Cyber Safety Directory: Purpose and Scope
The National Cyber Safety Authority directory maps the professional service landscape for cybersecurity providers, practitioners, and organizations operating across the United States. This reference covers the directory's geographic reach, organizational structure, listing standards, and maintenance procedures. It serves researchers, procurement officers, compliance teams, and individuals navigating the cyber safety service sector — not as an instructional resource, but as a structured index of how this sector is classified and accessed.
Geographic coverage
The directory operates at national scope, indexing cybersecurity services and providers across all 50 U.S. states and the District of Columbia. Federal regulatory frameworks from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) define baseline standards that apply uniformly at the federal level, while enforcement at the state level varies by jurisdiction. Since the enactment of the Cybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L. 115-278), CISA holds coordinating authority across 16 critical infrastructure sectors recognized under Presidential Policy Directive 21 (PPD-21), and providers serving any of those sectors are eligible for directory inclusion regardless of the state in which they are domiciled.
The directory does not restrict coverage to firms headquartered in a single metro region or state. A managed security service provider (MSSP) operating from Texas but serving healthcare clients in 12 states would qualify for a single listing that reflects its full operational footprint. Similarly, a forensic incident response firm with regional offices is indexed under its primary service geography rather than its registered corporate address.
Cross-border and multinational providers are included only when their primary commercial and legal presence is established within the United States under applicable federal and state licensing structures.
How to use this resource
The Cyber Safety Listings section organizes providers into structured professional categories. Each category corresponds to a recognized service type in the cybersecurity sector:
- Managed Security Services (MSS/MSSPs) — continuous monitoring, threat detection, and incident response delivered remotely or on-site
- Cybersecurity Consulting and Risk Assessment — advisory services benchmarked against frameworks including NIST SP 800-53 and ISO/IEC 27001
- Incident Response and Digital Forensics — post-breach investigation, evidence preservation, and remediation under standards aligned with NIST SP 800-61
- Security Awareness Training — workforce education programs, including those structured around CISA's #StopRansomware guidance
- Penetration Testing and Vulnerability Assessment — authorized offensive testing services following methodologies such as PTES (Penetration Testing Execution Standard) and OWASP
- Compliance and Regulatory Advisory — services addressing requirements under HIPAA, FedRAMP, CMMC, GLBA, and state-level privacy statutes including the California Consumer Privacy Act (CCPA)
- Identity and Access Management (IAM) — credential governance, multi-factor authentication deployment, and privileged access management
The distinction between Category 1 (MSSP/continuous monitoring) and Category 3 (incident response) is a functional boundary, not a vendor boundary — a single firm may hold listings in both categories if its verified service portfolio encompasses both ongoing operations and post-incident engagements.
Detailed instructions for navigating these categories and applying filters by service type, geography, or regulatory alignment are documented on the How to Use This Cyber Safety Resource page.
Standards for inclusion
Listings in this directory are evaluated against a defined set of inclusion criteria that reflect recognized professional and regulatory benchmarks. Meeting threshold requirements in 3 of the following 5 dimensions establishes baseline eligibility:
- Licensure and registration — valid business registration in at least 1 U.S. state, with no active regulatory sanctions from the Federal Trade Commission (FTC) or relevant state authority
- Framework alignment — demonstrable service alignment with at least 1 recognized standard: NIST Cybersecurity Framework (CSF), NIST SP 800-171, ISO/IEC 27001, SOC 2 Type II, or CMMC Level 1 through Level 3
- Practitioner credentialing — staff holding at least 1 recognized industry credential, such as CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), or CompTIA Security+
- Verifiable service history — documented client engagements, not limited to references; public case disclosures, certifications of compliance completion, or third-party audit letters are acceptable evidence
- Scope specificity — a defined and bounded service catalog that can be classified against the directory's 7 professional categories above
Providers offering general IT services without a distinct cybersecurity practice are excluded. The boundary between general IT managed services and qualified cybersecurity managed services is assessed against whether the provider's documented scope includes threat monitoring and incident response as primary deliverables, not incidental features.
How the directory is maintained
Directory records are subject to structured review cycles to ensure that listed providers continue to meet inclusion standards. Records flagged with compliance status changes — including FTC enforcement actions, state attorney general findings, or lapse in listed certifications — are reviewed within 30 days of a documented trigger event. The page at Cyber Safety Directory: Purpose and Scope is updated when structural classification criteria change in response to shifts in federal or state regulatory frameworks.
The directory's classification taxonomy is anchored to NIST's National Cybersecurity Workforce Framework (NICE Framework, NIST SP 800-181), which provides 52 defined work roles across 7 categories. When NICE Framework revisions produce new work role definitions, the directory's professional categories are reconciled against the updated taxonomy within 90 days.
Listings are not permanent. Providers that cease operations, surrender licenses, or sustain unresolved enforcement actions are removed from active listings and archived. Archived records are retained for reference purposes to support researchers and procurement teams conducting historical due diligence on prior vendor relationships.