Security Services Directory: Purpose and Scope
The Security Services Authority directory catalogs professional cybersecurity service providers, vendor categories, and practitioner specializations operating within the United States security services market. This page defines the directory's organizational logic, classification standards, scope boundaries, and the regulatory frameworks that anchor its taxonomy. It serves as the authoritative reference for interpreting listings and understanding how this resource relates to the broader professional landscape it maps.
How the directory is maintained
Directory maintenance follows a structured classification process anchored to established public frameworks rather than proprietary or self-reported criteria. No listing enters the directory until it has passed a scope check and a source check against the governing taxonomy described below.
The classification framework draws primarily from two public standards bodies:
- NIST Cybersecurity Framework (CSF 2.0) — published by the National Institute of Standards and Technology, which organizes security functions across six core domains: Govern, Identify, Protect, Detect, Respond, and Recover. Each service category within this directory maps to at least one CSF 2.0 function.
- NIST Special Publication 800-53, Rev. 5 — the Security and Privacy Controls for Information Systems and Organizations document, which catalogs 20 control families. Service providers whose offerings address named control families (such as AC — Access Control, IR — Incident Response, or RA — Risk Assessment) are classified accordingly.
The review process runs through four discrete phases:
- Scope mapping — The candidate service or provider category is mapped to at least one CSF 2.0 function or NIST SP 800-53 control family, or to a named compliance framework such as FISMA (44 U.S.C. § 3551 et seq.), the HIPAA Security Rule (45 CFR Part 164, Subparts A and C), or PCI DSS v4.0.
- Regulatory alignment check — Listings that reference regulatory obligations must cite a named statute, agency rule, or standards document. Entries referencing CISA guidance or the FTC Safeguards Rule (16 CFR Part 314) link to the primary-source document at the point of attribution.
- Service category validation — The provider or category must fall within the cybersecurity services sector — managed detection and response, penetration testing, OT/ICS security, identity and access management, incident response, security awareness training, or adjacent professional disciplines. General IT support, hardware resale, and unrelated managed services are excluded.
- Verification pass — Each listing is checked against publicly available organizational records, industry certifications, or regulatory registrations before classification is finalized.
Updates to listings reflect changes in regulatory scope, framework revisions, or verified changes in provider service offerings. The Security Services Listings section reflects the current classification state of all active entries.
What the directory does not cover
The directory is a professional reference for the cybersecurity services sector. It does not function as a procurement platform, endorsement registry, or consumer review system. Specific exclusions include:
- General IT managed services that lack a defined cybersecurity scope — network administration, desktop support, and helpdesk functions without a security-specific mandate are outside classification boundaries.
- Physical security services — guarding, access control hardware, alarm monitoring, and surveillance operations constitute a separate professional sector with distinct licensing regimes governed at the state level through bodies such as the Bureau of Security and Investigative Services (BSIS) in California and equivalent agencies in other jurisdictions. Physical security services are not within this directory's taxonomy.
- Legal and compliance advisory services that do not include a technical cybersecurity delivery component. Law firms and regulatory consultants advising on data privacy statutes — without delivering security assessments, testing, or monitoring services — fall outside scope.
- Cybersecurity product vendors whose primary offering is software or hardware rather than professional services. Tool categories (SIEM platforms, endpoint detection products, firewall appliances) are referenced in context but are not listed as service providers.
- Academic or training institutions offering degree programs or certifications without an affiliated professional services practice.
Understanding these exclusion boundaries is necessary for accurate interpretation of the Security Services Listings and distinguishes this directory from broader IT or business services registries.
Relationship to other network resources
This directory operates as the structured service index within a reference network that also includes substantive technical and regulatory content. The directory itself does not reproduce framework definitions, regulatory analysis, or technical explanations — those functions belong to the reference and explanation pages within the same network.
The How to Use This Security Services Resource page provides operational guidance on navigating listings, applying filters, and interpreting classification categories in practice. Researchers and procurement professionals unfamiliar with the directory's structure should consult that page before working through the listing index.
Regulatory framing within listings — references to CISA's 16 critical infrastructure sectors, NIST control families, or sector-specific rules such as NERC CIP for the energy sector (NERC CIP Standards) — reflects the authoritative public sources that anchor each classification. Those sources are cited at the listing level; this page documents the citation policy that governs them.
How to interpret listings
Each listing in this directory presents structured classification data, not marketing copy or editorial assessment. Readers should interpret listing fields as follows:
- Service category — The primary CSF 2.0 function or NIST 800-53 control family the provider's core offering addresses. A provider listed under "Incident Response" maps to the Respond and Recover functions of CSF 2.0 and the IR control family of NIST SP 800-53 Rev. 5.
- Sector alignment — Where a provider specializes in a regulated sector — healthcare, financial services, energy, federal contracting — the listing notes the governing framework (HIPAA Security Rule, GLBA Safeguards Rule, NERC CIP, FedRAMP). Sector alignment does not indicate regulatory endorsement by the named agency.
- Credential references — Listings may note publicly verifiable professional certifications such as those issued by (ISC)² (CISSP), ISACA (CISM, CRISC), or GIAC. Credential references record the qualifications a provider publicly states; the verification pass confirms that the provider exists and is in scope, but the directory does not independently validate individual certifications.
- Geographic scope — Listings specify whether service delivery is national, regional, or state-specific. For providers operating across state lines in regulated professions, applicable state licensing requirements govern practice — not directory classification.
A contrast worth drawing explicitly: a listing's presence in a specific service category (for example, Penetration Testing under the Protect function) indicates taxonomic classification, not a ranking, rating, or comparative evaluation against other listed providers. The directory presents a structured map of the service sector; assessments of individual provider quality are outside its function. Full navigation of all active provider entries is available through the Security Services Listings index.