Contact

InfoSec Authority operates as a national-scope cybersecurity provider network and reference resource covering service providers, practitioners, and regulatory frameworks across the United States. This page describes the scope of inquiries the provider network handles, what information to include when reaching out, how responses are structured, and what alternative channels exist for specific request types. Accurate intake information accelerates routing and reduces back-and-forth on submissions tied to providers, editorial questions, or data corrections.

Service area covered

InfoSec Authority covers the United States cybersecurity services sector at a national level, indexing providers and practitioners across the full spectrum of information security disciplines. The provider network spans the following classification domains:

1. Managed Security Services (MSS) — organizations providing outsourced monitoring, detection, and incident response functions, typically aligned with frameworks published by NIST, such as the NIST Cybersecurity Framework (CSF)
2. Penetration Testing and Vulnerability Assessment — firms and practitioners conducting adversarial testing under scoped rules of engagement, subject to professional standards including those referenced by the Cybersecurity and Infrastructure Security Agency (CISA)
3. Compliance and Audit Services — providers operating under regulatory regimes including HIPAA (administered by the HHS Office for Civil Rights), the FTC Safeguards Rule (16 CFR Part 314), and the FFIEC IT Examination Handbook
4. Identity and Access Management (IAM) — vendors and integrators offering authentication, privileged access, and provider network services solutions
5. Security Awareness and Training — providers delivering workforce programs referenced under standards such as NIST SP 800-50
6. Incident Response and Digital Forensics — firms providing post-breach investigation, evidence handling, and remediation services

Inquiries outside the US cybersecurity services sector — including requests related to international regulatory jurisdictions, non-cybersecurity IT services, or general technology consulting without a security mandate — fall outside the provider network's documented scope and may not receive a substantive response.

The provider network does not provide legal advice, compliance determinations, or regulatory guidance. Questions involving specific legal obligations under statutes such as HIPAA, GLBA, or state breach notification laws should be directed to qualified legal counsel or the relevant regulatory body.

What to include in your message

Complete intake information is the single most important factor in processing speed. Incomplete submissions are held pending clarification, which delays all downstream steps.

For provider submissions or updates, include:

• Applicable certifications or credentials (e.g., ISO/IEC 27001 certification, SOC 2 Type II attestation, CISA-recognized designations)

For editorial or data correction requests, include:

For research or data licensing inquiries, include:

Submissions without a verifiable business email address — including those using free consumer webmail domains unconnected to a registered business entity — are deprioritized in the processing queue.

Response expectations

The provider network operates on a structured triage model. Provider submissions with complete documentation are reviewed on a rolling basis. Editorial corrections tied to a specific named public source are typically addressed faster than general content feedback, because the verification step is reduced when the source is already identified.

Response timeframes by request type:

• Provider submissions (complete): Initial acknowledgment as processing allows; editorial decision as processing allows
• Data corrections with source citation: Review as processing allows
• Research or licensing inquiries: Initial response as processing allows; substantive response timeline varies by scope
• General questions: Addressed as capacity allows; no guaranteed processing period

Submissions that require legal interpretation — such as whether a specific provider qualifies as a HIPAA Business Associate under 45 CFR § 160.103, or whether a service falls within CISA's defined critical infrastructure sectors — are outside the scope of provider network editorial staff and will not receive a regulatory determination.

Additional contact options

For certain request types, named external bodies are the appropriate first contact rather than the provider network itself.

• Regulatory complaints or enforcement inquiries involving HIPAA violations should be directed to the HHS Office for Civil Rights
• Cybersecurity incident reporting for critical infrastructure operators is handled by CISA's 24/7 Operations Center
• FTC Safeguards Rule compliance questions are addressed through the Federal Trade Commission's Bureau of Consumer Protection
• NIST framework clarifications are published through the NIST Computer Security Resource Center (CSRC)

The InfoSec Providers section of this provider network contains the complete, browsable index of verified providers. The page documents the editorial criteria and classification methodology used to structure the provider network. Researchers seeking to understand how the resource is organized should consult How to Use This InfoSec Resource before submitting a data inquiry, as it addresses the most common structural questions without requiring a direct exchange.

References

• 16 CFR Part 314
• CISA's 24/7 Operations Center
• Cybersecurity and Infrastructure Security Agency (CISA)
• FFIEC IT Examination Handbook
• Federal Trade Commission's Bureau of Consumer Protection
• HHS Office for Civil Rights
• HHS Office for Civil Rights
• NIST Computer Security Resource Center (CSRC)
• NIST Cybersecurity Framework (CSF)
• NIST SP 800-50
• ISO/IEC 27001