Cybersecurity Network: Purpose and Scope

The National Online Safety Authority maintains a structured provider network of cybersecurity service providers, practitioners, and firms operating across the United States. This page defines the geographic scope of the provider network, the standards applied to providers, and the processes used to keep records accurate and current. The cybersecurity sector spans a broad range of credentialed and, in some jurisdictions, regulated service categories, from penetration testing and managed detection and response (MDR) to compliance consulting and incident response, and a structured provider network serves professionals and organizations navigating that landscape.

Geographic Coverage

The provider network covers cybersecurity service providers with active operations in the United States at the national scale. Providers are not restricted to a single state or metropolitan area; coverage extends to firms and practitioners serving clients across state lines, including those operating under federal procurement frameworks such as the Federal Risk and Authorization Management Program (FedRAMP) and those registered in the System for Award Management (SAM.gov).

Geographic scope distinctions apply as follows:

  1. National providers — firms with documented service delivery capacity across 10 or more states, or those holding federal contract vehicles (e.g., GSA Schedule 70 successor vehicles under MAS IT Category).
  2. Regional providers — firms with a primary footprint in a defined multi-state region (e.g., Mid-Atlantic, Pacific Northwest) but without national reach.
  3. State-licensed specialists — practitioners whose services are governed by state-level licensing requirements, such as private investigator statutes that apply in jurisdictions like Texas (Texas Occupations Code, Chapter 1702) and Florida, which regulate certain digital forensic and surveillance activities.

Providers from all three categories appear in the network, with geographic scope clearly labeled on each entry. For context on how online safety services intersect with this geographic structure, see the Online Safety Providers page.

How to Use This Resource

The provider network is structured as a reference instrument for four primary audiences: organizations sourcing cybersecurity vendors, human resources and procurement professionals verifying credentials, researchers mapping the US cybersecurity service landscape, and journalists or policy analysts requiring sector-level data.

Entries are organized by service category, not alphabetically or by company size. Service categories align with the NIST Cybersecurity Framework (CSF) 2.0 function taxonomy (Govern, Identify, Protect, Detect, Respond, and Recover), allowing users to locate providers by the operational phase relevant to their need. A penetration testing firm, for example, maps primarily to the Identify function (vulnerability identification and validation under the Risk Assessment category, ID.RA), while an incident response retainer firm maps to Respond and Recover.

Filtering by credential type is also supported. The provider network distinguishes between providers holding:

Detailed guidance on navigating the full provider network structure is available on the How to Use This Online Safety Resource page.

Standards for Inclusion

Not all cybersecurity-branded businesses qualify for provider network inclusion. The following minimum standards apply:

  1. Verifiable legal existence — the entity must be registered with a state secretary of state office or equivalent, with an active status at the time of review.
  2. Demonstrated cybersecurity scope — the primary or documented secondary business activity must fall within a recognized cybersecurity service category as defined by NICE Workforce Framework for Cybersecurity (NIST SP 800-181 Rev. 1).
  3. At least one verifiable credential or authorization — at the organizational or practitioner level, drawn from the credential categories verified in the preceding section.
  4. No active enforcement actions — providers under active FTC enforcement (FTC Act, Section 5), providers with an active exclusion record in SAM.gov, or providers subject to state attorney general actions related to deceptive cybersecurity claims are excluded pending resolution.

The provider network does not include general IT support firms, telecommunications companies, or hardware vendors unless those entities operate a discrete, separately credentialed cybersecurity practice. This boundary distinguishes cybersecurity service providers from adjacent technology sectors. For comparison with the broader online safety service landscape, see the Online Safety Provider Network Purpose and Scope page.

How the Provider Network Is Maintained

Provider network records are subject to a structured review cycle. Organizational providers undergo a full credential reverification annually, timed to align with common certification renewal windows: ISO/IEC 27001 certification, for example, requires an annual surveillance audit and a recertification audit every three years under the ISO/IEC 17021-1 accreditation norms that certification bodies follow.

Interim updates are triggered by any of the following events:

Providers flagged for review enter a provisional status, which is displayed on the entry until reverification is complete. Entries that cannot be reverified within 60 days of flag are removed from active providers and archived.

The provider network does not accept paid placements, sponsored rankings, or advertising-linked prioritization. Ordering within categories reflects credential depth (the number and recency of independently verified qualifications), not commercial relationships. This emphasis on verifiable, auditable records is consistent with the approach of NIST IR 8011 (Automation Support for Security Control Assessments), although that document addresses control assessment rather than provider directories.

References