Cybersecurity Directory: Purpose and Scope

The Information Security Authority cybersecurity directory organizes publicly available information about security service categories, regulatory frameworks, practitioner qualifications, and threat disciplines relevant to US-based organizations. This page defines the directory's geographic reach, the logic behind its listing structure, the standards applied to inclusion decisions, and the process by which records are reviewed and updated. Professionals navigating the cybersecurity service sector, researchers mapping the regulatory landscape, and organizations benchmarking their security posture against recognized standards will find the directory's scope and limits defined here.


Geographic Coverage

The directory operates at national scope, covering the United States as a unified regulatory and service market. Federal frameworks — including the NIST Cybersecurity Framework (CSF), FISMA (44 U.S.C. § 3551 et seq.), and sector-specific regulations published by agencies such as the Department of Health and Human Services under HIPAA (45 CFR Parts 160 and 164) — apply broadly across jurisdictions and form the primary regulatory layer indexed here.

State-level variation is acknowledged where it materially affects service category structure. All 50 states have enacted data breach notification statutes, each with distinct trigger thresholds, notification timelines, and covered entity definitions, as documented by the National Conference of State Legislatures. The directory names these statutory instruments and links to breach notification requirements without interpreting their application to specific fact patterns.

Critical infrastructure sectors — defined across 16 categories by the Cybersecurity and Infrastructure Security Agency (CISA) — receive dedicated coverage. Sector-specific security obligations for energy, healthcare, financial services, and water systems differ from general commercial requirements. The directory's coverage of critical infrastructure protection and OT/ICS security reflects those structural distinctions.

Listings do not extend to non-US regulatory instruments (e.g., the EU's NIS2 Directive or UK Cyber Essentials scheme) except where a US-based organization's compliance obligations explicitly require engagement with cross-border frameworks.


How to Use This Resource

The directory is structured as a reference index, not a procurement tool or ranked comparison engine. Readers navigating the directory fall into three primary categories:

  1. Service seekers — Organizations or procurement officers mapping the cybersecurity vendor landscape against a specific functional need, such as security operations center capabilities, penetration testing providers, or managed detection and response services.
  2. Compliance researchers — Legal, audit, and risk teams cross-referencing regulatory obligations against recognized frameworks, including information security frameworks and cybersecurity compliance requirements.
  3. Workforce and credentialing professionals — Practitioners and hiring managers reviewing the qualifications landscape indexed under cybersecurity certifications and cybersecurity workforce categories.

The cybersecurity listings section organizes entries by service function, not by vendor name or product line. Each category page describes the service type's functional definition, the professional qualifications typically associated with it, and the regulatory or standards contexts in which it operates. The cybersecurity vendor categories reference provides a crosswalk between functional categories and market segment terminology.

The directory does not replace licensed professional judgment. Listings describe publicly documented frameworks, agency mandates, and industry categories — they do not constitute legal, compliance, or procurement advice.


Standards for Inclusion

Inclusion in the directory requires that a listed category, framework, certification body, or regulatory instrument meet at least one of the following four criteria:

  1. Formal recognition by a named federal or state authority — Examples include frameworks published by NIST (csrc.nist.gov), mandates enforced by the Federal Trade Commission under 15 U.S.C. § 45, or sector rules issued by the Securities and Exchange Commission under its 2023 cybersecurity disclosure rules (17 CFR Parts 229 and 249).
  2. Adoption by a recognized standards body — Including the International Organization for Standardization (ISO/IEC 27001), the Center for Internet Security (CIS Controls), the SANS Institute, or (ISC)², ISACA, and CompTIA for credentialing categories.
  3. Operational prevalence at scale — Service categories that appear as line items in formal RFP structures, federal acquisition vehicles (e.g., GSA Schedule 70), or industry analyst frameworks such as those published by Gartner or Forrester qualify on the basis of documented market function.
  4. Direct linkage to a regulatory enforcement action or statutory obligation — Categories tied to CISA's Binding Operational Directives, HHS Office for Civil Rights enforcement under HIPAA, or FINRA cybersecurity examination priorities are included on the basis of regulatory mandate.

Categories that consist solely of vendor marketing terminology without an independent standards definition, regulatory anchor, or professional credentialing body are excluded. The distinction between an established service category — such as identity and access management, which maps to NIST SP 800-63 and ISO/IEC 24760 — and a proprietary product label is enforced at the editorial level.


How the Directory Is Maintained

Directory records are reviewed against source documents held at named authoritative bodies. NIST publications, CISA advisories, and statutory texts at ecfr.gov serve as primary reference anchors. When a framework is revised — for example, when NIST released Cybersecurity Framework version 2.0 in February 2024, expanding its scope from critical infrastructure to all organizations — affected category pages are updated to reflect the current version.

The maintenance process applies four discrete review triggers:

  1. Statutory or regulatory amendment — New or amended federal rules that alter the scope, definition, or enforcement posture of a covered category prompt immediate record review.
  2. Standards body version release — New major versions of indexed standards (e.g., CIS Controls v8, ISO/IEC 27001:2022) trigger updates to the affected category and any cross-referenced entries.
  3. Periodic structural audit — All listings undergo full structural review on a defined cycle to confirm that category boundaries, named credentialing bodies, and regulatory citations remain accurate.
  4. Reader-submitted discrepancy reports — Documented errors in statutory citations, framework version numbers, or agency names are reviewed against primary sources before correction.

The directory does not reproduce proprietary vendor documentation, real-time threat intelligence, or live vulnerability data. Live indicators of compromise and active CVE patch timelines are maintained by the CISA Known Exploited Vulnerabilities Catalog and the NIST National Vulnerability Database — those sources are referenced within relevant category pages but are not duplicated here.

Entries covering emerging or contested categories — such as cyber risk management quantification methodologies or cybersecurity maturity models where multiple competing frameworks coexist — include explicit notation of definitional boundaries and the specific body whose definition governs the listing.

Citations verified Feb 25, 2026.
