Listing Criteria and Standards for This Directory
The criteria governing which cybersecurity service providers appear in this directory reflect the professional, regulatory, and operational standards that define qualified practice in the US cybersecurity services sector. Listings are evaluated against objective qualification markers — not commercial relationships or self-reported claims. This page documents the specific standards applied, the classification logic used to assign providers to service categories, and the thresholds that determine inclusion, exclusion, or conditional listing status.
Definition and scope
Directory listing criteria establish the minimum and preferred standards a cybersecurity service provider must meet to appear within a given service category. These standards function as a quality floor: they differentiate verified professional practice from unverified commercial presence.
The scope of this directory covers US-operating cybersecurity service providers across 18 discrete service categories — from managed security service providers and penetration testing firms to digital forensics providers and OT/ICS security providers. Each category carries category-specific criteria layered on top of universal baseline requirements.
The foundational reference standards for listing evaluation are drawn from recognized public frameworks and regulatory bodies, including:
- NIST Cybersecurity Framework (CSF) 2.0 — used to assess whether a provider's service scope maps to recognized functions and categories; NIST SP 800-53 Rev 5 is used as the control catalog when a provider's methodology is checked against specific control families
- CISA (Cybersecurity and Infrastructure Security Agency) — provides sector-specific guidance and performance goals for critical infrastructure operators and the providers serving them
- ISO/IEC 27001 — used as a credential benchmark for providers claiming information security management competency
- SOC 2 Type II attestation (AICPA Trust Services Criteria) — applied as an independent-assurance marker for providers that operate within, or handle data from, client environments
Listing scope is limited to service providers, not product-only vendors. A firm selling a security software platform without associated professional services does not qualify for inclusion in the cybersecurity service providers categories covered here.
How it works
Evaluation proceeds through a structured 4-phase process:
- Category classification — The provider's primary and secondary service offerings are mapped to the directory's 18 service categories using the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) as the organizing taxonomy. A provider may qualify for listing in multiple categories if distinct service lines meet the criteria for each.
- Credential verification — Applicable staff-level and organizational-level credentials are assessed. Staff credentials recognized include certifications such as CISSP (Certified Information Systems Security Professional, governed by (ISC)²), CEH (Certified Ethical Hacker, EC-Council), and OSCP (Offensive Security Certified Professional, Offensive Security). Organizational credentials include ISO 27001 certification, SOC 2 Type II attestation, and FedRAMP authorization of the cloud offerings used to deliver services to federal clients.
- Regulatory alignment check — For sector-specific providers, compliance framework alignment is evaluated. A healthcare cybersecurity provider must demonstrate HIPAA Security Rule competency (45 CFR Part 164, Subpart C); a financial sector cybersecurity provider must demonstrate familiarity with FFIEC guidance and applicable state financial regulators.
- Operational history assessment — Providers are assessed for demonstrated operating history in their claimed service category. Firms with between 12 and 24 months of documented service delivery in a given category are listed as provisional, not standard, entries; firms with fewer than 12 months do not meet the baseline and are denied (see Decision boundaries).
Common scenarios
Three scenarios account for the majority of listing evaluation decisions:
Scenario A: Multi-service provider with uneven credential depth. A firm offering both penetration testing and incident response services may hold strong offensive security credentials (OSCP, GPEN) while lacking GCFE or equivalent response-side (digital forensics and incident response) credentials. In this case, the firm qualifies for the penetration testing category at standard tier but is provisionally listed under incident response firms pending credential completion.
Scenario B: Compliance consulting firm seeking listing under risk management. A firm delivering risk and compliance consulting services is assessed against its demonstrated framework competency — specifically, whether its methodology references NIST CSF, ISO 27001, or CMMC as named, documented practice frameworks rather than marketing language. The absence of framework-specific methodology documentation results in denial or conditional listing.
Scenario C: MSP claiming cybersecurity services without dedicated security staff. A managed IT service provider that adds cybersecurity language to its service description without a dedicated security operations function does not meet the threshold for listing under security operations center providers. The distinction between general IT managed services (MSP) and cybersecurity-specific managed security services (MSSP) follows the definitional boundary used in CISA guidance and the industry at large: an MSSP delivers security monitoring, detection and response as a staffed function, not as an add-on to infrastructure administration.
Decision boundaries
Listing decisions fall into four categories:
| Decision | Criteria Met | Credential Status |
|---|---|---|
| Standard listing | All baseline + category criteria | Active, verified credentials |
| Provisional listing | Baseline met; 1+ category criteria pending | Credentials in progress or 12–24 months history |
| Conditional listing | Baseline met; sector compliance gap | Framework alignment documentation pending |
| Denial | Baseline criteria not met | No verifiable credentials or < 12 months history |
The baseline criteria — applicable to every provider regardless of category — require: (1) a verifiable US business entity registration, (2) at least 1 staff member holding an active, named cybersecurity credential from a recognized credentialing body, (3) a documented service methodology referencing at least 1 named public framework, and (4) no active regulatory enforcement actions from the FTC or applicable sector regulators. (CISA issues guidance and is not an enforcement body; its publications inform criteria but do not generate enforcement records.)
Provisional listings are reviewed at 12-month intervals. Standard listings are subject to re-verification at 24-month intervals or upon material change in the provider's credential status. The full landscape of provider categories covered by these criteria is accessible through the cybersecurity listings index.
References
- NIST SP 800-53, Rev 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST Cybersecurity Framework (CSF) 2.0
- CISA — Cybersecurity and Infrastructure Security Agency
- 45 CFR Part 164 — HIPAA Security Rule (eCFR)
- (ISC)² — CISSP Certification
- EC-Council — CEH Certification
- Offensive Security — OSCP Certification
- AICPA — SOC 2 Trust Services Criteria
- ISO/IEC 27001 — Information Security Management
- FFIEC — Federal Financial Institutions Examination Council Cybersecurity Resources