Cybersecurity Directory: Purpose and Scope
The cybersecurity services sector spans thousands of licensed firms, certified practitioners, managed service providers, and specialized consultancies operating under a fragmented but increasingly codified regulatory environment. This directory provides a structured reference to that service landscape, organized by provider category, certification standing, and service scope. The listings cover organizations operating under frameworks established by bodies including the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Committee on National Security Systems (CNSS). For researchers, procurement officers, and security program managers navigating vendor selection or compliance obligations, the Security Systems Listings page provides the primary index of categorized providers.
How to use this resource
This directory functions as a structured reference index, not a ranked marketplace or endorsement registry. Entries are organized by service category and cross-referenced against publicly documented qualification standards. The directory supports three primary use cases:
- Provider identification — locating firms or practitioners that hold specific certifications (e.g., FedRAMP authorization, CMMC Level 2 or Level 3 assessment credentials, or SOC 2 Type II attestation) relevant to a given procurement or compliance context.
- Regulatory alignment mapping — matching service provider capabilities to specific framework requirements, including NIST SP 800-53 control families, NIST SP 800-171 for Controlled Unclassified Information (CUI) environments, or CISA's Cross-Sector Cybersecurity Performance Goals.
- Credential verification support — identifying organizations whose stated qualifications can be checked against public registries such as the FedRAMP Marketplace or the assessor registry maintained by the Cyber AB (formerly the CMMC Accreditation Body).
Entries do not constitute procurement recommendations. The How to Use This Security Systems Resource page provides detailed guidance on interpreting listing fields, certification codes, and scope designations.
Standards for inclusion
Inclusion in this directory requires that a listed entity meet at least one of the following documented qualification thresholds:
- Active federal authorization or assessment credential — FedRAMP authorization, an Authorization to Operate (ATO) issued by a federal agency for a system the entity operates or directly supports, or listing in the CMMC Third-Party Assessment Organization (C3PAO) registry maintained by the Cyber AB.
- Recognized third-party certification — ISO/IEC 27001 certification from an accredited certification body, SOC 2 Type II report issued by a licensed CPA firm under AICPA attestation standards, or PCI DSS Level 1 Service Provider validation.
- State or federal licensing or contractual compliance where applicable — private security firm licensing required under applicable state statutes (many states maintain distinct licensing schemes for security contractors), or a documented compliance posture under DFARS 252.204-7012, the clause that imposes safeguarding and cyber incident reporting requirements on covered contractor information systems (DFARS 7012 is a contract clause, not a registration; compliance is evidenced by an implemented NIST SP 800-171 program and the associated assessment record rather than by enrollment in a registry).
- Documented sector-specific compliance standing — HIPAA Business Associate Agreement (BAA) capacity for healthcare IT providers, or demonstrated alignment with NERC CIP standards for entities serving electric utility environments.
A critical distinction governs inclusion boundaries: product vendors (hardware manufacturers, software publishers) are listed separately from service providers (managed security service providers, incident response firms, penetration testing consultancies, and compliance assessors). These two categories operate under different qualification standards and serve different procurement pathways. Conflating them produces misaligned vendor shortlists — a recognized failure mode in federal and critical infrastructure procurement documented in GAO reporting on IT acquisition.
How the directory is maintained
Directory records are reviewed against public registries on a structured cycle. Certification statuses — particularly FedRAMP authorizations, CMMC C3PAO listings, and ISO/IEC 27001 certificates — carry defined expiration or re-assessment windows. FedRAMP authorizations, for example, require an annual assessment by a Third Party Assessment Organization (3PAO) under FedRAMP's continuous monitoring requirements, which are modeled on the information security continuous monitoring guidance in NIST SP 800-137. ISO/IEC 27001 certificates carry a 3-year validity period with mandatory surveillance audits at 12-month intervals and a full recertification audit before the certificate expires. A listing whose underlying credential has lapsed is therefore only as current as the most recent review against the issuing registry.
Updates are triggered by four conditions:
- Expiration or withdrawal of a listed certification
- Changes to a provider's scope of services or geographic operating area
- Regulatory actions, debarment proceedings, or public enforcement notices from agencies including the FTC, HHS Office for Civil Rights, or DoD
- Verified additions from the Cyber AB assessor registry, FedRAMP Marketplace, or equivalent authoritative public source
Listing disputes or corrections are directed through the process described on the Security Systems Directory Purpose and Scope reference page, which outlines evidentiary requirements for record amendments.
What the directory does not cover
The directory's scope is bounded by service category, qualification standing, and operational sector. The following fall outside current listing criteria:
- Academic and research institutions — university cybersecurity programs, federally funded research and development centers (FFRDCs), and think tanks are not listed as service providers, even where they publish frameworks used in commercial practice.
- Unverified or self-attested claims — entities whose only qualification evidence is a self-published compliance checklist or vendor-issued certification without third-party attestation do not meet inclusion standards.
- International providers without US operational presence — firms headquartered outside the United States that do not maintain a documented US operating entity, FedRAMP authorization, or DFARS compliance posture are excluded from national scope listings.
- Consumer-facing security products — antivirus software publishers, consumer VPN services, and retail identity protection products occupy a distinct market segment governed by FTC consumer protection standards rather than the B2B and government procurement frameworks that define this directory's scope.
- Threat intelligence data brokers — organizations that aggregate and resell threat feeds without providing managed security services, assessments, or implementation support fall outside the service-provider classification used here.
The boundary between a managed security service provider (MSSP) and a pure software-as-a-service (SaaS) security vendor is a recurring classification question. The operative distinction applied here is whether the entity provides human-delivered security functions — monitoring, incident response, advisory, or assessment — versus automated tooling alone. Entities providing both are listed under the service-provider category with product affiliations noted.