Cybersecurity Directory: Purpose and Scope

The national cybersecurity service landscape spans federal agencies, private contractors, regulatory bodies, standards organizations, and sector-specific compliance programs — a complex ecosystem that professionals, procurement officers, and researchers must navigate without a unified public reference. This directory maps that landscape by cataloging the organizations, frameworks, regulations, and professional categories that define cybersecurity practice and governance in the United States. Coverage extends from federal mandates under FISMA and CIRCIA to sector-specific programs addressing healthcare, energy, and financial infrastructure. The scope is national, with particular depth in federally regulated industries and critical infrastructure sectors.


What Is Included

This directory covers the structured categories of the US cybersecurity sector as they exist across regulatory, professional, and operational dimensions. Entries fall into five primary classification groups:

  1. Regulatory and statutory frameworks — federal laws, executive orders, and agency-issued mandates that establish enforceable cybersecurity requirements. This includes cybersecurity executive orders, the US Cybersecurity Regulatory Framework, and sector-specific rulemaking from agencies such as HHS, FERC, and the SEC.

  2. Federal agencies and programs — civilian, defense, and intelligence-community bodies with direct cybersecurity missions. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) represent distinct agency types: CISA operates as a civilian coordination hub, while NSA's cybersecurity directorate focuses on national security systems under Title 10 and Title 50 authority.

  3. Standards and compliance frameworks — published technical and procedural standards from bodies including NIST, ISO, and the Payment Card Industry Security Standards Council (PCI SSC). The NIST Cybersecurity Framework, currently at version 2.0, and NIST SP 800-53 Rev 5 are referenced as foundational control catalogs across federal and contractor environments.

  4. Workforce, certification, and credentialing programs — professional certifications (CISSP, CISM, Security+), federal workforce initiatives under the NICE Framework (NIST SP 800-181), and federal cybersecurity grant programs that fund state and local workforce development.

  5. Threat landscape and incident reporting structures — coverage of the national cyber threat landscape, including ransomware, nation-state actors, and supply chain risks, alongside the reporting obligations established by CIRCIA and sector-specific regulators.


How Entries Are Determined

Inclusion in this directory is governed by three criteria applied consistently across all entry categories.

Regulatory or statutory basis: An entry qualifies if it is established by, or directly referenced in, federal statute, presidential directive, agency rulemaking, or an internationally recognized standards body publication. Commercially branded products and services without a regulatory anchor are outside scope.

Sector relevance and coverage breadth: Priority is given to frameworks, agencies, and programs that affect two or more critical infrastructure sectors as defined by Presidential Policy Directive 21 (PPD-21), which designates 16 critical infrastructure sectors. Sector-specific entries — such as energy sector cybersecurity or healthcare cybersecurity — are included when a distinct regulatory or operational framework governs that sector separately from general federal requirements.

Public accessibility of source material: Entries reference publicly available documents, agency guidance, or open regulatory filings. Classified programs, proprietary frameworks, and vendor-specific methodologies without a public standards analog are excluded.

This approach distinguishes the directory from a vendor marketplace or procurement database. The Cybersecurity Maturity Model Certification (CMMC) program, for example, appears as a regulatory framework entry — not as a listing of individual CMMC third-party assessment organizations (C3PAOs), which are cataloged separately under the cybersecurity listings section.


Geographic Coverage

Coverage is national in scope, encompassing federal law, multistate regulatory programs, and interstate infrastructure frameworks. The 50 states plus the District of Columbia each maintain independent cybersecurity statutes, breach notification laws, and in some cases dedicated cybersecurity offices — all of which are indexed under state cybersecurity laws overview and data breach notification laws (US).

Federal entries apply uniformly across jurisdictions unless a specific exemption or carveout exists in statute. State-level entries are indexed by jurisdiction and cross-referenced with any federal preemption provisions. As of the 118th Congress, no single federal data breach notification statute has preempted state law, leaving a patchwork of 50-plus distinct notification regimes — a structural condition that cyber incident reporting requirements documentation addresses in detail.

Territorial and tribal nation cybersecurity programs, including those funded through CISA's Tribal Cybersecurity Grant Program, are represented where public program documentation exists.


How to Use This Resource

This directory is structured for three primary user types: compliance and legal professionals verifying regulatory obligations, security practitioners identifying applicable frameworks or certifications, and researchers mapping the institutional structure of US cybersecurity governance.

Navigating by regulatory obligation begins with the US Cybersecurity Regulatory Framework overview, which organizes federal requirements by sector and agency authority. From there, sector-specific pages — such as financial sector cybersecurity or OT/ICS cybersecurity — provide discrete regulatory stacks relevant to each environment.

Navigating by professional domain begins with the cybersecurity certifications guide or cybersecurity workforce national overview, both of which map credential categories to job role classifications under the NICE Framework.

Navigating by threat or risk topic begins with the national cyber threat landscape index, which links to specific threat categories including election security, ransomware, and nation-state activity.

Terminology used throughout the directory follows definitions published by NIST in the NIST Cybersecurity Framework and CNSSI 4009 (Committee on National Security Systems Instruction). Where terms carry distinct meanings across frameworks, the cybersecurity glossary documents the variance explicitly.
