Contact
Advanced Security Authority serves as a national reference provider network for the cybersecurity services sector, covering providers, practitioners, and firm classifications across the United States. This page describes the service area, the information required for effective correspondence, and the response framework that governs inquiry handling. Submissions related to provider network providers, professional credential verification, and sector classification questions are routed through structured review before a response is issued.
Service area covered
Advanced Security Authority operates as a national-scope cybersecurity provider network, structured to serve professionals, organizations, and researchers seeking to navigate the commercial and regulatory landscape of cybersecurity services in the United States. The provider network's scope encompasses the following distinct service and inquiry categories:
- Provider provider inquiries — requests from cybersecurity firms, managed security service providers (MSSPs), and independent practitioners to be evaluated for provider network inclusion
- Credential and qualification questions — inquiries related to licensing frameworks, certification standards, and professional designation verification (e.g., CISSP, CISM, CEH as recognized by (ISC)², ISACA, and EC-Council respectively)
- Regulatory classification questions — questions regarding how specific services align with frameworks such as NIST SP 800-53 (Security and Privacy Controls for Information Systems), CISA sector designations, or FTC Safeguards Rule applicability
- Provider Network accuracy corrections — submissions identifying factual errors in existing providers, including outdated firm names, credential lapses, or changed service scope
- Research and reference requests — inquiries from academic institutions, policy researchers, or journalists requiring structural information about the cybersecurity services sector
Geographic scope is national. The provider network does not provide region-restricted referrals, and all 50 U.S. states fall within the operational scope of the service classification framework. Submissions from non-U.S. entities that operate in U.S. jurisdictions are evaluated on a case-by-case basis against applicable federal standards.
What to include in your message
Incomplete submissions are the primary cause of delayed or unresolved inquiry responses. The following breakdown identifies the required and conditional fields by inquiry type.
For provider provider requests:
- Legal business name and primary operating state
- Service category (e.g., penetration testing, incident response, SOC operations, identity and access management)
- Applicable certifications held by the firm or its principals, with issuing body named (e.g., SOC 2 Type II issued by an AICPA-licensed CPA firm)
- Any relevant federal or state authorization — for example, FedRAMP authorization status for cloud service providers, as maintained by the FedRAMP Marketplace
- Number of credentialed practitioners on staff, specifying designation type
For regulatory classification questions:
- The specific framework or statute in question — cite the regulation by name and section where possible (e.g., HIPAA Security Rule, 45 CFR §164.312 for healthcare-sector inquiries)
- The nature of the service or product being evaluated
- The jurisdiction or sector context
For accuracy corrections:
- The provider in question, identified by firm name or provider network entry reference
- The specific field requiring correction
- Supporting documentation type (e.g., state licensure record, certification body database screenshot)
Comparison — provider requests vs. correction submissions: A new provider request enters an evaluation queue that involves credential verification against named certification body databases. A correction submission enters a faster editorial review track, typically requiring only documentation that contradicts the current published record. The two tracks differ in processing time and the depth of verification required.
Response expectations
Response timelines are governed by inquiry category and completeness of the submitted information.
- Provider provider evaluations proceed through a credential verification phase that cross-references named certification bodies — including (ISC)², ISACA, CompTIA, and the SANS Technology Institute — before a provider decision is issued. This phase requires a minimum of 5 business days for standard submissions.
- Regulatory classification questions are addressed on a reference basis only. Responses describe how specific frameworks apply to defined service categories; no legal advice or compliance determinations are provided. These responses reference authoritative public sources, including NIST CSRC, CISA advisories, and published rulemaking from federal agencies.
- Accuracy correction submissions are reviewed against the provider network's source documentation and resolved within 3 to 7 business days, depending on whether third-party verification is required.
- Research and reference inquiries receive responses that direct the requestor to publicly available datasets, including CISA's Known Exploited Vulnerabilities Catalog and the National Vulnerability Database (NVD) maintained by NIST.
Submissions that lack the required fields identified in the section above are returned with a request for supplemental information before review proceeds.
Additional contact options
For inquiries specifically related to how provider classifications are structured within the network framework, the Advanced Security Providers page documents the taxonomy used to categorize cybersecurity service providers by specialization, credential tier, and regulatory alignment.
Questions about the scope, methodology, or organizational structure of the provider network itself are addressed on the page, which outlines the criteria used for inclusion and the framework standards applied in classification decisions.
Submissions referencing specific federal cybersecurity mandates — including the Cybersecurity Maturity Model Certification (CMMC) program administered by the U.S. Department of Defense for defense industrial base contractors — should identify the applicable CMMC level and contract context in the message body to enable accurate routing.
Report a Data Error or Correction
Found incorrect information, an outdated fact, or a broken link? Use the form below.
To report a correction or suggest an update:
Please include the page URL and a description of the issue.
For general questions:
References
- CISA advisories
- CISA's Known Exploited Vulnerabilities Catalog
- FTC Safeguards Rule
- FedRAMP Marketplace
- HIPAA Security Rule, 45 CFR §164.312
- NIST CSRC
- NIST SP 800-53
- National Vulnerability Database (NVD)