Cybersecurity Directory Listing Submission Criteria

The criteria governing directory listing submissions define which cybersecurity organizations, firms, and practitioners qualify for inclusion in a structured public reference registry. These standards exist to ensure that listed entities meet baseline professional, organizational, and operational thresholds — protecting the integrity of the directory and the researchers, procurement officers, and compliance teams who rely on it. The criteria apply across provider categories, from managed security service providers (MSSPs) to individual consultants, and reference frameworks established by federal agencies and recognized standards bodies.


Definition and scope

Submission criteria for a cybersecurity directory are the documented requirements an entity must satisfy before a listing is created, published, or maintained. The scope covers organizational eligibility, credential verification, service classification accuracy, jurisdictional disclosures, and ongoing compliance with the directory's accuracy standards.

The cybersecurity listings maintained on this site encompass providers operating across the full cybersecurity workforce roles and definitions taxonomy — including assessment and audit firms, incident response providers, identity and access management specialists, training organizations, and technology vendors. Each category carries distinct eligibility thresholds tied to the nature of the service offered.

Scope is national, covering US-based entities as well as foreign firms offering services to US-domiciled clients under federal or state regulatory jurisdictions. The cybersecurity directory purpose and scope page describes the broader rationale for the registry's design.


How it works

The submission and review process follows a structured sequence of four phases:

  1. Pre-qualification screening — The submitting entity completes a structured intake form identifying its primary service category, legal business name, state of incorporation or registration, and any federal contract vehicles or certifications held. Submissions that cannot be mapped to a recognized NICE Workforce Framework category (NIST SP 800-181) are flagged for secondary review.

  2. Credential and license verification — Claimed certifications — such as CISSP, CISM, CompTIA Security+, or sector-specific credentials detailed at cybersecurity certifications and credentials — are verified against issuing body registries. For entities claiming CMMC compliance authorization or federal contractor status, documentation referencing the DoD's CMMC program under 32 CFR Part 170 is required.

  3. Classification review — Submitted service descriptions are cross-referenced against recognized category definitions. A firm claiming "critical infrastructure protection" services must demonstrate alignment with CISA's 16 critical infrastructure sectors as defined under Presidential Policy Directive 21 (PPD-21). Misclassification — whether intentional or through imprecision — results in reclassification or deferral pending clarification.

  4. Ongoing accuracy maintenance — Listed entities are subject to periodic re-verification. Any material change to the entity's credentials, ownership, regulatory standing, or service scope must be reported within 90 days of the change. Listings that fail re-verification are suspended pending correction.


Common scenarios

The submission criteria operate differently depending on the submitting entity type. Three scenarios illustrate the primary classification boundaries:

Scenario A: Independent cybersecurity consultant. An individual practitioner seeking a listing must hold at least one active, verifiable professional credential from a recognized body — (ISC)², ISACA, CompTIA, GIAC, or equivalent. Solo practitioners without formal credentials but with documented federal contracting history may qualify under an experience-based pathway, subject to reference verification. Regulatory framing under this scenario often involves FISMA compliance support or state-level advisory work.

Scenario B: Managed Security Service Provider (MSSP). A firm offering continuous monitoring, SOC operations, or threat detection services must provide documentation of operational controls — typically mapped to the NIST Cybersecurity Framework (CSF 2.0, published February 2024 by NIST). MSSPs serving healthcare clients must additionally demonstrate familiarity with HIPAA Security Rule requirements at 45 CFR §§ 164.302–164.318, as covered at healthcare cybersecurity HIPAA standards. MSSPs serving financial sector clients face additional scrutiny under GLBA Safeguards Rule provisions.

Scenario C: Cybersecurity training organization. Entities providing workforce awareness or technical training must demonstrate curriculum alignment with a recognized framework — NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program) or the NICE Cybersecurity Workforce Framework. Organizations claiming compliance training for federal contractors are reviewed against CMMC compliance reference standards.


Decision boundaries

The submission review process applies explicit inclusion and exclusion thresholds. The following distinctions govern edge-case determinations:

Included vs. excluded entity types. Technology product vendors are listed only when they also offer professional services with measurable cybersecurity outcomes — a firewall manufacturer without a professional services arm does not qualify as a cybersecurity services provider. Pure software resellers are excluded unless they provide licensed implementation, configuration, or advisory services under a separately credentialed team.

Active vs. lapsed credentials. A credential that was valid at the time of initial submission but has since lapsed does not satisfy the listing maintenance requirement. The issuing body's public verification registry — not the submitting entity's self-attestation — is the authoritative source. Entities holding credentials from bodies not recognized by a US federal agency, DoD component, or major standards organization (ISO/IEC, ANSI) are evaluated on a case-by-case basis.

Geographic eligibility. Foreign entities must demonstrate a US legal presence (registered agent, US-domiciled subsidiary, or active GSA Schedule contract) to qualify. Entities operating exclusively outside US jurisdiction are out of scope regardless of credential status.

Regulatory standing. Any entity subject to an active FTC consent order, SEC enforcement action, or state attorney general cybersecurity-related action is ineligible for active listing until the matter is resolved. This boundary applies to firms and to named individual practitioners listed under their own credentials.

