Federal Agencies Responsible for Online Safety in the US
The United States distributes responsibility for online safety across more than a dozen federal agencies, each operating under distinct statutory authority and jurisdictional boundaries. No single agency holds comprehensive oversight of the entire digital environment — jurisdiction is divided by sector, threat type, population served, and the nature of the harm. Understanding how these agencies are structured, where their authority begins and ends, and how they interact is essential for organizations navigating compliance obligations, researchers mapping the regulatory landscape, and professionals advising on digital risk. The Online Safety Listings maintained on this site provide a structured view of the service providers and institutional bodies operating within this framework.
Definition and scope
Federal online safety authority refers to the legal mandates, enforcement powers, and regulatory functions granted by Congress to specific executive-branch agencies to address harms occurring in or through digital environments. These harms include data breaches, identity theft, child exploitation, critical infrastructure attacks, consumer fraud, and content-based threats.
The scope of federal jurisdiction is shaped primarily by four factors:
- Sector — financial, healthcare, telecommunications, defense, education
- Population — children, consumers, federal employees, critical infrastructure operators
- Threat vector — cybercrime, privacy violation, network intrusion, deceptive practice
- Statutory basis — the enabling legislation that created or expanded an agency's mandate
No overarching "online safety" statute consolidates all federal authority. Instead, jurisdiction is assembled from legislation including the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act, the Cybersecurity Information Sharing Act of 2015, and the Cybersecurity Enhancement Act of 2014 (CISA.gov Legislative Resources).
How it works
Federal online safety oversight functions through a layered architecture of primary regulators, sector-specific enforcers, law enforcement bodies, and coordinating entities. The structure is not hierarchical in a single chain of command — it is concurrent, with multiple agencies holding authority over the same organization depending on context.
Primary regulatory and enforcement bodies:
- Federal Trade Commission (FTC) — Holds broad authority over unfair or deceptive acts and practices under 15 U.S.C. § 45. The FTC is the primary federal enforcer of COPPA, which applies to online operators collecting personal data from children under 13. Civil penalties under COPPA can reach $51,744 per violation (FTC COPPA Rule).
- Cybersecurity and Infrastructure Security Agency (CISA) — Established under the Cybersecurity and Infrastructure Security Agency Act of 2018 (P.L. 115-278), CISA coordinates the protection of 16 designated critical infrastructure sectors. CISA does not hold independent enforcement authority but issues binding operational directives to federal civilian agencies (CISA About).
- Federal Bureau of Investigation (FBI) — The FBI's Internet Crime Complaint Center (IC3) serves as the national intake point for cybercrime reports. In 2023, IC3 received 880,418 complaints representing potential losses exceeding $12.5 billion (FBI IC3 2023 Annual Report).
- National Institute of Standards and Technology (NIST) — NIST publishes the Cybersecurity Framework (CSF), now at version 2.0, and Special Publication 800-series guidance that defines baseline security controls referenced across federal and private-sector compliance programs (NIST CSF 2.0).
- Department of Health and Human Services (HHS) / Office for Civil Rights (OCR) — Enforces HIPAA Security and Privacy Rules for covered entities. Penalty tiers range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS OCR HIPAA Penalties).
- Securities and Exchange Commission (SEC) — Enforces cybersecurity disclosure requirements for publicly traded companies, including rules adopted in 2023 requiring material incident disclosure within 4 business days (SEC Cybersecurity Disclosure Rules).
- Federal Communications Commission (FCC) — Regulates broadband providers and telecommunications carriers, including data breach notification requirements under the Communications Act.
Common scenarios
The multi-agency structure creates predictable jurisdictional patterns across common online safety scenarios:
Healthcare data breach — A ransomware attack on a hospital network that exposes patient data falls under HHS/OCR for HIPAA enforcement, CISA for critical infrastructure coordination, and the FBI for criminal investigation. Three separate agencies are engaged simultaneously under three separate statutory frameworks.
Children's app data collection — A mobile app collecting location and behavioral data from users under 13 triggers FTC jurisdiction under COPPA. If the app is distributed through an educational platform, the Family Educational Rights and Privacy Act (FERPA), enforced by the Department of Education, may also apply.
Financial institution breach — A bank breach activates the Gramm-Leach-Bliley Act Safeguards Rule (enforced by the FTC for non-bank financial institutions and by the OCC, FDIC, or Federal Reserve for chartered banks), plus potential SEC disclosure obligations if the institution is publicly traded.
Critical infrastructure attack — A cyberattack on an energy grid operator triggers CISA coordination, FBI criminal investigation, and Department of Energy sector-specific oversight — all concurrent, with no single agency holding exclusive jurisdiction.
The Online Safety Directory Purpose and Scope page provides context on how this jurisdictional complexity maps to service-sector classifications used across the directory.
Decision boundaries
The distinctions between agencies are not administrative preferences — they are defined by statutory text and judicial interpretation. Three primary classification axes determine which agency governs a given situation:
Sector vs. general jurisdiction: The FTC operates as the default federal privacy and consumer protection enforcer when no sector-specific statute applies. Where HIPAA, GLBA, or the Family Educational Rights and Privacy Act applies, sector-specific regulators displace or supplement FTC authority. The Supreme Court's decision in FTC v. AT&T Mobility LLC (2017) narrowed FTC jurisdiction over common carriers, illustrating how statutory definitions create coverage gaps.
Civil enforcement vs. criminal prosecution: CISA, the FTC, the SEC, and HHS/OCR operate civil enforcement frameworks. Criminal prosecution of cybercrime falls to the Department of Justice and the FBI under statutes including the Computer Fraud and Abuse Act (18 U.S.C. § 1030). The same incident can proceed on both tracks in parallel.
Federal civilian vs. national security: Threats to federal civilian agency systems fall under CISA's authority. Threats involving national security, intelligence systems, or defense networks fall under the National Security Agency (NSA) and U.S. Cyber Command, operating under Title 10 and Title 50 authorities — entirely outside the civilian regulatory framework.
For professionals assessing which compliance obligations apply to a specific organization or incident type, the How to Use This Online Safety Resource page describes the classification logic applied throughout this directory.
References
- Federal Trade Commission — COPPA Rule
- Cybersecurity and Infrastructure Security Agency (CISA) — About CISA
- CISA — Federal Cybersecurity Laws and Regulations
- FBI Internet Crime Complaint Center (IC3) — 2023 Annual Report
- NIST Cybersecurity Framework 2.0
- HHS Office for Civil Rights — HIPAA Enforcement
- SEC — Cybersecurity Disclosure Final Rules (2023)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls
- Computer Fraud and Abuse Act — 18 U.S.C. § 1030