How to Use This Cybersecurity Resource
The national cybersecurity landscape encompasses a dense network of federal agencies, regulatory frameworks, compliance mandates, sector-specific requirements, and workforce standards — all of which interact across public and private sector boundaries. This reference covers the structure of that landscape, from foundational statutory authorities such as FISMA to sector-level obligations in healthcare, energy, and finance. The scope is national, with an emphasis on how institutions, practitioners, and researchers can locate relevant regulatory bodies, service categories, and authoritative standards within a single structured reference. Understanding how this resource is organized is the fastest path to the specific information relevant to a given professional context.
Purpose of this resource
This reference functions as a structured index of the U.S. cybersecurity service sector — organized around regulatory authority, professional categories, compliance standards, and threat domains rather than marketing or commercial rankings. The cybersecurity directory purpose and scope section defines the full boundary of coverage.
The cybersecurity sector in the United States operates under a layered framework. At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DoD) each carry distinct mandates. NIST's Cybersecurity Framework (CSF), now in version 2.0, provides a voluntary but widely adopted baseline across 16 critical infrastructure sectors as designated under Presidential Policy Directive 21. CISA's statutory authority derives from the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278). These are not background details — they are the structural coordinates that define which regulations apply to which organizations.
The resource catalogs both mandatory compliance domains (such as the Cybersecurity Maturity Model Certification for DoD contractors) and voluntary frameworks (such as the NIST Cybersecurity Framework), making the distinction between regulatory obligation and best-practice guidance explicit at every entry.
Intended users
Three primary professional categories navigate this resource with distinct objectives:
- Compliance and legal professionals — Attorneys, GRC analysts, and compliance officers searching for the regulatory instruments that apply to their organization's sector. Relevant anchors include sector-specific cybersecurity regulations, state cybersecurity laws overview, and cyber incident reporting requirements.
- Cybersecurity practitioners and vendors — Security engineers, managed service providers, and technology vendors assessing how federal standards such as zero-trust architecture mandates (per OMB Memorandum M-22-09) or cloud security national standards affect technical implementation or service offerings.
- Researchers, policy analysts, and procurement officials — Those mapping the threat environment, reviewing public-private partnership structures, or evaluating federal grant programs. Entries covering supply chain cybersecurity risks, cybersecurity public-private partnerships, and cybersecurity grants and federal programs serve this segment directly.
Academic institutions and workforce development bodies also reference the cybersecurity workforce national and cybersecurity certifications guide sections when assessing NICE Framework alignment or hiring standards.
How to navigate
The resource is organized into five functional zones, each addressing a distinct layer of the cybersecurity landscape:
- Regulatory and statutory framework — Covers federal law, executive orders, and agency mandates. Starting points: US cybersecurity regulatory framework, federal cybersecurity agencies, and cybersecurity executive orders.
- Sector-specific obligations — Covers vertical regulatory regimes including HIPAA for healthcare, NERC CIP for the energy sector, and GLBA/DORA considerations for financial institutions. See healthcare cybersecurity national, energy sector cybersecurity, and financial sector cybersecurity.
- Threat landscape and incident categories — Covers nation-state actors, ransomware, and supply chain vectors as classified by CISA and the Office of the Director of National Intelligence (ODNI). See national cyber threat landscape and nation-state cyber threats.
- Technical and architectural standards — Covers NIST SP 800-series publications, zero-trust architecture requirements, OT/ICS-specific controls, and cloud security baselines. See zero-trust architecture federal and OT/ICS cybersecurity.
- Workforce, certification, and awareness — Covers NICE Framework job categories, DoD 8140 certification requirements, and CISA-led awareness programs. See cybersecurity certifications guide and national cybersecurity awareness programs.
Regulatory vs. framework entries — a key distinction:
Regulatory entries (FISMA, CMMC, CIRCIA) describe mandatory obligations with enforcement mechanisms and penalty structures. Framework entries (NIST CSF, ISO/IEC 27001) describe voluntary or contractually referenced standards without direct federal enforcement authority. Conflating these two categories is one of the most common errors in compliance planning. Each entry in this reference explicitly identifies which category applies.
What to look for first
The entry point depends on organizational context:
- Federal agencies and contractors: Begin with FISMA and CMMC, then cross-reference DoD cybersecurity requirements.
- Critical infrastructure operators: Begin with critical infrastructure protection and the sector-specific entry relevant to the organization's primary vertical.
- Organizations assessing incident reporting obligations: The CIRCIA overview covers the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which established 72-hour reporting requirements for covered entities — rulemaking was assigned to CISA under that statute.
- Service providers and vendors: The cybersecurity listings section catalogs active service categories, qualification standards, and regulatory touchpoints relevant to market participation.
- Data breach legal obligations: Data breach notification laws (US) catalogs the 50-state patchwork alongside federal sector-specific requirements.
The cybersecurity glossary resolves terminology conflicts across frameworks — a practical first stop when a term carries different definitions under NIST, CISA, and DoD usage simultaneously.
References
- Cybersecurity and Infrastructure Security Agency (CISA) — Lead federal agency for cybersecurity and critical infrastructure protection; statutory authority established under Public Law 115-278.
- NIST Cybersecurity Framework (CSF) — Voluntary framework developed by the National Institute of Standards and Technology providing baseline cybersecurity practices across critical infrastructure sectors; current version 2.0.
- NIST Computer Security Resource Center (CSRC) — Repository of NIST cybersecurity standards, guidelines, and special publications including the SP 800 series.
- Presidential Policy Directive 21 (PPD-21) — Federal directive designating 16 critical infrastructure sectors and assigning sector-specific agency responsibilities.
- Federal Information Security Modernization Act (FISMA) — Foundational federal statute establishing cybersecurity requirements for federal agencies and contractors.
- Cybersecurity Maturity Model Certification (CMMC) — Department of Defense program establishing mandatory cybersecurity compliance requirements for DoD contractors.
- U.S. Department of Health and Human Services — HIPAA — Federal regulatory framework governing cybersecurity and privacy requirements in the healthcare sector.
- Federal Energy Regulatory Commission (FERC) — Federal agency overseeing cybersecurity compliance in the energy sector, including NERC CIP standards enforcement.
- NERC Critical Infrastructure Protection (CIP) Standards — Mandatory reliability and cybersecurity standards for the bulk electric system in North America.
- Federal Financial Institutions Examination Council (FFIEC) — Cybersecurity Resources — Interagency body providing cybersecurity examination guidance and resources for financial sector institutions.