Information Security Listings
The listings published on this directory cover organizations, frameworks, certification bodies, regulatory agencies, and professional practice categories operating within the US information security sector. This page documents the verification status of listed entries, identifies known coverage gaps, explains how listing categories are structured, and describes the process by which listing currency is maintained. The scope aligns with the Directory Purpose and Scope document that governs what this resource does and does not include.
Verification status
Listings are classified under one of three verification states, each reflecting a different level of source corroboration applied at the time of publication.
- Confirmed — The listed entity, framework, or body has been verified against at least one named primary source: a federal agency publication, a standards body release, a statutory register, or an official regulatory filing. Examples include entities documented by the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), or the Federal Trade Commission (FTC).
- Referenced — The entry appears in authoritative secondary sources — industry association directories, published academic curricula, or government contractor registries — but has not been independently verified against a primary regulatory or standards document.
- Pending review — Entries submitted or identified through systematic sector scanning that have not yet completed the corroboration cycle. These remain visible to support sector mapping but are flagged accordingly.
As of the last audit cycle, confirmed entries make up the largest share of listings in the regulatory bodies, standards frameworks, and certification categories. Pending review entries are concentrated in the managed security service provider and consultancy subcategories, where organizational boundaries shift more frequently than in credentialing bodies.
No listing carries an implied endorsement of any product, service, or organization. For methodology details, see How to Use This Information Security Resource.
Coverage gaps
The directory operates at national scope within the United States. Documented gaps exist in four areas.
- State-level regulatory bodies — According to the National Conference of State Legislatures' published tracker, forty-seven US states have enacted data protection or breach notification statutes, but enforcement bodies vary in how publicly they document their cybersecurity-adjacent authority. Listings for state attorneys general acting in a data protection capacity are incomplete outside the 12 states that have published dedicated consumer privacy enforcement frameworks.
- Emerging practice subcategories — Disciplines such as operational technology (OT) security, industrial control systems (ICS) hardening, and AI model security governance have formal frameworks — including NIST SP 800-82 Rev. 3 for ICS environments — but the corresponding professional services landscape is not yet comprehensively indexed here.
- International bodies with US jurisdictional reach — Entities such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which produce standards like ISO/IEC 27001 with direct application to US-based organizations, are listed at the framework level but not at the level of individual accredited certification auditors operating domestically.
- Vendor-neutral training providers — Accredited academic programs and corporate training providers whose curricula map to frameworks such as NIST SP 800-53 (Rev 5) or CISA's Workforce Development resources are underrepresented relative to the size of this market segment.
Listing categories
Listings are organized into six top-level categories, each with defined classification boundaries.
- Regulatory and enforcement bodies — Federal and state agencies with statutory authority over information security requirements. Includes CISA, the FTC, the Department of Health and Human Services Office for Civil Rights (HHS OCR, which enforces HIPAA Security Rule requirements under 45 CFR Part 164), and the Securities and Exchange Commission (SEC), which issued cybersecurity disclosure rules codified at 17 CFR Parts 229 and 249 in 2023.
- Standards and frameworks bodies — Organizations that publish control catalogs, risk management frameworks, or audit standards. Includes NIST, ISO/IEC, the Center for Internet Security (CIS), and the Payment Card Industry Security Standards Council (PCI SSC).
- Professional certification bodies — Entities that administer credentialing examinations and maintain active certificate registries. (ISC)², ISACA, CompTIA, GIAC, and EC-Council represent the 5 largest certification-issuing bodies by active certificate holder count in the US market.
- Managed security service providers (MSSPs) — Organizations delivering contracted security operations, monitoring, or incident response under service agreements. This category applies classification boundaries distinct from in-house security teams and point-solution software vendors.
- Consultancy and advisory firms — Professional services organizations providing assessment, strategy, architecture, or audit services. Listings distinguish between general IT consultancies with security practices and firms whose stated primary practice is information security.
- Research and threat intelligence organizations — Entities publishing original vulnerability research, threat actor analysis, or sector-specific risk reporting. Includes government-affiliated bodies such as CISA's advisories program and independent research institutions.
The contrast between the MSSP and consultancy categories (the fourth and fifth above) is operationally significant: MSSPs typically maintain continuous monitoring obligations under contract, while consultancy firms engage episodically. These are treated as separate listing types rather than subcategories of a single service provider classification.
How currency is maintained
Listing accuracy degrades over time in proportion to how frequently the underlying sector changes. Regulatory citations are reviewed against the Electronic Code of Federal Regulations (eCFR) on a rolling basis. Standards framework listings are updated when the issuing body publishes a new revision — for example, NIST Special Publication versioning triggers a review of all listings that cite the affected document.
The maintenance process follows four discrete phases:
- Trigger identification — A change event is logged: a regulatory amendment, a certification body reorganization, a framework revision, or a flagged submission through the contact channel.
- Source corroboration — The change is confirmed against the primary issuing authority's official publication or register before any listing is modified.
- Classification review — The updated entry is checked against category boundary definitions to determine whether reclassification is warranted.
- Status update — The listing's verification status is revised and the audit timestamp is updated.
Entries in the pending review state are processed in batches rather than individually, prioritizing categories where regulatory enforcement activity creates the highest risk of stale information — primarily the regulatory and enforcement bodies category and, secondarily, the professional certification bodies category where credential status changes affect practitioner qualification claims.
For a complete view of how this directory's listings relate to the broader information security service landscape, the Information Security Listings index page provides category-level navigation across all active listing types.