Contact

Cyber Safety Authority serves as a national-scope reference directory for cybersecurity service categories, provider classifications, regulatory frameworks, and sector-specific compliance structures. This contact page describes the scope of inquiries the directory handles, what information to include when submitting a message, and how different request types are processed. Listing-related inquiries, research requests, and editorial corrections follow distinct workflows outlined below.

Service area covered

Cyber Safety Authority operates at the national level across the United States, covering cybersecurity service sectors subject to federal regulatory frameworks including the NIST Cybersecurity Framework (CSF 2.0), the Federal Information Security Modernization Act (FISMA, 44 U.S.C. § 3551 et seq.), and sector-specific mandates enforced by agencies including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), and the Department of Health and Human Services (HHS) Office for Civil Rights.

The directory covers 4 primary inquiry categories:

1. Listing and directory submissions — requests to add, update, or remove a cybersecurity service provider, firm, or resource from the Cyber Safety Listings.
2. Editorial and factual corrections — identified errors in regulatory citations, agency names, statute references, or classification descriptions across published pages.
3. Research and reference inquiries — questions from policy researchers, compliance professionals, journalists, or institutional staff seeking clarification on how the directory's classification system is structured.
4. Partnership and republication requests — formal inquiries regarding data attribution, reference licensing, or content coordination with other public-interest or regulatory publications.

Inquiries outside these 4 categories — including requests for legal advice, professional referrals, or cybersecurity incident response services — fall outside the scope of this directory. For incident response resources, CISA maintains a 24-hour hotline documented at cisa.gov/report. For regulatory guidance, the relevant federal agency (FTC, HHS OCR, or CISA depending on sector) maintains public-facing guidance portals.

What to include in your message

Message quality directly determines processing speed. Incomplete submissions are deprioritized. The following structured breakdown applies across all 4 inquiry categories:

For listing submissions:
- Legal name of the organization or provider
- Primary cybersecurity service category (e.g., managed security services, penetration testing, compliance consulting, incident response)
- Geographic service coverage — national, multi-state, or state-specific
- Any applicable certification or accreditation held (e.g., FedRAMP authorization, ISO/IEC 27001 certification, SOC 2 Type II attestation)
- The specific listing page or category where the entry should appear, referencing the Cyber Safety Listings

For editorial corrections:
- The exact URL of the page containing the error
- The current text as published
- The proposed correction, with a citation to the authoritative public source (statute, agency publication, or standards document) supporting the change
- NIST, CISA, and HHS OCR publications are accepted as primary sources; unnamed secondary sources are not sufficient for regulatory claim corrections

For research inquiries:
- Organizational affiliation, if applicable
- The specific classification question or framework ambiguity being investigated
- Whether the inquiry relates to a published page (provide the URL) or to the directory's overall scope and methodology (described at Cyber Safety Directory Purpose and Scope)

For partnership and republication requests:
- The requesting organization's name and public web presence
- The specific content or data being requested for use
- The intended publication context and audience

Response expectations

Cyber Safety Authority distinguishes between 2 tiers of response handling: editorial and operational.

Editorial inquiries — factual corrections, regulatory citation disputes, and classification structure questions — are reviewed against primary sources including NIST Special Publications, CISA advisories, and the relevant federal statute text. The review standard is whether a correction can be independently verified through a named public document. Corrections supported by statute or agency guidance (e.g., HIPAA Security Rule, 45 CFR Part 164; FISMA, 44 U.S.C. § 3551) are prioritized. Corrections based solely on practitioner opinion or vendor materials are not actioned without independent corroboration.

Listing submissions are evaluated against the directory's classification framework. A submission that does not clearly map to a recognized cybersecurity service category — as defined within the NIST CSF 2.0 function taxonomy (Govern, Identify, Protect, Detect, Respond, Recover) or an equivalent sector-specific regulatory structure — will be returned for clarification before processing advances.

Response timelines vary by inquiry type and completeness. Incomplete submissions that are missing required fields described in the prior section are held pending supplemental information rather than rejected outright. Submissions received with full documentation and a verifiable public-source citation are processed before incomplete counterparts regardless of submission sequence.

Additional contact options

For cybersecurity regulatory guidance, the following named public agencies maintain direct contact and reporting channels:

• CISA (Cybersecurity and Infrastructure Security Agency) — incident reporting, critical infrastructure protection inquiries, and federal agency coordination: cisa.gov/contact-us
• FTC (Federal Trade Commission) — cybersecurity and data security complaints related to commercial entities: ftc.gov/contact
• HHS Office for Civil Rights — HIPAA Security Rule compliance inquiries and breach reporting for covered entities and business associates: hhs.gov/hipaa/filing-a-complaint
• NIST Computer Security Resource Center — framework documentation, SP 800-series publications, and standards clarification: csrc.nist.gov

Professionals seeking to understand how this directory is organized — including how service categories are classified and how coverage scope is defined — should consult How to Use This Cyber Safety Resource before submitting a listing or research inquiry. That reference describes the classification logic and source standards applied across all published content on this domain.