How to Use This InfoSec Resource

InfoSec Authority is a structured reference directory covering the cybersecurity service sector, regulatory landscape, and professional discipline categories relevant to US organizations. This page describes how the directory is organized, how content is classified and maintained, and how distinct professional audiences can locate the most relevant material within it. The cybersecurity domain operates under overlapping obligations from federal bodies including NIST, CISA, FTC, HHS, and the Department of Defense's CMMC program office, making classification precision a functional requirement for any reference resource operating in this space.


How to Use Alongside Other Sources

InfoSec Authority is designed to function as a structured entry point and cross-reference layer — not as a replacement for primary regulatory or standards documents. Every substantive technical or regulatory claim on this site is traceable to a named public source. Where a specific figure or statutory requirement appears, the originating agency or document is named at the point of use.

The primary external authorities that govern the subject matter covered across this directory include:

  1. NIST (National Institute of Standards and Technology) — Cybersecurity Framework (CSF) 2.0, the SP 800 publication series including SP 800-53 Rev 5, and Identity and Access Management practice guides, all hosted at csrc.nist.gov
  2. CISA (Cybersecurity and Infrastructure Security Agency) — sector-specific advisories, the Known Exploited Vulnerabilities (KEV) catalog, and Zero Trust Maturity Model guidance, available at cisa.gov
  3. HHS Office for Civil Rights — HIPAA Security Rule requirements under 45 C.F.R. Parts 160 and 164, governing technical safeguards for protected health information
  4. FTC (Federal Trade Commission) — enforcement actions and the Safeguards Rule under 16 C.F.R. Part 314, applying to financial institutions and their service providers
  5. DoD CMMC Program Office — Cybersecurity Maturity Model Certification requirements for defense contractors, published at dodcio.defense.gov

When a regulation or standard cited on this site conflicts with a more recent primary-source publication, the primary source takes precedence. Practitioners conducting compliance assessments, vendor evaluations, or policy research should verify all referenced requirements directly against the issuing body's current publication.


Feedback and Updates

Cybersecurity regulatory guidance does not follow a single fixed publication cycle. NIST issues revisions to Special Publications on a rolling basis — SP 800-53 Rev 5 was finalized in September 2020 with subsequent errata released through csrc.nist.gov. CISA updates its KEV catalog without a fixed annual schedule. HHS Office for Civil Rights periodically revises HIPAA enforcement guidance, and the FTC Safeguards Rule underwent a material amendment effective June 2023.

Content across this directory is cross-referenced against named public standards at the time of publication. When a regulatory body issues a material change — such as a revised penalty structure or an updated framework version — affected reference entries are flagged for editorial review. The site does not assert real-time currency for any regulatory figure or technical specification; readers should treat all cited thresholds and requirements as reference points requiring independent verification against current agency publications.

Structural corrections, broken citations, and factual disputes can be submitted through the contact page. Editorial decisions follow a defined source hierarchy: enacted federal statute takes precedence over agency rule, agency rule takes precedence over guidance documents, and guidance documents take precedence over framework recommendations.


Purpose of This Resource

InfoSec Authority exists to map the US cybersecurity service sector with reference-grade precision — classifying professional categories, regulatory obligations, technical disciplines, and service types against named standards and statutory frameworks. The directory does not publish marketing content, promotional rankings, or vendor endorsements.

The distinction between this resource and general cybersecurity publications is structural. Where a general publication might describe a topic conceptually, this directory classifies it: identifying which regulatory body governs it, which framework addresses it, which professional credentials apply to it, and how it relates to adjacent service categories. The InfoSec Listings section reflects this approach — entries are organized by function and regulatory domain, not by commercial prominence.

The scope of the resource, including the domains and professional categories it covers, is documented in the InfoSec Directory Purpose and Scope reference page. That page defines classification boundaries, describes which sectors receive dedicated coverage, and identifies the regulatory instruments used to delineate service categories.

Two distinct content types appear across this site. Regulatory reference content describes statutory requirements, enforcement mechanisms, and compliance frameworks with citations to enacted law or agency rule. Technical reference content describes tools, architectures, protocols, and professional disciplines, grounded in named standards bodies such as NIST, ISO/IEC, and the Internet Engineering Task Force (IETF).


Intended Users

Three primary professional audiences use this directory, each with distinct navigation needs:

Compliance and legal professionals — attorneys, compliance officers, and risk managers operating under sector-specific obligations such as HIPAA, GLBA, FISMA, or state-level breach notification laws. These readers typically navigate by regulatory framework or enforcement body, and prioritize statutory citations and penalty structures over technical implementation detail.

Technical practitioners — security architects, penetration testers, incident responders, and managed security service providers (MSSPs). These readers navigate by discipline, credential type, or technical framework. NIST SP 800-61 (Computer Security Incident Handling Guide) and the MITRE ATT&CK framework, which catalogs over 400 adversary techniques across 14 tactic categories, are among the reference instruments most relevant to this audience.

Researchers and procurement professionals — policy analysts, contracting officers, and organizational decision-makers evaluating vendor qualifications, regulatory readiness, or sector benchmarks. This group benefits from the classification structure described in How to Use This InfoSec Resource and the comparative framework breakdowns embedded throughout the directory.

No section of this directory constitutes legal, regulatory, or professional advice. Content describes the structure of the cybersecurity service sector and its governing instruments — the application of those instruments to any specific organization's circumstances requires qualified professional judgment independent of this reference.
