Security Directory: Purpose and Scope

The National Security Authority directory catalogs cybersecurity service providers, consultancies, managed security service providers (MSSPs), and related professional firms operating within the United States. Entries span organizational types, service specializations, and credential levels across the full US national market. The directory is structured to serve procurement professionals, agency contracting officers, compliance teams, and independent researchers who need reliable, structured access to the security services sector. Coverage is organized around established regulatory frameworks, recognized credentialing standards, and verified professional categories.

How entries are determined

Entry determination follows a structured qualification process grounded in the regulatory and credentialing standards that govern the US cybersecurity services market. The cybersecurity sector is subject to oversight from multiple federal bodies — including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) — and entry criteria reflect the compliance frameworks these bodies publish.

Qualifying organizations are assessed against 4 primary categories of criteria:

  1. Licensure and registration — State-level business registration, applicable professional licensing (e.g., private investigator statutes for certain security firms), and federal contractor registration through the System for Award Management (SAM.gov) where relevant.
  2. Credential verification — Staff or organizational credentials aligned to recognized bodies such as (ISC)², ISACA, CompTIA, or EC-Council. Firms holding ISO/IEC 27001 certification or operating under NIST SP 800-53 Rev. 5 compliance frameworks receive classification priority.
  3. Service scope documentation — Publicly documented service categories including penetration testing, incident response, security operations center (SOC) management, risk assessment, and compliance consulting.
  4. Geographic service footprint — Confirmation of US national service delivery capability, whether through distributed office presence, remote service delivery, or federal contracting scope.

Listings that do not meet the minimum threshold across these 4 categories are excluded from the Security Listings index pending re-evaluation.

Geographic coverage

The directory covers the United States at national scope, with entries organized to reflect the federal, state, and regional structure of the US cybersecurity market. Service providers are indexed by primary state of incorporation and by declared service delivery regions.

Federal contractors operating under the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity provisions — particularly DFARS 252.204-7012, which mandates adequate security safeguards for covered defense information — form a distinct subcategory within the national directory. These firms are differentiated from commercial-only providers because their qualification requirements, audit obligations, and contractual frameworks differ substantially.

State-level variation is material in this sector. California's Consumer Privacy Act (CCPA), Texas's Identity Theft Enforcement and Protection Act, and New York's SHIELD Act each impose distinct compliance obligations on security firms operating in those jurisdictions. The directory classifies firms by their declared compliance jurisdictions to allow users to filter by applicable state law environments.

The directory does not restrict geographic coverage by metropolitan area or region — the full US national market is in scope, including territories where federal cybersecurity frameworks apply.

How to use this resource

The Security Listings index is the primary access point for browsing and filtering the directory. Entries are classified by service category, organizational type, credential level, and geographic service footprint, supporting targeted searches rather than general browsing.

Professionals using this directory for vendor evaluation should treat the listing structure as a starting point for due diligence rather than a substitute for it. Entry into the directory confirms that a firm meets baseline documentation and credential criteria; it does not constitute endorsement or independently verify current operational status.

Procurement teams working within federal acquisition frameworks should cross-reference directory listings against SAM.gov registration status and, where applicable, against the CISA-maintained list of approved cybersecurity services and the NSA's Commercial Solutions for Classified (CSfC) Components List. The How to Use This Security Resource page provides a structured walkthrough of the filtering and evaluation workflow specific to this directory.

Researchers using the directory for market analysis can apply credential and service-scope filters to map the density and distribution of US cybersecurity service capacity by category.

Standards for inclusion

Inclusion standards are calibrated against the frameworks that define professional legitimacy in the US cybersecurity services market. Two contrasting inclusion pathways exist — one for commercially oriented firms and one for government-aligned providers — and the classification boundaries between them shape how entries appear in the directory.

Commercial cybersecurity firms qualify primarily through credential documentation, service scope transparency, and state business registration. A firm offering penetration testing services, for example, must demonstrate that staff hold at least one active certification from a recognized body — (ISC)²'s CISSP, ISACA's CISM, or Offensive Security's OSCP are accepted benchmarks — and must provide documented service scope that maps to recognizable NIST Cybersecurity Framework (NIST CSF 2.0) function categories: Identify, Protect, Detect, Respond, or Recover.

Government-aligned and federal contractor firms face additional inclusion criteria: active SAM.gov registration, demonstrated familiarity with CMMC (Cybersecurity Maturity Model Certification) requirements as administered by the Department of Defense, and where applicable, FedRAMP authorization status for cloud-based service offerings.

Firms that operate exclusively in physical security — access control hardware installation, guard services, alarm monitoring — without a documented cybersecurity service component do not qualify under this directory's vertical scope. The boundary between physical and cyber security services is defined by whether the firm's documented scope includes network, endpoint, identity, or data security functions as outlined in NIST SP 800-53.

Entries are subject to periodic re-verification. Firms that allow credential documentation to lapse, that lose SAM.gov registration status, or that materially alter their declared service scope may be reclassified or removed from the Security Listings index. The full standards applied to this process are described on the Security Directory Purpose and Scope reference page.
