How to Use This Cyber Safety Resource
Cyber Safety Authority is a structured reference directory covering the cybersecurity service sector in the United States, organized to serve professionals, researchers, and service seekers navigating a regulatory environment shaped by overlapping federal mandates. The Cyber Safety Listings index presents categorized service provider information, while the Directory Purpose and Scope page establishes the classification framework governing what is included and why. Understanding how this resource is organized allows readers to locate relevant information efficiently and apply it alongside authoritative primary sources.
How to navigate
The directory is structured around three distinct professional audiences, each with different research objectives and entry points.
Service seekers — procurement officers, IT directors, and operations managers — arrive with defined operational problems: a compliance gap under a named framework such as NIST SP 800-53, an incident response requirement, or a third-party audit that demands documented technical controls. These users should begin with the service category listings and filter by regulatory context.
Industry professionals — security analysts, consultants, and vendor representatives — use the directory to benchmark service categories, understand how credentialing standards map to listed providers, and research how the sector is segmented across disciplines such as managed detection and response, penetration testing, and compliance advisory services.
Researchers and policy professionals — those studying the structure of the US cybersecurity services market, regulatory obligations, or workforce qualification standards — will find the framework and regulatory sections most useful as entry points.
Navigation follows a top-down structure:
- Start at the directory index for broad category orientation
- Use service category pages to identify relevant professional disciplines
- Cross-reference regulatory framing against named agency sources
- Consult the Directory Purpose and Scope page for classification boundary definitions
What to look for first
The US cybersecurity regulatory environment is shaped by five federal bodies referenced throughout this directory: NIST, CISA, the FTC, HHS, and the Department of Defense's CMMC program office. Each operates under distinct statutory authority and applies to different sectors. Note that NIST itself is a standards body rather than a regulator: its publications become binding only where another instrument cites them (FISMA and OMB policy for federal agencies, DFARS clauses for defense contractors, or a sector rule that adopts them by reference). Readers should identify which regulatory regime applies to their context before navigating service category listings.
For healthcare-adjacent organizations, the relevant anchor is the HIPAA Security Rule under 45 CFR Part 164, Subpart C, administered by the HHS Office for Civil Rights. For non-bank financial institutions under FTC jurisdiction (lenders, brokers, tax preparers and similar entities covered by the Gramm-Leach-Bliley Act), the FTC Safeguards Rule under 16 CFR Part 314 governs information security program requirements; banks and credit unions are instead supervised by their prudential regulators. Defense contractors must align with CMMC (Cybersecurity Maturity Model Certification) requirements tied to DFARS clause 252.204-7021. Organizations without sector-specific mandates typically anchor to the NIST Cybersecurity Framework (CSF) 2.0, which structures outcomes across six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The distinction between administrative safeguards (policy, training, access governance) and technical safeguards (encryption, access control systems, logging) is a classification boundary that appears throughout the directory. It is taken directly from the HIPAA Security Rule, which defines administrative, physical, and technical safeguards at 45 CFR 164.308, 164.310, and 164.312 respectively. NIST SP 800-53 organizes its controls into families (Access Control, Audit and Accountability, Awareness and Training, and so on) rather than by that split, so mapping between the two taxonomies is approximate: a single 800-53 family such as Access Control contains both policy controls and technical mechanisms. Recognizing the administrative/technical distinction at the outset still allows faster identification of relevant service categories, since most providers specialize in one side of it.
How information is organized
Content across this directory is organized into three structural layers:
Regulatory context — Each major service category is anchored to the regulatory frameworks that generate demand for that service. A penetration testing category entry, for example, references NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) and CISA advisories where applicable, rather than relying on vendor-defined scope.
Service category classification — Categories are defined by function, not by vendor marketing terminology. The distinction between a managed security service provider (MSSP) and a managed detection and response (MDR) provider, for instance, reflects meaningful operational differences: MSSPs typically offer broad coverage including firewall management and log aggregation, while MDR providers focus on threat detection, investigation, and containment with defined response SLAs. These are treated as distinct categories, not interchangeable labels.
Credentialing and qualification standards — Where professional certifications and organizational accreditations are referenced, the directory cites the issuing body. Certifications such as CISSP (issued by (ISC)²), CISM (issued by ISACA), and CompTIA Security+ carry different scope and examination requirements. CISSP requires a minimum of 5 years of paid work experience in 2 or more of the 8 CBK domains; CompTIA Security+ has no mandatory prerequisite. These distinctions matter when evaluating provider qualifications.
Content is evaluated against named, publicly accessible standards documents and regulatory instruments — not vendor literature or unattributed commentary. Primary reference bodies include NIST, CISA, HHS Office for Civil Rights, the FTC, and the CMMC program office within the Department of Defense.
Limitations and scope
This directory operates within the United States national regulatory environment. It does not cover EU/EEA obligations under the NIS2 Directive, UK-specific NCSC frameworks, or ISO/IEC 27001 certification requirements except where those standards intersect with US federal compliance requirements for multinational organizations.
Content published here constitutes reference material for navigating the service sector. It does not constitute legal counsel, compliance certification guidance, security engineering advice, or a substitute for engagement with qualified licensed professionals. Readers responsible for organizational security posture, incident response planning, or regulatory audit preparation should treat this directory as a structured entry point, not a terminal authority.
The Cyber Safety Listings index reflects provider categories as defined by publicly documented service frameworks and regulatory demand signals. Inclusion in the directory does not constitute endorsement, vetting, or performance certification of any listed entity. Credential verification for specific providers should be conducted directly with the relevant issuing body: (ISC)² for CISSP, ISACA for CISM and CRISC, and the Cyber AB (formerly the CMMC Accreditation Body, CMMC-AB) for certified third-party assessment organizations (C3PAOs), which it lists in its public marketplace.
Scope is bounded to service sectors where formal regulatory or framework obligations exist. Categories without a named regulatory driver, published standards reference, or established professional credentialing pathway are outside the current classification boundary of this directory.