Contact

Security Services Authority operates as a national reference directory for the cybersecurity services sector in the United States. This page documents how to reach the editorial and administrative office, the geographic and subject-matter scope of inquiries accepted, what information to include when submitting a message, and what response timelines apply. Inquiries related to directory listings, editorial accuracy, and sector coverage fall within the scope of this office.

How to reach this office

The administrative office for Security Services Authority accepts written inquiries submitted through the contact page associated with this domain. All correspondence is routed to the editorial and directory management team, which holds responsibility for listing accuracy, sector classification decisions, and reference content published across the site.

Inquiries fall into four distinct categories handled by this office:

  1. Directory listing submissions — requests to add, update, or remove a provider listing within the Security Services Listings index
  2. Editorial corrections — factual disputes or accuracy concerns related to published reference content
  3. Licensing and credential verification requests — questions about how provider qualifications, certifications, or regulatory standing are verified before listing acceptance
  4. Scope and coverage questions — inquiries about which cybersecurity service categories, geographic markets, or regulatory frameworks fall within the directory's coverage boundaries

Correspondence unrelated to cybersecurity services, directory operations, or editorial matters falls outside this office's remit and will not receive a substantive response. Regulatory enforcement inquiries should be directed to the appropriate federal or state agency — CISA for critical infrastructure and cybersecurity incidents, or the FTC for consumer data protection matters.

Service area covered

Security Services Authority maintains national scope across the contiguous United States, Alaska, and Hawaii. The directory covers cybersecurity service providers operating under US jurisdiction and subject to US regulatory frameworks, including those administered by CISA, NIST, the FTC, HHS (under HIPAA), and sector-specific bodies such as NERC CIP for energy and the FFIEC for financial services.

The directory's subject-matter coverage spans the following service verticals within cybersecurity:

  1. Managed security services (MSSPs)
  2. Penetration testing and vulnerability assessment
  3. Incident response and forensic services
  4. Identity and access management (IAM) solutions
  5. OT/ICS security — providers serving industrial environments governed by NIST SP 800-82 Rev. 3 standards
  6. Cloud security — including IaaS, PaaS, and SaaS protection frameworks
  7. Governance, risk, and compliance (GRC) consulting
  8. Security awareness and workforce training programs

Providers operating exclusively in non-US jurisdictions are outside the directory's current geographic scope. Providers serving both US and international markets are eligible for listing if their US operations constitute a defined, separately addressable service offering.

The distinction between product vendors and service providers represents a classification boundary enforced editorially: Security Services Authority indexes service providers — firms delivering professional services, managed services, or consulting — not software or hardware product manufacturers without a distinct professional services arm.

What to include in your message

Incomplete submissions account for a substantial portion of delayed or unresolved inquiries. To ensure accurate processing, all messages should include the following structured information:

For directory listing submissions:
- Legal business name and doing-business-as (DBA) name if applicable
- Primary service category (matched to one of the 8 verticals listed above)
- Geographic service footprint (states served or national coverage)
- Relevant certifications or regulatory credentials (e.g., SOC 2 Type II, FedRAMP authorization, CMMC level, CISA-recognized status)
- Primary point of contact name, title, and business email address

For editorial corrections:
- The specific URL of the page containing the disputed content
- The exact text or data point in question
- The correction being requested, with a named public source supporting the correction (e.g., a NIST publication, a CISA advisory, or a federal statute citation)

For licensing and credential verification questions:
- The specific certification, license, or regulatory designation in question
- The issuing body or framework (e.g., ISC², CompTIA, ISACA, CMMC Accreditation Body)
- The context in which verification is being requested

Messages that omit the relevant category, lack a named contact, or provide no supporting detail will be returned for clarification before any substantive review begins.

Response expectations

The editorial process reviews incoming correspondence in the order received. Listing submissions undergo a 2-stage review: an initial completeness check in a timely manner, followed by a credential and classification review that typically requires an additional 10 to 15 business days depending on the complexity of the service category and the volume of documentation provided.

Editorial correction requests are prioritized by materiality. Corrections involving a misclassified regulatory framework, an inaccurate statutory citation, or an erroneous credential claim are escalated above general content improvement suggestions. The NIST Cybersecurity Framework (CSF 2.0) and CISA's published advisories serve as primary reference authorities for resolving disputes about technical accuracy in editorial content.

Scope and coverage inquiries receive a written determination — either confirmation that a provider category falls within the directory's defined verticals or a reasoned explanation of why it falls outside current scope. Coverage scope is reviewed on an annual basis against updates to federal regulatory frameworks and CISA's evolving critical infrastructure sector designations.

No response channel associated with this directory constitutes legal counsel, regulatory advice, or professional certification guidance. Parties seeking formal regulatory determination should engage directly with the relevant agency: HHS Office for Civil Rights for HIPAA matters, CISA for critical infrastructure cybersecurity, or the applicable state attorney general for state-level data protection statutes.

Report a Data Error or Correction

Found incorrect information, an outdated fact, or a broken link? Use the form below.

Read Next

Security Services Listings Each entry represents a distinct provider profile drawn from publicly verifiable business and licensing records. Security Services Directory: Purpose and Scope This page defines the directory's organizational logic, classification standards, scope boundaries, and the regulatory... How to Use This Security Services Resource This page describes the scope of content covered within this reference directory, how to locate specific topics, how published...