How to Use This Cybersecurity Resource

Information Security Authority is a structured reference directory covering the cybersecurity service sector, regulatory landscape, and technical discipline categories relevant to US organizations. This page describes how the directory is organized, how content is classified and verified, and how different professional audiences can extract the most relevant material from the resource. The cybersecurity domain in the United States is governed by overlapping obligations from at least five major federal bodies — NIST, CISA, FTC, HHS, and the Department of Defense's CMMC program office — making classification precision a functional requirement, not a stylistic choice.


Feedback and updates

Content accuracy across this directory depends on alignment with named, publicly accessible standards documents and regulatory instruments. The primary reference sources used for technical and regulatory grounding include:

  1. NIST (National Institute of Standards and Technology) — Cybersecurity Framework (CSF) 2.0 and the SP 800 publication series, hosted at csrc.nist.gov
  2. CISA (Cybersecurity and Infrastructure Security Agency) — advisories, the Known Exploited Vulnerabilities (KEV) catalog, and sector-specific guidance at cisa.gov
  3. HHS Office for Civil Rights — HIPAA Security Rule technical safeguard requirements under 45 CFR Part 164
  4. FTC — Safeguards Rule provisions under 16 CFR Part 314, applicable to financial institutions and related entities
  5. DoD CMMC Program Office — Cybersecurity Maturity Model Certification requirements applicable to defense contractors

When a factual claim in any topic page becomes inconsistent with an update to a governing standard — such as a revision to NIST SP 800-53 or a new CISA advisory affecting a threat category — that page is flagged for review. Structural corrections to classification boundaries (for example, distinguishing preventive controls from detective controls within a given framework's taxonomy) are handled separately from factual updates to regulatory figures or penalty thresholds.

Substantive corrections to content on this resource can be submitted through the contact page. Submissions citing a specific named public document, statute, or framework publication receive priority review.


Purpose of this resource

Information Security Authority functions as a reference directory for the cybersecurity discipline as it operates within the United States — covering service categories, professional qualifications, regulatory frameworks, and technical control domains. It is not a vendor marketplace, a training platform, or a certification preparation tool.

The cybersecurity directory purpose and scope page defines the boundaries of this resource in detail. The core function is to describe the service and regulatory landscape with enough specificity that practitioners, researchers, and decision-makers can locate relevant frameworks, understand how sectors are classified, and identify which standards bodies or agencies govern a given domain.

Coverage spans three broad categories:

Content on this resource does not constitute legal, compliance, or professional advice. Each topic page describes a domain as it exists within public standards and regulatory instruments — the application of those standards to a specific organization requires qualified professional judgment.


Intended users

Three primary professional audiences use this directory, each with distinct research patterns:

Security practitioners and engineers — Professionals responsible for implementing or operating security controls. This audience typically enters through a technical domain (such as penetration testing, incident response, or security operations center structure) and uses the directory to cross-reference framework requirements, identify adjacent control categories, or confirm classification boundaries between overlapping disciplines.

Compliance and risk professionals — Professionals managing regulatory obligations, audit cycles, or enterprise risk programs. This audience typically enters through a regulatory lens — frameworks such as NIST CSF, HIPAA, or CMMC — and navigates toward related technical control pages or sector-specific requirements. Topic areas like cyber risk management, third-party risk management, and cybersecurity maturity models are primary reference points for this group.

Researchers, procurement officers, and organizational decision-makers — Professionals evaluating the service sector or researching vendor categories, workforce qualifications, or insurance requirements. This audience benefits most from the directory's classification structure, including distinctions between cybersecurity insurance as a risk-transfer mechanism versus security awareness training as an administrative control.

The distinction between these audiences matters because the same topic can carry different relevance depending on role. Threat intelligence, for instance, is a practitioner tool, a vendor service category, and a compliance input under frameworks like NIST SP 800-53's RA (Risk Assessment) control family — three distinct frames for the same subject.


How to navigate

The primary entry point for topical research is the Cybersecurity Listings index, which organizes cybersecurity subjects into retrievable groupings by domain category. From that index, each subject links to a topic-specific reference page.

Navigation follows a three-layer structure:

  1. Directory layer — The listings index, functioning as a classified inventory of cybersecurity subjects organized by domain: network security, identity management, incident response, compliance frameworks, and related categories.
  2. Context layer — Individual topic pages that define a subject's regulatory relevance, applicable standards, and common implementation scenarios. Each page signals its classification scope explicitly — a page covering application security will not conflate its subject with DevSecOps pipeline governance, even where the two domains intersect.
  3. Reference layer — Supporting material including regulatory citations, named agency guidance, and framework cross-references, with inline attribution to originating documents.

Three navigation paths serve different research needs:

For first-time visitors without a specific subject in mind, the information security frameworks page provides a structured overview of the major governance frameworks that shape how cybersecurity is practiced and regulated across US organizations — establishing the conceptual map that the rest of the directory elaborates.

Citations verified Feb 25, 2026
