Cyber Safety Listings

The listings published on this site catalog cybersecurity service providers, practitioners, and organizations operating within the United States. Each entry is structured to support service seekers, compliance professionals, and researchers who need to identify qualified providers across a defined set of service categories. The Cyber Safety Directory Purpose and Scope page establishes the classification boundaries and inclusion criteria that govern which organizations appear here.

How listings are organized

Listings are grouped by primary service category, then subdivided by specialization and geographic reach. The top-level taxonomy reflects the functional divisions established within the NIST Cybersecurity Framework (CSF 2.0, published February 2024 by the National Institute of Standards and Technology), which organizes cybersecurity activities across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Listings that correspond to multiple functions — a common pattern among managed security service providers — carry compound category tags rather than a single classification.

Within each category, entries are sorted by two secondary attributes:

1. Service delivery model — whether the provider operates as a managed service provider (MSP), a consulting firm, a solo practitioner, a training organization, or a technology vendor
2. Client sector focus — healthcare, financial services, critical infrastructure, state and local government, education, or general commercial

Providers whose scope spans more than one delivery model are cross-listed. Regulatory alignment is noted where relevant — for example, providers serving covered entities under the Health Insurance Portability and Accountability Act (HIPAA, 45 CFR Parts 160 and 164) are flagged separately from those whose primary compliance context is the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Risk and Authorization Management Program (FedRAMP).

What each listing covers

Each individual listing presents a standardized set of data fields drawn from publicly verifiable sources. No listing contains self-reported performance claims, promotional language, or unverified certifications.

Standard fields per entry:

1. Organization name and legal jurisdiction — state of incorporation or registration
2. Primary service category — mapped to one or more NIST CSF 2.0 core functions
3. Secondary specializations — such as penetration testing, incident response, digital forensics, security awareness training, or governance risk and compliance (GRC) consulting
4. Applicable industry frameworks — ISO/IEC 27001, NIST SP 800-53, CIS Controls (published by the Center for Internet Security), SOC 2, or sector-specific requirements
5. Certifications held by the organization — including FedRAMP Authorization status (maintained by the General Services Administration), StateRAMP status where applicable, and third-party audit attestations
6. Geographic service area — national, multi-state, or single state
7. Regulatory compliance context — HIPAA, Gramm-Leach-Bliley Act (GLBA), FERPA, CISA directives, or applicable state-level statutes

A listing marked practitioner rather than organization will substitute individual credential fields — such as CISSP (governed by (ISC)²), CISM (governed by ISACA), or Certified Ethical Hacker (CEH, governed by EC-Council) — in place of organizational certification fields. The How to Use This Cyber Safety Resource page explains how to filter between these entry types.

Geographic distribution

The directory covers all 50 US states and the District of Columbia. Coverage density reflects the actual distribution of registered cybersecurity service providers across the country, which is uneven. The Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors, and provider concentration tends to cluster in states that host significant federal contracting activity — Virginia, Maryland, and Texas — as well as major financial centers in New York and California.

State-level regulatory variation affects how listings are categorized in specific jurisdictions. Florida, for instance, maintains cybersecurity obligations for state agencies under Florida Statutes Chapter 282, Section 282.318, administered through the Florida Digital Service (FDS). Providers whose services are scoped specifically to meet those state-agency requirements are annotated accordingly. Similar annotations apply for providers operating under the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), which imposes prescriptive technical and governance requirements on covered financial institutions.

Providers with national scope — defined here as active service delivery in 25 or more states — appear in a dedicated national-scope tier at the top of each category listing before state-specific entries begin.

How to read an entry

Each entry is presented in a consistent block format. The organization or practitioner name appears as the entry header, followed by the primary category tag in brackets. Data fields follow in a fixed sequence matching the order described in the "What each listing covers" section above.

Two visual markers distinguish entry types at a glance:

• A solid border on the left edge of the entry block indicates an organizational listing with at least one third-party-verified certification on file.
• A dashed border indicates a listing where certification status is self-reported and pending independent verification.

Entries are reviewed on a rolling basis against publicly available sources including the CISA Known Exploited Vulnerabilities catalog, the HHS Office for Civil Rights breach portal, and state attorney general enforcement records. An entry carrying a regulatory notice flag indicates that the listed organization has an open or resolved enforcement action on record with a named federal or state agency within the prior 36-month window. The flag does not constitute an endorsement or a disqualification — it reflects documented public record.

For questions about a specific listing's classification or to report a factual discrepancy, the contact page routes inquiries to the directory's editorial review process.