Contact

The contact section of the National Security Authority cybersecurity reference network provides structured guidance for researchers, industry professionals, regulatory staff, and service-sector participants who need to direct inquiries, submission requests, or listing-related communications to the appropriate channel. This page identifies the categories of inbound communication this office handles, the information required for a complete submission, and the geographic and subject-matter boundaries of the service area. Inquiries falling outside those boundaries are redirected to the relevant federal or sector-specific body.

Additional contact options

The cybersecurity reference sector spans multiple regulatory frameworks, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and sector-specific authorities operating under statutes such as the Federal Information Security Modernization Act (FISMA) and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Depending on the nature of an inquiry, the appropriate point of contact may not be this office.

Professionals seeking regulatory guidance on compliance frameworks should consult NIST Cybersecurity Framework documentation published at csrc.nist.gov or contact CISA directly through its official intake portals at cisa.gov/report. Incident reporting obligations under CIRCIA route to CISA's 24-hour Operations Center, reachable at (888) 282-0870, as published by CISA.

For matters involving the Department of Defense contractor supply chain, the Cybersecurity Maturity Model Certification (CMMC) program operates through the Cyber AB (formerly the CMMC Accreditation Body) at cyberab.org — a distinct channel from this reference network. Questions about federal cybersecurity agencies more broadly, including NSA's cybersecurity mission, should be directed to those agencies' published public contact points.

Listing corrections, data accuracy disputes, or classification change requests for entries within the cybersecurity listings directory are handled through this office's editorial intake process, described below.

How to reach this office

This office handles four defined categories of inbound communication:

1. Listing submissions — Requests to add a qualifying cybersecurity service provider, firm, or public-sector entity to the reference directory, subject to the qualification criteria outlined in cybersecurity directory purpose and scope.
2. Listing corrections — Factual disputes, outdated information, or misclassification flags for existing directory entries.
3. Editorial and research inquiries — Requests from journalists, academic researchers, policy analysts, or government staff seeking clarification on directory methodology, source citations, or sector classification frameworks.
4. Regulatory reference questions — Questions about where a specific compliance topic, such as state cybersecurity laws or cyber incident reporting requirements, is addressed within the network's reference structure.

Communications in these four categories are accepted through the primary contact form linked in the site template. General cybersecurity technical support, incident response engagement, or law enforcement reporting fall outside this office's scope and should be directed to CISA, the FBI's Internet Crime Complaint Center (IC3) at ic3.gov, or sector-specific regulators.

Response timelines for listing submissions average 5 to 10 business days. Editorial and research inquiries involving complex classification questions may require up to 15 business days depending on source verification requirements.

Service area covered

This reference network operates at national scope, covering cybersecurity service providers, regulatory frameworks, threat intelligence categories, and workforce qualification standards operating within or directly affecting the United States. The geographic boundary is the 50 states plus U.S. territories where federal cybersecurity statutes apply.

The subject-matter scope includes:

• Federal regulatory frameworks (FISMA, CIRCIA, executive orders governing cybersecurity)
• Critical infrastructure sectors as defined by Presidential Policy Directive 21 (PPD-21), which designates 16 critical infrastructure sectors under DHS/CISA oversight
• State-level cybersecurity laws and breach notification statutes across all 50 states, catalogued in data breach notification laws
• Workforce and certification standards, including those administered by bodies such as (ISC)², CompTIA, and ISACA, referenced in cybersecurity certifications guide
• Emerging federal architecture mandates, including zero trust architecture requirements under Office of Management and Budget (OMB) Memorandum M-22-09

Inquiries related to international cybersecurity frameworks — such as the EU's NIS2 Directive or ISO/IEC 27001 compliance programs outside U.S. jurisdiction — fall outside the primary scope of this office. Cross-border matters with a U.S. nexus (such as multinational firms subject to both CMMC and foreign equivalent standards) may be addressed within the directory where a clear U.S. regulatory dimension exists.

What to include in your message

Incomplete submissions generate processing delays. The following information should accompany every inbound communication, categorized by request type.

For listing submissions:
- Legal name of the organization or individual practitioner
- Primary business address and state of operation
- NAICS code or equivalent sector classification (e.g., NAICS 541512 — Computer Systems Design Services)
- Applicable certifications or accreditations held (e.g., FedRAMP authorization status, CMMC level, SOC 2 Type II attestation)
- Named regulatory frameworks under which the entity operates (e.g., HIPAA Security Rule for healthcare cybersecurity providers, NERC CIP for energy sector entities)

For listing corrections:
- The specific directory entry URL or name in question
- The factual error identified, with a citation to a named public source supporting the correction
- Contact information for follow-up verification

For editorial and research inquiries:
- Institutional affiliation (if applicable)
- The specific topic, page, or classification methodology under inquiry
- Intended publication or use context, where relevant to determining appropriate scope of response

For regulatory reference questions:
- The statute, framework, or agency in question
- The specific aspect of the US cybersecurity regulatory framework that is unclear or requires cross-referencing

Messages submitted without the applicable fields listed above will be returned for completion before processing begins. Submissions involving cybersecurity information sharing arrangements or public-private partnerships with government entities may require additional verification of organizational standing before listing placement proceeds.