Cybersecurity Directory: Purpose and Scope
The national cybersecurity service landscape spans federal agencies, private contractors, regulatory bodies, standards organizations, and sector-specific compliance programs — a complex ecosystem that professionals, procurement officers, and researchers must navigate without a unified public reference. This directory maps that landscape by cataloging the organizations, frameworks, regulations, and professional categories that define cybersecurity practice and governance in the United States. Coverage extends from federal mandates under FISMA and CIRCIA to sector-specific programs addressing healthcare, energy, and financial infrastructure. The scope is national, with particular depth in federally regulated industries and critical infrastructure sectors.
What Is Included
This directory covers the structured categories of the US cybersecurity sector as they exist across regulatory, professional, and operational dimensions. Entries fall into five primary classification groups:
- Regulatory and statutory frameworks — federal laws, executive orders, and agency-issued mandates that establish enforceable cybersecurity requirements. This includes cybersecurity executive orders, the US Cybersecurity Regulatory Framework, and sector-specific rulemaking from agencies such as HHS, FERC, and the SEC.
- Federal agencies and programs — civilian, defense, and intelligence-community bodies with direct cybersecurity missions. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) represent distinct agency types: CISA operates as a civilian coordination hub, while NSA's cybersecurity directorate focuses on national security systems under Title 10 and Title 50 authority.
- Standards and compliance frameworks — published technical and procedural standards from bodies including NIST, ISO, and the Payment Card Industry Security Standards Council (PCI SSC). The NIST Cybersecurity Framework, currently at version 2.0, and NIST SP 800-53 Rev 5 are referenced as foundational control catalogs across federal and contractor environments.
- Workforce, certification, and credentialing programs — professional certifications (CISSP, CISM, Security+), federal workforce initiatives under the NICE Framework (NIST SP 800-181), and federal cybersecurity grant programs that fund state and local workforce development.
- Threat landscape and incident reporting structures — coverage of the national cyber threat landscape, including ransomware, nation-state actors, and supply chain risks, alongside the reporting obligations established by CIRCIA and sector-specific regulators.
How Entries Are Determined
Inclusion in this directory is governed by three criteria applied consistently across all entry categories.
Regulatory or statutory basis: An entry qualifies if it is established by, or directly referenced in, federal statute, presidential directive, agency rulemaking, or an internationally recognized standards body publication. Commercially branded products and services without a regulatory anchor are outside scope.
Sector relevance and coverage breadth: Priority is given to frameworks, agencies, and programs that affect two or more critical infrastructure sectors as defined by Presidential Policy Directive 21 (PPD-21), which designates 16 critical infrastructure sectors. Sector-specific entries — such as energy sector cybersecurity or healthcare cybersecurity — are included when a distinct regulatory or operational framework governs that sector separately from general federal requirements.
Public accessibility of source material: Entries reference publicly available documents, agency guidance, or open regulatory filings. Classified programs, proprietary frameworks, and vendor-specific methodologies without a public standards analog are excluded.
This approach distinguishes the directory from a vendor marketplace or procurement database. The Cybersecurity Maturity Model Certification (CMMC) program, for example, appears as a regulatory framework entry — not as a listing of individual CMMC third-party assessment organizations (C3PAOs), which are cataloged separately under the cybersecurity listings section.
Geographic Coverage
Coverage is national in scope, encompassing federal law, multistate regulatory programs, and interstate infrastructure frameworks. The 50 states plus the District of Columbia each maintain independent cybersecurity statutes, breach notification laws, and in some cases dedicated cybersecurity offices — all of which are indexed under state cybersecurity laws overview and data breach notification laws (US).
Federal entries apply uniformly across jurisdictions unless a specific exemption or carve-out exists in statute. State-level entries are indexed by jurisdiction and cross-referenced with any federal preemption provisions. As of the 118th Congress, no single federal data breach notification statute has preempted state law, leaving a patchwork of 50-plus distinct notification regimes — a structural condition that the cyber incident reporting requirements documentation addresses in detail.
Territorial and tribal nation cybersecurity programs, including those funded through CISA's Tribal Cybersecurity Grant Program, are represented where public program documentation exists.
How to Use This Resource
This directory is structured for three primary user types: compliance and legal professionals verifying regulatory obligations, security practitioners identifying applicable frameworks or certifications, and researchers mapping the institutional structure of US cybersecurity governance.
Navigating by regulatory obligation begins with the US Cybersecurity Regulatory Framework overview, which organizes federal requirements by sector and agency authority. From there, sector-specific pages — such as financial sector cybersecurity or OT/ICS cybersecurity — provide discrete regulatory stacks relevant to each environment.
Navigating by professional domain begins with the cybersecurity certifications guide or cybersecurity workforce national overview, both of which map credential categories to job role classifications under the NICE Framework.
Navigating by threat or risk topic begins with the national cyber threat landscape index, which links to specific threat categories including election security, ransomware, and nation-state activity.
Terminology used throughout the directory follows definitions published by NIST in the NIST Cybersecurity Framework and CNSSI 4009 (Committee on National Security Systems Instruction). Where terms carry distinct meanings across frameworks, the cybersecurity glossary documents the variance explicitly.
References
- Cybersecurity and Infrastructure Security Agency (CISA) — Federal civilian agency coordinating national cybersecurity and critical infrastructure protection efforts.
- National Security Agency – Cybersecurity Directorate — NSA component focused on cybersecurity of national security systems under Title 10 and Title 50 authority.
- NIST Cybersecurity Framework (CSF 2.0) — NIST's voluntary framework providing standards, guidelines, and best practices for managing cybersecurity risk.
- NIST SP 800-53 Rev 5 — NIST special publication providing a catalog of security and privacy controls for federal information systems and organizations.
- NIST SP 800-181 Rev 1 – NICE Workforce Framework for Cybersecurity — Framework establishing a common taxonomy and lexicon for the cybersecurity workforce.
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) — Federal statute establishing mandatory cyber incident reporting requirements for critical infrastructure sectors.
- Federal Information Security Modernization Act (FISMA) — Federal law establishing cybersecurity requirements for federal agencies and their contractors.
- HHS – HIPAA Security Rule — HHS regulatory framework establishing cybersecurity requirements for healthcare entities.
- Federal Energy Regulatory Commission (FERC) – Cybersecurity — FERC cybersecurity oversight and rulemaking for the energy sector, including coordination with NERC CIP standards.
- U.S. Securities and Exchange Commission – Cybersecurity — SEC cybersecurity disclosure rules and rulemaking applicable to publicly traded companies and financial infrastructure.