Home  /  Empower and Protect  /  Cybersecurity isn’t the same thing as information assurance.

Cybersecurity isn’t the same thing as information assurance.

By Frank Johnson •  July 7, 2014

Last March the DoD announced the retirement of DIACAP in favor of an information-assurance approach based on NIST’s risk management framework (RMF). This transition had been anticipated for quite awhile, and was a welcome development in getting all elements of the federal government aligned on the same approach to information risk management.

But one aspect of this change has drawn little comment from the DoD’s information community: the revised DoDI 8500.01 that accompanied this change now directs that the term “cybersecurity” be used throughout the DoD instead of the term “information assurance.”

That’s a major change that bears further review. It’s one thing to rename the document itself from “Information Assurance” to “Cybersecurity” in recognition of its focus on security in the cyber domain. But to do a “global search-and-replace” on these terms across the DoD suggests that they’re either synonymous or even perhaps that cybersecurity is higher up on the evolutionary scale than IA.

In fact, cybersecurity is not the same thing as information assurance. Cybersecurity is a sub-set of information security, which itself is a sub-discipline of information assurance, which encompasses higher-level concepts such as strategy, law, policy, risk management, training, and other disciplines that transcend a particular medium or domain.

Securing Cyberspace Doesn’t Secure or Assure All Information in All Media

Both NIST and the Intelligence Community recognize these distinctions in their own instructions, special publications, and glossaries. First, NIST and the Intelligence Community define “cyberspace” as:

a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. [emphasis added]

In the same documents, both NIST and the IC define “cybersecurity” as “the ability to protect or defend the use of cyberspace from cyber attacks,” i.e.,

an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. [emphasis added]

In other words, “cybersecurity” focuses primarily on defending the infrastructure of information systems — computers, networks, and communications — and secondarily on protecting data and information within the cyber domain. Cybersecurity doesn’t include defending and protecting information outside the cyber domain, which constitutes a lot of documents and records within the DoD.

The distinction between cybersecurity and information assurance is reflected in both the NIST and IC definitions of “information assurance”:

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

This definition makes no reference to cyberspace infrastructure and encompasses all information in both digital and analog forms. Ironically, DoD has traditionally defined “information assurance” the same way, as “assuring the confidentiality, integrity, authentication, non-repudiation, and availability of information.”

However, as of March 2014, the DoD is applying that definition to the term “cybersecurity” and has also expanded the definition so that it (almost) covers “information assurance.” DoD now defines “cybersecurity” as:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. 

This new definition mashes up elements of higher-level concepts like IA and information security with references to cyber infrastructure, inflating the term “cybersecurity” to encompass concepts it doesn’t and shouldn’t address. Things like disaster-recovery planning are an awkward fit in this definition, and the security and assurance of paper-based information isn’t covered at all.

(And if “cybersecurity” now includes “restoration of” computer-and-communications infrastructure, wouldn’t any IT service technician be considered “cybersecurity personnel”?)

Are Paper Shredders Really a Cybersecurity Solution?

Sticking your head into any office at the Pentagon will reveal that information in the DoD is still recorded, shared, and stored in paper and other non-cyber media. (You could even argue that information on CDs and USB drives wouldn’t be considered “cyber” when these devices aren’t connected to a network.) The DoD also still contends to some degree with information in legacy media such as acetate film and magnetic tape. These non-cyber documents, records, and media require measures for security and assurance that don’t involve the cyber domain.

The idea of assuring and securing paper-based information may seem quaint in 2014. But paper is still a widely used medium for disseminating information within the defense community. (It certainly isn’t considered “quaint” by DoD and VA healthcare officials who deal with stacks of unprocessed paper files holding sensitive medical and personally identifiable information.)

That’s why DoD instructions for protecting classified information continue to specify how paper documents should be dated, marked, protected per the assigned classification level, and destroyed by authorized means when no longer needed. And it’s why DoD continues to specify physical security standards of storage facilities for paper records and other physical information media.

Most professionals in this field would agree that these measures have nothing to do with cybersecurity. These measures are part of information security (ensuring that the information in these media is protected from creation to destruction) and assurance (validating that the information in these media is authentic, trustworthy, and accessible).

Curiously, DoD’s previous definition of cybersecurity was even more sweeping and less precise in its inclusion of “the security of information in all its forms (electronic, physical)” [emphasis added]. However, in finally aligning its information-risk-management process with that of NIST and the IC, this was DoD’s opportunity to conform its definition of cybersecurity with theirs and leave its perfectly valid definition of information assurance intact.

Instead, in its haste to retire DIACAP and embrace the RMF, the DoD seems to have orphaned the discipline of securing and assuring information in every media or environment, including non-cyber. That could cause major concerns over time.


Fretting over the definition of information assurance vs. cybersecurity may seem like a minor point. But it’s been said that “a choice of words is a choice of worlds.” It’s important that the terminology we use in our profession truly reflects what we do in our work. It helps avoid conflict, violated expectations, inefficiencies, and gaps in the measures we put in place to assure both information and information systems.

My hope is that the powers­-that-be will soon recognize and change this decision before too much confusion ensues.




Download a comparison of definitions of information assurance, information security, and cybersecurity.



Frank Johnson

Frank Johnson is the director of strategic content at Telos Corporation. Follow him on Twitter: @fmjohnson See full bio...

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.


  • Paul Capasso Paul Capasso says:

    Our nation and DoD faces many challenges when it comes to cyberspace. One in particular has to do with definitions of terms within the cyber domain. From the beginning, definitions within the cyber realm have and continue to plague our nation today. Definitions create the field of play of how we will and can operate in cyberspace. They form the foundation of cyberspace operations, the do’s and don’ts, the right and wrong list of activities. They are the boundaries to which we must interact.

    Because they often are interdependent and touch upon every aspect of our society (political, diplomatic, economic, legal), coming to agreement on these critical definitions across the federal government has become inherently complicated. This becomes even more critical at the international level. In the absence of commonly agreed upon definitions and the lack of direct translations of specific terms, the whole concept of cyber security can go up in flames and impede international agreements and policies. The bottom line is that words matter and the sooner we get our hands around the “cyber babble” the better off we all will be.

  • Steve Sharp says:

    This is an excellent start. What I’d like to see is some examples of what makes each definition different. For example, your discussion about paper artifacts illustrates they are part of IA but not cybersecurity or IT security.

    As a side note to differences in understandings, is it cyber security or cybersecurity? My spell checker insists it is cyber security but the DOD seems to differ.

  • John Klemens John Klemens says:

    Yes, words do matter. Actions matter more. I believe the intent is not to, “…do a “global search-and-replace” on these terms across the DoD…” nor “… suggests that they’re either synonymous or even perhaps that cybersecurity is higher up on the evolutionary scale than IA.”

    My belief is that the change to cybersecurity (or cyber security) is to focus the professionals responsible for securing cyberspace and the information traversing, being processed and stored by its components to perform those actions necessary to secure the cyberspace components and by extension the information within them. Once outside the cyber domain then information security or information assurance, if you prefer, actions are required to protect that same information. Cybersecurity and information assurance are not synonymous, and shouldn’t cause confusion, they are interrelated and both must and do exist.

    Finally, everyone has security responsibilities. IT personnel–including the IT service technician mentioned, HR personnel, F&A; personnel, etc., everyone has the duty and responsibility to protect the information they have access to in cyber or physical form.

  • Frank Johnson Frank Johnson says:

    Hi, Paul,

    Thanks so much for your comments.

    This ==> “In the absence of commonly agreed upon definitions and the lack of direct translations of specific terms, the whole concept of cyber security can go up in flames and impede international agreements and policies. The bottom line is that words matter and the sooner we get our hands around the ‘cyber babble’ the better off we all will be.”

    Amen. Perfectly expressed.

  • Frank Johnson Frank Johnson says:

    Hi, Steve:

    To your second question first: DoD and most government agencies use one word, and that’s what I use. For a long time when you searched “cybersecurity,” Google would ask, “Did you mean cyber security?” But recently it has simply been returning hits on both, I guess reflecting an increasing usage of the single word on the web.

    To your first point, part of the challenge is that there is so much “borrowing” of terms in the various definitions of IS, IA, IT security, and cybersecurity. Many of the organizations that define these disciplines do so by re-purposing the “CIANA” elements (confidentiality, availability, integrity, non-repudiation and authentication). So they end up being nearly identical definitions for the different concepts. Paper-based information not being IT security or cybersecurity is just an obvious one.

    I think another area where there’s a difference (to me, anyway) is in the areas of theory and principles. In other words, I think some principles of securing and assuring information transcend media, formats, and even eras. Would a single maxim have kept the unknown Confederate courier from wrapping the battle plans for Antietam around a bunch of cigars and also kept the unknown American soldier from plugging an agent.btz-infected flash drive into the CENTCOM network? If so, that would be a higher-level principle of information security, not constrained by time or technology.

    “Information security” or “information assurance”? I think you could argue those examples both ways. When you look at the table we included with this post, or the Wikipedia entries on each, both definitions overlap each other. IS seems to refer most often to defensive measures, implying the protection of information in a potentially hostile environment, whereas IA encompasses all of that plus everything having to do with sound information “hygiene” even in a neutral context (e.g., backing up hard-drives, offsite storage of digital and paper archives, disaster recovery planning, etc.).

    What are your thoughts on the differences among them?

  • Frank Johnson Frank Johnson says:

    Hi, John,

    Thanks, very good points. I shouldn’t think DoD would want to get rid of such a useful term as “information assurance.” But it struck me that their new expanded definition of “cybersecurity,” combined with explicitly stating that the term cybersecurity “is to be used throughout DoD instead of the term ‘information assurance (IA)’,” almost implies that all DoD information is in the cyber domain, which obviously isn’t true even in 2014.

    I can appreciate their desire to re-title DODI 8500.01 from “Information Assurance” to “Cybersecurity” in order to fit more comfortably in the 8500-8599 series of issuances. But I would have expected them to also publish a new issuance — called “Information Assurance” perhaps? — that does comprehend the higher-level theory and principles of securing and assuring information in all media and formats. Because, to your concluding point, everyone indeed has security responsibilities for information in cyber AND physical form.

  • Steve Sharp says:

    The cynic in me wonders if the reason for DOD wanting to replace the term IA with Cybersecurity is based on funding. It’s called: Cyber Command not Information Assurance Command, Cyber Kill Chain not IA kill chain, etc. Cyber is much “sexier” term and you’re likely to get more budgets for training Cyber Security specialists and Cyber Defense tools than you are IA managers. Once you get our funding you can worry about any confusion caused by using cybersecurity.

  • Adventure74 says:

    DoD replaced the term “IA” with “Cybersecurity”. Debating whether IA and Cybersecurity are the same…..well, DoD made it that way for them. Commercially, they may be different. Just go with the flow and like someone said, “Cybersecurity is sexier than IA.”

  • Thelma T Wandahl-Bundesen says:

    Frank, you have a very valid concern and I appreciate your insights. I am in the process of updating our company policies and need to better understand these nuances in the hope of doing a better job on the next version of our policies.
    I was trying to download your chart but couldn’t due to server or no longer available link.

    Would you mind sharing your chart?

    Please advise.

    Thank you,

  • Frank Johnson Frank Johnson says:

    Thank you very much for your comment and for reaching out to me. I have fixed the links to the chart and have also updated the links in the chart itself. I hope this will be of some help as you update your company policies in these areas.

Leave a Reply

Your email address will not be published.

1 × 1 =