Cyber Safety Directory: Purpose and Scope

The Cyber Safety Directory maps the professional service landscape, regulatory frameworks, and organizational categories that define cybersecurity practice in the United States. Entries span federal agencies, independent service providers, standards bodies, and sector-specific compliance resources. The directory functions as a structured reference for service seekers, compliance professionals, and researchers navigating a domain governed by overlapping statutory obligations and voluntary frameworks.


What Is Included

The directory organizes cybersecurity-relevant entities and resources across five primary classification types:

  1. Regulatory and enforcement bodies — Federal agencies with statutory cybersecurity authority, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), the Department of Health and Human Services Office for Civil Rights (HHS OCR), and the Securities and Exchange Commission (SEC).
  2. Standards and framework authorities — Organizations that publish technical and governance standards used as compliance baselines, including the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Payment Card Industry Security Standards Council (PCI SSC).
  3. Managed and professional service providers — Entities delivering operational cybersecurity services: managed security service providers (MSSPs), incident response firms, penetration testing organizations, and security operations center (SOC) operators.
  4. Sector-specific compliance resources — Materials and organizations relevant to regulated verticals such as healthcare (HIPAA), financial services (GLBA, NY DFS Part 500), defense contracting (CMMC), and critical infrastructure (NERC CIP).
  5. Certification and credentialing bodies — Organizations that administer professional qualifications recognized across the industry, such as (ISC)², ISACA, CompTIA, and EC-Council.

Entries do not include general-purpose IT vendors, consumer antivirus products, or organizations without a defined cybersecurity service mandate. The boundary between a cybersecurity-specific provider and a general IT firm is determined by primary service classification, not incidental security features.

The Cyber Safety Listings section provides the primary access point for browsing individual entries by category.


How Entries Are Determined

Inclusion decisions follow a structured qualification framework applied consistently across all candidate entries. An entity qualifies for listing when it meets at least one of the following conditions:

Entries are distinguished from informational resources: a vendor publishing a blog on phishing does not qualify; a firm delivering NIST Cybersecurity Framework gap assessments as a contracted service does.

The distinction between regulatory bodies and service providers is the directory's most significant classification boundary. Regulatory bodies hold statutory authority to investigate, penalize, or mandate organizational behavior. Service providers operate in the private sector with no enforcement power but deliver technical capabilities that organizations use to satisfy regulatory requirements. These categories are listed separately and are not cross-classified.

Directory maintenance does not involve paid placement, sponsored positioning, or editorial endorsement. The How to Use This Cyber Safety Resource page details the navigation structure for locating entries within each classification tier.


Geographic Coverage

The directory operates at national scope within the United States. Federal regulatory coverage applies across all 50 states and U.S. territories for entities subject to federal statutes. State-level regulatory frameworks are documented where a state agency exercises distinct cybersecurity jurisdiction — 47 states maintain breach notification statutes with varying threshold and timeline requirements, and states including California (CCPA/CPRA), New York (NY DFS Part 500), and Colorado (CRS § 6-1-713) have enacted substantive cybersecurity program obligations beyond notification.

Service provider listings include firms operating nationally, regionally, or in specific metropolitan markets. Entries are tagged by operational footprint where that information is publicly available. International standards bodies such as ISO are included where their frameworks carry direct compliance relevance for U.S. organizations, but the directory does not extend to foreign regulatory agencies or non-U.S. enforcement bodies.

Critical infrastructure sectors receive expanded coverage reflecting the concentration of federal cybersecurity mandates in those verticals. CISA identifies 16 critical infrastructure sectors under Presidential Policy Directive 21 (PPD-21); service providers and regulatory resources aligned to those sectors are represented proportionally within the directory.


How to Use This Resource

The directory is organized to support three distinct use patterns:

Regulatory navigation — Compliance officers and legal teams identifying which agencies hold jurisdiction over their organization's data handling and incident reporting obligations. Starting points are the regulatory body listings, cross-referenced by sector and applicable statute.

Service provider identification — Security and IT professionals locating firms that deliver specific operational capabilities: threat detection, vulnerability management, forensic investigation, or compliance assessment. Provider entries are classified by service type, not by vendor tier or market share.

Framework and standards research — Researchers and practitioners locating the authoritative source for a named framework, control set, or certification standard. Each standards body entry links directly to the primary publication source rather than secondary summaries.

The Cyber Safety Directory: Purpose and Scope page serves as the reference anchor for understanding how the directory's classification logic was constructed. Readers unfamiliar with the regulatory landscape should orient against the regulatory body listings before navigating service provider categories, since provider compliance obligations are often defined by the same statutes those bodies enforce.

Search and filter functionality within the listings index is organized by classification type, sector, and geographic footprint. Entries are not ranked by performance, revenue, or editorial preference — alphabetical and categorical ordering reflects neutral classification only.
