Last March the DoD announced the retirement of DIACAP in favor of an information-assurance approach based on NIST’s risk management framework (RMF). This transition had been anticipated for quite awhile, and was a welcome development in getting all elements of the federal government aligned on the same approach to information risk management.
But one aspect of this change has drawn little comment from the DoD’s information community: the revised DoDI 8500.01 that accompanied this change now directs that the term “cybersecurity” be used throughout the DoD instead of the term “information assurance.”
That’s a major change that bears further review. It’s one thing to rename the document itself from “Information Assurance” to “Cybersecurity” in recognition of its focus on security in the cyber domain. But to do a “global search-and-replace” on these terms across the DoD suggests that they’re either synonymous or even perhaps that cybersecurity is higher up on the evolutionary scale than IA.
In fact, cybersecurity is not the same thing as information assurance. Cybersecurity is a sub-set of information security, which itself is a sub-discipline of information assurance, which encompasses higher-level concepts such as strategy, law, policy, risk management, training, and other disciplines that transcend a particular medium or domain.
Securing Cyberspace Doesn’t Secure or Assure All Information in All Media
Both NIST and the Intelligence Community recognize these distinctions in their own instructions, special publications, and glossaries. First, NIST and the Intelligence Community define “cyberspace” as:
a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. [emphasis added]
In the same documents, both NIST and the IC define “cybersecurity” as “the ability to protect or defend the use of cyberspace from cyber attacks,” i.e.,
an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. [emphasis added]
In other words, “cybersecurity” focuses primarily on defending the infrastructure of information systems — computers, networks, and communications — and secondarily on protecting data and information within the cyber domain. Cybersecurity doesn’t include defending and protecting information outside the cyber domain, which constitutes a lot of documents and records within the DoD.
The distinction between cybersecurity and information assurance is reflected in both the NIST and IC definitions of “information assurance”:
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
This definition makes no reference to cyberspace infrastructure and encompasses all information in both digital and analog forms. Ironically, DoD has traditionally defined “information assurance” the same way, as “assuring the confidentiality, integrity, authentication, non-repudiation, and availability of information.”
However, as of March 2014, the DoD is applying that definition to the term “cybersecurity” and has also expanded the definition so that it (almost) covers “information assurance.” DoD now defines “cybersecurity” as:
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
This new definition mashes up elements of higher-level concepts like IA and information security with references to cyber infrastructure, inflating the term “cybersecurity” to encompass concepts it doesn’t and shouldn’t address. Things like disaster-recovery planning are an awkward fit in this definition, and the security and assurance of paper-based information isn’t covered at all.
(And if “cybersecurity” now includes “restoration of” computer-and-communications infrastructure, wouldn’t any IT service technician be considered “cybersecurity personnel”?)
Are Paper Shredders Really a Cybersecurity Solution?
Sticking your head into any office at the Pentagon will reveal that information in the DoD is still recorded, shared, and stored in paper and other non-cyber media. (You could even argue that information on CDs and USB drives wouldn’t be considered “cyber” when these devices aren’t connected to a network.) The DoD also still contends to some degree with information in legacy media such as acetate film and magnetic tape. These non-cyber documents, records, and media require measures for security and assurance that don’t involve the cyber domain.
The idea of assuring and securing paper-based information may seem quaint in 2014. But paper is still a widely used medium for disseminating information within the defense community. (It certainly isn’t considered “quaint” by DoD and VA healthcare officials who deal with stacks of unprocessed paper files holding sensitive medical and personally identifiable information.)
That’s why DoD instructions for protecting classified information continue to specify how paper documents should be dated, marked, protected per the assigned classification level, and destroyed by authorized means when no longer needed. And it’s why DoD continues to specify physical security standards of storage facilities for paper records and other physical information media.
Most professionals in this field would agree that these measures have nothing to do with cybersecurity. These measures are part of information security (ensuring that the information in these media is protected from creation to destruction) and assurance (validating that the information in these media is authentic, trustworthy, and accessible).
Curiously, DoD’s previous definition of cybersecurity was even more sweeping and less precise in its inclusion of “the security of information in all its forms (electronic, physical)” [emphasis added]. However, in finally aligning its information-risk-management process with that of NIST and the IC, this was DoD’s opportunity to conform its definition of cybersecurity with theirs and leave its perfectly valid definition of information assurance intact.
Instead, in its haste to retire DIACAP and embrace the RMF, the DoD seems to have orphaned the discipline of securing and assuring information in every media or environment, including non-cyber. That could cause major concerns over time.
Fretting over the definition of information assurance vs. cybersecurity may seem like a minor point. But it’s been said that “a choice of words is a choice of worlds.” It’s important that the terminology we use in our profession truly reflects what we do in our work. It helps avoid conflict, violated expectations, inefficiencies, and gaps in the measures we put in place to assure both information and information systems.
My hope is that the powers-that-be will soon recognize and change this decision before too much confusion ensues.
Download a comparison of definitions of information assurance, information security, and cybersecurity.