Cybersecurity Directory: Purpose and Scope
The National Online Safety Authority's cybersecurity directory maps the service landscape for individuals, families, small businesses, and researchers seeking structured access to protection resources, regulatory references, and threat-specific guidance across the United States. The directory spans consumer-facing cybersecurity topics — from identity protection and phishing defense to ransomware response and AI-generated content risks — organized by threat category, user population, and regulatory context. Accurate navigation of this sector requires knowing not only what services exist, but which federal bodies govern them, what qualification standards apply to listed organizations, and how the directory's own inclusion criteria are enforced.
Geographic Coverage
This directory operates at national scope within the United States, with primary reference anchoring in federal regulatory frameworks administered by the Federal Trade Commission (FTC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST). State-level resources are documented where they reflect distinct statutory requirements — for example, California's Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (CDPA), and Texas's Data Privacy and Security Act each impose obligations that affect how services are structured and delivered in those jurisdictions.
Federal frameworks referenced throughout the directory include NIST's Cybersecurity Framework (CSF) 2.0, the FTC's identity theft regulations under 16 C.F.R. Part 603, and CISA's Known Exploited Vulnerabilities catalog. For child and adolescent user populations, coverage extends to the Children's Online Privacy Protection Act (COPPA), enforced by the FTC, and resources related to children's online safety and teen cybersecurity awareness.
Geographic scope is defined in terms of service accessibility, not physical address. A service qualifies for inclusion under national coverage if it serves users in all 50 states or documents its jurisdictional limitations explicitly. Services restricted to a single state or metropolitan area are tagged accordingly and cross-referenced under state online safety resources.
How to Use This Resource
The directory is organized along two primary axes: threat category and user population. These axes are independent and intersecting — a single listing may appear under both a threat category (e.g., phishing) and a user population (e.g., seniors).
Threat categories covered include:
- Account compromise and credential theft
- Social engineering (phishing, romance scams, tech support fraud)
- Malware and ransomware exposure
- Privacy and data exposure risks
- Child and adolescent online safety
- Financial fraud (including cryptocurrency fraud and scam networks)
- Identity theft and dark web exposure
- Device and network-level vulnerabilities
User population segments include individual consumers, minors and parents, seniors, small business operators, and researchers or professionals seeking credentialed resources. The cybersecurity listings section presents the full indexed catalog, sortable by both axes.
For regulatory and legal researchers, the directory surfaces statutes, agency guidance documents, and enforcement records rather than consumer-facing tips. The online safety laws and regulations (US) section provides statutory cross-references organized by federal and state jurisdiction.
Professionals navigating the directory for credentialing or training information should cross-reference the online safety certifications and training section, which documents recognized certification bodies including CompTIA, (ISC)², and ISACA, along with their examination prerequisites and renewal cycles.
Standards for Inclusion
Directory listings must meet defined criteria across four dimensions before inclusion is confirmed:
- Organizational legitimacy — The listing must represent a verifiable legal entity: a registered nonprofit, accredited educational institution, government agency, or commercially licensed service provider. Anonymous or unverifiable sources are excluded.
- Content accuracy — Claims made by listed organizations must be consistent with published guidance from NIST, CISA, the FTC, or equivalent recognized standards bodies. Organizations that contradict established regulatory definitions are flagged or removed.
- Scope specificity — Listings must clearly identify the populations served, geographic coverage, and the threat categories addressed. Generalist claims without documented specialization are listed under general consumer resources, not specialized threat categories.
- Currency of information — Technical guidance that references deprecated protocols, obsolete threat models, or superseded regulatory standards is ineligible. NIST SP 800-53 Rev. 5, for example, is the current baseline for federal information system security controls; resources citing only earlier revisions without acknowledgment of updates are reviewed before inclusion.
A key distinction governs how commercial services are classified versus government or nonprofit resources. Commercial service providers — including VPN vendors, identity monitoring services, and endpoint protection vendors — are indexed separately from government agencies and nonprofit advocacy organizations. This separation prevents confusion between fee-based products and no-cost public resources. For example, "VPN usage for personal safety" references both commercial providers and free/open-source alternatives, with explicit labeling for each.
How the Directory Is Maintained
Directory content is subject to structured review against a defined set of trigger conditions rather than fixed calendar intervals. Review triggers include:
- Regulatory updates — New FTC rulemaking, CISA advisories, or NIST framework revisions initiate review of all affected listings within that threat category.
- Organizational status changes — Mergers, licensing revocations, or accreditation lapses result in immediate listing suspension pending re-verification.
- Threat landscape shifts — Emergence of new threat vectors (such as deepfake threats or AI-generated content risks) triggers creation of new listing categories and reclassification of existing entries where scope overlap is identified.
- User-submitted corrections — Factual discrepancies reported through the directory's review process are logged, evaluated against named public sources, and resolved with documented rationale.
The directory does not accept paid placement, sponsored listings, or affiliate-linked entries. Inclusion decisions are made solely on the basis of the four-dimensional criteria described above. Organizations seeking listing review should reference the submission standards documented under the "How to Use This Cybersecurity Resource" section, which includes the full submission checklist and the appeals process for declined listings.
Editorial review draws on published standards from CISA's Shields Up guidance, the FTC's Consumer Information library, and NIST's National Cybersecurity Center of Excellence (NCCoE) project publications — each of which constitutes a named, publicly accessible reference corpus against which listing claims are evaluated.