Cybersecurity Directory: Purpose and Scope

The Security Services Authority cybersecurity directory organizes verified service providers, professional categories, qualification standards, and regulatory frameworks relevant to cybersecurity practice across the United States. This page defines the directory's organizational logic, the criteria governing which listings appear, and the boundaries that separate this resource from adjacent reference materials. Researchers, procurement professionals, and compliance teams navigating the cybersecurity services sector will find in the sections below the structural framing necessary to interpret listings accurately. For a broader orientation to the site's structure, see How to Use This Security Services Resource.


How the directory is maintained

Entry maintenance follows a structured classification process anchored to established public frameworks rather than vendor self-reporting or commercial relationships. No listing appears in the Security Services Listings index without satisfying a discrete qualification check against the directory's governing taxonomy.

The review process operates in four phases:

  1. Domain mapping — Each candidate entry is mapped to at least one function defined by the NIST Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, or Recover — or to a named compliance framework such as FISMA, the HIPAA Security Rule (45 CFR §§ 164.306–164.318), or PCI DSS v4.0. Entries that cannot be mapped to a recognized function or control domain are excluded.

  2. Scope validation — The service category must fall within the cybersecurity services sector as defined by NIST SP 800-53 Rev. 5, which catalogs 20 control families covering access control, incident response, supply chain risk management, and related domains. General IT managed services, physical security installations, and unrelated network operations fall outside this scope boundary.

  3. Qualification verification — Listings that reference professional credentials must name the issuing body. Recognized credentialing organizations include (ISC)², ISACA, CompTIA, and the SANS Institute's GIAC program. Listings that reference regulatory obligations must cite a named statute, agency, or standards document — not a paraphrase or marketing description.

  4. Periodic revalidation — Entries are subject to revalidation cycles triggered by material changes in the regulatory environment, such as revisions to CISA guidance documents or updates to sector-specific security requirements issued by agencies including the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) or the Department of Health and Human Services Office for Civil Rights.

Service categories represented in the directory include managed detection and response (MDR), security operations center (SOC) services, penetration testing, vulnerability management, identity and access management (IAM), OT/ICS security, cloud security posture management (CSPM), and digital forensics and incident response (DFIR). Each category carries distinct regulatory touchpoints and qualification standards that the directory surfaces at the listing level.


What the directory does not cover

The directory's classification boundaries are as consequential as what it includes.

The following categories are explicitly outside scope:


Relationship to other network resources

The cybersecurity directory at Security Services Authority functions as a structured services index, distinct from reference or explanatory resources covering the same domain. The Security Services Directory Purpose and Scope page addresses the broader directory architecture across all security verticals, while the cybersecurity directory narrows to the service and provider landscape specific to information and operational technology security.

Regulatory bodies whose frameworks shape listing criteria include the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC) — particularly under the FTC Safeguards Rule, 16 CFR Part 314 — and sector-specific regulators including the Office of the Comptroller of the Currency (OCC) for financial services and the HHS Office for Civil Rights for healthcare. Where a service category intersects with critical infrastructure, CISA's designation of 16 critical infrastructure sectors under Presidential Policy Directive 21 (PPD-21) provides the sector boundary framework applied in classification.

The directory does not duplicate or replace the technical reference content maintained across network properties covering threat intelligence, incident response frameworks, or penetration testing methodology. Those resources address how cybersecurity functions operate; this directory addresses who provides those services at a professional and commercial level within the US market.


How to interpret listings

Each listing in the cybersecurity directory carries a structured set of fields that reflect the classification logic described above. Readers interpreting listings should apply the following framework:

Service category identifies the primary function the provider delivers, mapped to a NIST CSF 2.0 function or a named control domain from NIST SP 800-53 Rev. 5. A listing classified under "Detect" functions, for example, covers services such as SOC operations, managed SIEM, or threat hunting — not advisory or consulting services that may reference detection without delivering it operationally.

Credential and qualification markers reference the issuing body directly. An entry referencing Certified Information Systems Security Professional (CISSP) certification names (ISC)² as the issuing body; an entry referencing Certified Ethical Hacker (CEH) names EC-Council. Listings without a named credentialing body or regulatory anchor are classified as unverified and withheld from publication.

Regulatory applicability identifies the compliance frameworks or sector mandates most directly relevant to the service. This field is descriptive, not prescriptive — it indicates where the service category intersects with named regulatory obligations, not whether a specific provider satisfies those obligations for a specific organization.

Geographic scope distinguishes between national providers, regional providers operating across defined multi-state footprints, and state-specific providers. For OT/ICS and critical infrastructure security services, geographic scope intersects with sector-specific federal jurisdiction and is noted accordingly.

Listings do not constitute endorsements, rankings, or certifications of competency. The directory reflects whether an entry satisfies the classification and verification criteria described above — no more, no less.