're optimizing for outcomes.
Aspiring strategic thinkers: Study Jomini's principles of unity of command and operational simplicity. These insights apply beyond military strategy to any complex organizational challenge. When facing coordination problems, the solution is rarely adding another coordination mechanism. Instead, focus on eliminating unnecessary organizational boundaries and clarifying existing authorities. Governance needs to exist within operational functions, not in layers above them.