Cybersecurity Directory: Purpose and Scope

The cybersecurity services sector in the United States operates across overlapping federal mandates, sector-specific regulations, and breach notification laws enacted in all 50 states. This directory catalogs verified cybersecurity service providers, practitioners, and reference resources organized within that regulatory environment. The scope covers identity protection, data security, incident response, managed security services, and compliance-adjacent domains relevant to individuals and organizations subject to US law. A clear explanation of what this directory includes — and what it deliberately excludes — is found in the How to Use This Cyber Safety Resource reference.

How entries are determined

Entries in this directory are evaluated against a structured set of inclusion criteria designed to ensure that listed resources reflect verifiable professional standing, not self-reported marketing claims. The evaluation process proceeds in four discrete phases:

1. Entity identification — The provider, practitioner, or resource is identified as operating within the cybersecurity sector as defined by NIST SP 800-12 Rev. 1, which establishes foundational terminology for information security programs and the organizational functions that support them.
2. Credential or qualification review — Practitioners are assessed for documented credentials from recognized certification bodies, including (ISC)², ISACA, CompTIA, or GIAC. Organizations are assessed for documented adherence to frameworks such as the NIST Cybersecurity Framework (CSF) or ISO/IEC 27001.
3. Regulatory alignment check — Entries are cross-referenced against the federal and state regulatory landscape in which they operate. Primary reference points include the Federal Trade Commission Act (15 U.S.C. § 45), the Gramm-Leach-Bliley Act (GLBA), HIPAA, and CISA's published guidance at cisa.gov.
4. Category assignment — Each entry is classified by primary service function using the NIST CSF's five core functions: Identify, Protect, Detect, Respond, and Recover. This classification determines placement within the directory's Cyber Safety Listings structure.

Entries that cannot be verified against at least one named regulatory framework or recognized credentialing body are excluded regardless of the provider's stated qualifications.

Geographic coverage

This directory operates at national scope within the United States. Coverage is structured around federal regulatory frameworks that establish baseline cybersecurity obligations across sectors, complemented by the state-level breach notification statutes active in all 50 states.

The federal reference architecture spans multiple sector-specific statutes. Healthcare entities fall under the HIPAA Security Rule (45 C.F.R. Parts 160 and 164), which mandates administrative, physical, and technical safeguards for electronic protected health information. Financial institutions are governed by the GLBA Safeguards Rule, updated by the Federal Trade Commission in 2023 to include specific requirements for access controls, encryption, and incident response programs. Critical infrastructure operators reference the Cybersecurity and Infrastructure Security Agency's (CISA) Cross-Sector Cybersecurity Performance Goals, published in 2022 as a baseline standard.

State-level coverage reflects the regulatory authority of all 50 state attorneys general over breach notification obligations and, increasingly, proactive data security requirements. California's CCPA/CPRA framework, New York's SHIELD Act, and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) represent the most expansive state-level mandates currently enforced. Providers listed in this directory are indexed against the states in which they are licensed or registered to operate.

International providers are excluded from directory listings unless they maintain a verified US-based operational entity subject to domestic regulatory oversight.

How to use this resource

This directory is structured as a reference instrument for service seekers, compliance officers, security practitioners, and researchers navigating the cybersecurity services market. It is not organized as a ranked list or a vendor comparison tool.

Navigation follows the NIST CSF functional categories. A practitioner seeking incident response services should filter by the "Respond" function; an organization evaluating identity protection vendors should begin with the "Protect" category. Each listing entry contains the provider's primary service classification, geographic operating scope, and the regulatory frameworks against which the provider's qualifications have been assessed.

Comparison: Managed Security Service Providers (MSSPs) vs. Independent Practitioners

MSSPs and independent cybersecurity practitioners occupy distinct positions in the service landscape:

• MSSPs operate at organizational scale, delivering continuous monitoring (often 24/7/365), threat detection, and response capabilities across client environments. They are typically assessed against SOC 2 Type II attestation standards and may hold FedRAMP authorization for federal engagements.
• Independent practitioners provide specialized advisory, assessment, or implementation services. Qualification verification centers on individual certifications — the CISSP (Certified Information Systems Security Professional) requires a minimum of 5 years of cumulative paid work experience in 2 or more of the 8 CISSP Common Body of Knowledge domains, as documented by (ISC)².

Both categories are listed within the directory's Cyber Safety Listings, with classification tags distinguishing organizational from individual providers.

Standards for inclusion

Inclusion in this directory requires verified satisfaction of at least one criterion from each of the following three categories:

Credential or Framework Alignment
- Active certification from (ISC)², ISACA, CompTIA, GIAC, or an equivalent ANSI-accredited body
- Documented ISO/IEC 27001 certification from an accredited certification body
- SOC 2 Type II audit report issued within the preceding 24 months
- FedRAMP authorization status as listed on the FedRAMP Marketplace

Regulatory Standing
- Demonstrated compliance program aligned to at least one applicable federal statute (HIPAA, GLBA, FISMA, or equivalent)
- Active registration or licensure in the state(s) of operation where professional licensing is required

Operational Verification
- Verifiable business registration in at least one US jurisdiction
- Publicly accessible service description consistent with the directory's defined cybersecurity functional categories

Entries are reviewed on a defined cycle. Providers whose credentials lapse, whose regulatory standing changes materially, or whose service scope shifts outside the directory's defined categories are reclassified or removed. The full scope of what this directory covers is detailed in the Cybersecurity Directory: Purpose and Scope reference, which also documents the categories of resources this directory does not include.