How to Use This Information Security Resource
Information Security Authority is a structured reference directory covering the cybersecurity service sector, the professional categories that operate within it, and the regulatory obligations that govern US organizations. The directory spans technical discipline categories, licensing and qualification standards, and the federal and state frameworks that define compliance expectations. The cybersecurity domain in the United States involves overlapping obligations from at least five major federal bodies — NIST, CISA, FTC, HHS, and the Department of Defense's CMMC program office — making precise classification a functional requirement for anyone conducting vendor research, compliance mapping, or policy analysis.
How to navigate
The directory is organized around service categories, regulatory domains, and professional credential structures rather than alphabetical listing or vendor-driven groupings. Readers approaching the resource for the first time should begin with the Information Security Directory: Purpose and Scope page, which establishes the structural boundaries of what is and is not covered, how service categories are delineated, and how the directory relates to named external standards bodies including NIST, CISA, and ISO/IEC.
Navigation follows a three-layer structure:
- Domain-level categories — broad disciplinary areas such as network security, endpoint protection, identity and access management, and incident response
- Service-type classifications — distinctions between managed services, professional services, consulting engagements, and technology product categories within each domain
- Regulatory framing — cross-references to the specific federal frameworks, statutes, or agency guidance instruments that apply to each category
Professional audiences — including security practitioners, procurement officers, compliance managers, and policy researchers — will find the regulatory framing layer the most operationally relevant. Content in that layer is grounded in named instruments such as NIST SP 800-53 Rev 5, the HIPAA Security Rule under 45 CFR Part 164, and FTC Safeguards Rule provisions under 16 CFR Part 314.
What to look for first
The starting point depends on the reader's purpose. Three primary use patterns describe how this directory is typically engaged:
- Compliance mapping — Readers identifying which controls or service categories apply to a specific regulatory obligation should start with the regulatory framing sections, which cross-reference the originating statute or framework for each requirement. CISA's Known Exploited Vulnerabilities (KEV) catalog and NIST's Cybersecurity Framework (CSF) 2.0 are the two most referenced external instruments.
- Vendor or service evaluation — Readers assessing service providers should consult the Information Security Listings section, which presents categorized entries with classification context rather than promotional descriptions.
- Credential and qualification research — Readers evaluating practitioner qualifications, certifications, or licensing requirements will find structured breakdowns of credential categories, including distinctions between vendor-neutral certifications (such as CISSP from ISC², or CISM from ISACA) and vendor-specific technical certifications.
A meaningful contrast in credential classification: vendor-neutral certifications assess domain-level competency and are awarded by independent bodies, while vendor-specific certifications assess proficiency in a particular company's products and are issued by that company. Both kinds typically publish an exam blueprint and impose recertification or continuing-education requirements, so the distinction is one of scope rather than rigor. The two categories are not treated as interchangeable in compliance documentation or procurement qualification criteria.
How information is organized
Content published in this directory follows a classification framework with discrete review stages before inclusion:
- Source identification — Each factual claim is traced to a named public document, statute, or standards publication. No unattributed statistics, fabricated regulatory citations, or vendor-sourced claims without named corroboration appear in directory content.
- Classification boundary review — Content distinguishing between control types — such as preventive versus detective controls, or the HIPAA Security Rule's administrative safeguards under 45 CFR §164.308 versus its technical safeguards under 45 CFR §164.312 — is checked against the originating framework's own taxonomy rather than secondary interpretation.
- Regulatory currency assessment — Where a statute or framework version is material to the classification, the specific version is named. For example, references to the NIST Cybersecurity Framework distinguish between CSF 1.1 and CSF 2.0, which introduced the Govern function as a sixth core function alongside the original five.
The Information Security Listings section organizes entries by service category and regulatory domain simultaneously, allowing a reader to identify, for instance, which managed detection and response providers operate under frameworks relevant to CMMC Level 2 requirements versus those structured around HIPAA technical safeguard obligations — two overlapping but structurally distinct compliance environments.
Limitations and scope
This directory covers the US national cybersecurity service sector. It does not extend to international procurement frameworks, non-US regulatory instruments, or state-level licensing and statutory regimes beyond the federal baseline. Where state-level obligations are material, such as the California Consumer Privacy Act (CCPA) or New York's SHIELD Act, those statutes are referenced in context but are not the primary organizational axis.
The directory does not constitute legal advice, compliance certification, or professional recommendation. Regulatory interpretation for specific organizational circumstances requires qualified legal or security counsel. Named agencies and frameworks — including CISA, NIST, HHS Office for Civil Rights, and the FTC — maintain authoritative primary sources that supersede any secondary classification published here.
Content scope excludes physical security systems, operational technology (OT) security outside of crossover with IT network environments, and classified government cybersecurity programs not publicly documented through named agency publications. The distinction between IT security and OT/ICS security is material: OT environments, which are covered by CISA's ICS advisories (formerly issued as ICS-CERT) and, for the bulk electric system, by NERC CIP standards, operate under different threat models and control architectures than the enterprise IT environments addressed by the core NIST SP 800 series (NIST SP 800-82 is the series' OT-specific guide).
Readers requiring information outside these boundaries should consult the primary agency sources directly: csrc.nist.gov for NIST publications, cisa.gov for infrastructure protection guidance, and hhs.gov/hipaa for HIPAA Security Rule requirements.