Cybersecurity Listings
The cybersecurity listings in this directory represent organizations, service providers, regulatory bodies, and professional certification programs operating within the United States data protection and cybersecurity sector. Each entry is structured to support service seekers, procurement officers, compliance professionals, and researchers locating specific types of cybersecurity expertise or oversight authority. The scope spans federal regulatory frameworks, state-level enforcement bodies, and private-sector service categories governed by standards issued by agencies including NIST, CISA, and the FTC. Understanding how these listings are organized and what they include — and exclude — determines how efficiently a user can navigate to the correct category of information or provider.
What each listing covers
Listings in this directory correspond to one of four primary categories within the US cybersecurity and data protection service sector:
- Regulatory and enforcement bodies — federal and state agencies with statutory authority over data security, including the Federal Trade Commission (FTC) under 15 U.S.C. § 45, the Department of Health and Human Services Office for Civil Rights (OCR) under HIPAA, and state attorneys general enforcing laws such as the California Consumer Privacy Act as amended by CPRA.
- Certified service providers — organizations offering cybersecurity services whose practitioners hold credentials recognized by named standards bodies, including (ISC)² CISSP, ISACA CISM, CompTIA Security+, or those operating under CMMC (Cybersecurity Maturity Model Certification) requirements administered by the Department of Defense.
- Standards and framework references — published frameworks and technical standards that govern service delivery benchmarks, including NIST Privacy Framework, NIST SP 800-53 Rev 5, and ISO/IEC 27001.
- Sector-specific compliance programs — specialized service categories tied to regulated industries, such as healthcare cybersecurity and data protection, financial sector obligations under GLBA, and government agency data protection requirements under FISMA.
Each listing names the entity type, jurisdiction or geographic coverage, applicable regulatory standard, and a classification tag identifying which of these four categories the entry falls under.
Geographic distribution
Listings are distributed across national-scope and state-specific coverage zones. At the federal level, listings reflect the oversight authority of agencies such as CISA (Cybersecurity and Infrastructure Security Agency), the FTC, and the SEC — each operating under distinct statutory mandates with national jurisdiction.
At the state level, distribution reflects the uneven development of state data privacy law. As of 2023, 12 states had enacted comprehensive consumer data privacy laws, according to the National Conference of State Legislatures (NCSL). Listings covering state-specific compliance requirements — such as CCPA/CPRA compliance in California or state data privacy laws across the broader legislative landscape — are tagged with the applicable state jurisdiction.
Service provider listings are geographically indexed by primary service area. National-scope providers appear in the primary index; regionally concentrated firms are tagged with the states in which they hold active registration or licensure. Providers delivering services under federal contracts are listed separately under the DOD CMMC or FedRAMP authorization frameworks, which carry their own verification requirements independent of state-level licensing.
How to read an entry
Each listing entry follows a standardized structure designed for rapid professional reference rather than general-audience orientation. A complete entry includes:
- Entity name and type — legal name, with designation as regulatory body, service provider, standards body, or sector program
- Jurisdiction — federal, multi-state, or single-state, with named statute or regulatory authority where applicable
- Classification tag — one of the four primary categories described above
- Credential or authorization standard — the specific certification, accreditation, or regulatory authorization the entity holds (e.g., FedRAMP Authorization, CMMC Level 2, HITRUST CSF certification)
- Regulatory cross-reference — links to applicable statutory or framework references, such as data breach notification requirements, HIPAA data protection requirements, or third-party vendor data security obligations under applicable law
- Scope note — a brief description of what the entity covers and what it explicitly excludes from its mandate or service delivery
Entries do not include editorial ratings, comparative rankings, or performance assessments. The directory's function is structural identification, not evaluation.
What listings include and exclude
Included:
- US-domiciled cybersecurity service providers with verifiable credentials from named certification bodies
- Federal and state regulatory bodies with active statutory data protection mandates
- Published frameworks and standards with traceable public-domain documentation (NIST, CISA, FTC guidelines)
- Sector-specific compliance programs tied to regulated industries, including incident response and data breach services, data encryption standards compliance providers, and privacy impact assessment practitioners
Excluded:
- Foreign entities or multinational organizations whose primary regulatory authority is outside the United States
- Providers operating solely under self-attestation with no third-party credential verification from a named standards body
- Legal firms providing privacy law counsel — those fall under bar-regulated professional services, not cybersecurity service provider categories
- Products, software platforms, or technology vendors not associated with a named professional services classification
The directory does not cover data brokerage activity directly, though data broker regulation in the US is addressed in the framework reference section. Similarly, biometric data protection laws and employee data privacy protections appear as cross-referenced regulatory topics rather than as standalone listing categories, reflecting their function as compliance overlays across the primary four service classifications rather than independent service verticals.
Listings are drawn from publicly verifiable sources. They do not include entities subject to active, unresolved enforcement actions by the FTC, OCR, or state attorneys general with jurisdiction over data security practices, as documented in FTC data security enforcement records and agency enforcement databases.