InfoSec Directory: Purpose and Scope

The InfoSec Authority directory maps cybersecurity service providers, consultancies, managed security service providers (MSSPs), credentialed practitioners, and specialist firms operating within the United States information security sector. This page defines the criteria governing which entities appear in the InfoSec Listings, the processes by which those entries are maintained, and the boundaries that separate this directory from adjacent reference formats. Readers navigating vendor selection, compliance program staffing, or independent research can use this scope statement to assess the relevance and reliability of any entry.


Standards for Inclusion

Inclusion in the InfoSec Authority directory is not determined by submission, payment, or placement fee. Entries are identified and evaluated through editorial research drawing on publicly verifiable signals in the cybersecurity professional and regulatory landscape.

The primary signals used to assess an entity are:

  1. Credential and certification standing — verification of recognized professional certifications such as the Certified Information Systems Security Professional (CISSP), issued by (ISC)², or the Certified Information Security Manager (CISM), issued by ISACA. Both organizations publish active member and certification lookup tools against which individual practitioner claims can be checked.
  2. Regulatory registration and compliance posture. For entities operating in regulated verticals, documented alignment with federal regimes such as CISA guidance, the FTC Safeguards Rule (16 C.F.R. Part 314), or the HIPAA Security Rule (45 C.F.R. Parts 160 and 164) enforced by the HHS Office for Civil Rights constitutes a qualifying signal. Neither the FTC nor HHS certifies or registers compliant entities, so this signal rests on the entity's own published attestations and on public enforcement records such as FTC case listings and the HHS breach reporting portal.
  3. Operational scope — geographic and service-area claims must align with verifiable business records. An entity claiming national MSSP coverage must demonstrate operational infrastructure or documented client presence across multiple US regions.
  4. Specialization depth — firms or practitioners are evaluated for demonstrated focus within identifiable cybersecurity domains: penetration testing, incident response, cloud security architecture, governance, risk and compliance (GRC), digital forensics, or identity and access management (IAM), among others.
  5. Published audit or assessment authority. Firms conducting formal assessments against NIST SP 800-53 controls (using the SP 800-53A assessment procedures, csrc.nist.gov), issuing SOC 2 reports under AICPA attestation standards, or supporting FedRAMP authorization are evaluated against the relevant framework's practitioner qualification requirements. Two checks a reader can make independently: a SOC 2 report can only be issued by a licensed CPA firm, and FedRAMP assessments are performed by Third Party Assessment Organizations (3PAOs) accredited by A2LA and listed on the FedRAMP Marketplace.

The distinction between an editorial directory and a sponsored listing platform is operationally significant. Sponsored platforms typically accept entries from any entity willing to pay, applying little or no verification. This directory applies consistent evaluation standards before an entry is published in InfoSec Listings.


How the Directory Is Maintained

Entries undergo a structured review cycle tied to the renewal and publication calendars of the primary authoritative sources used during initial evaluation. Certification status with (ISC)² and ISACA, for example, depends on both annual continuing professional education (CPE) requirements and a three-year certification cycle at each organization; a missed annual CPE or maintenance deadline can suspend a credential before the three-year cycle ends, so both events trigger re-verification in this directory's update workflow.

Three categories of source material govern ongoing maintenance:

Listings that cannot be cross-referenced against at least one named public-record source are held pending verification or excluded entirely. Entries in contested regulatory standing, such as firms subject to active FTC enforcement actions or firms whose FedRAMP authorization has lapsed or been revoked (current status is published on the FedRAMP Marketplace), are flagged for expedited review rather than allowed to remain in published status through a standard cycle.


What the Directory Does Not Cover

The InfoSec Authority directory does not index every cybersecurity-adjacent product vendor, software publisher, or general IT services firm. The scope is bounded by professional service delivery and practitioner credentialing within the information security sector specifically.

The following categories fall outside the directory's scope:

This boundary distinguishes the directory from generalist business listing platforms and from academic program indexes. For guidance on navigating the directory's structure and filter logic, see How to Use This InfoSec Resource.


Relationship to Other Network Resources

The InfoSec Authority directory operates as one component within a structured network of cybersecurity reference resources. The directory itself — accessible via InfoSec Listings — focuses on entity-level data: who provides services, under what credentials, and within what operational scope.

Complementary resources on the network address framework-level reference content: regulatory compliance requirements under FISMA (44 U.S.C. § 3551 et seq.), NIST Cybersecurity Framework (CSF) 2.0 implementation guidance, and sector-specific security program requirements under frameworks such as CMMC (Cybersecurity Maturity Model Certification) administered by the Department of Defense. Those reference pages are not directories — they do not index service providers. The directory does not replicate framework explanation content.

Researchers, procurement officers, and compliance program managers who use the directory and the framework reference sections together get both halves of the picture: the regulatory requirements that define what qualified service providers must deliver, and the specific entities credentialed to deliver those services within the US market.
