Cybersecurity Directory: Purpose and Scope

The identitysecurityauthority.com cybersecurity directory organizes publicly available information about identity security frameworks, compliance obligations, practitioner certifications, and threat categories relevant to US-based organizations. This page defines what the directory covers, how its listings are structured, and where its scope ends. These boundaries exist to help professionals and researchers locate the right type of resource without misapplying directory content to decisions that require licensed professional judgment. The directory's subject matter centers on identity — the authentication, authorization, governance, and lifecycle management functions that underpin access control across enterprise and public-sector environments.


What the directory does not cover

The directory does not provide legal advice, regulatory compliance determinations, or vendor procurement guidance. Listings describe publicly documented frameworks, agencies, and practice categories — they do not constitute endorsements of any product, service, or organization.

The following four content types fall outside the directory's scope:

  1. Real-time threat intelligence feeds — Live indicators of compromise (IOCs), CVE patch timelines, or active incident advisories are maintained by primary sources such as the CISA Known Exploited Vulnerabilities Catalog and the NIST National Vulnerability Database. These feeds are not reproduced within directory listings.

  2. Jurisdiction-specific legal opinions — State breach notification laws vary in trigger thresholds, timelines, and exemptions. The National Conference of State Legislatures tracks enactment across 50 states, but the directory names these statutes without interpreting their application to specific organizational fact patterns.

  3. Vendor product reviews or rankings — No commercial security tool, managed detection platform, or software vendor is rated, scored, or compared within these listings. The Identity Security Vendors and Tools page catalogs categories of tooling but does not endorse specific products.

  4. Active incident response engagements — The directory references identity security incident response as a defined practice category but does not facilitate connections to retainer services, breach coaches, or active remediation providers.


Relationship to other network resources

This directory sits within a broader reference structure that separates reference cataloging from explanatory content. The distinction matters operationally: a directory entry names a framework, defines its scope, and identifies the governing body — it does not teach the framework's implementation sequence.

Explanatory depth on foundational concepts is handled by subject-specific reference pages. For instance, the mechanics of access policy enforcement are addressed under Identity and Access Management (IAM), while the policy model that governs what access is permitted appears under Role-Based Access Control and Attribute-Based Access Control. Directory listings reference these pages where a topic requires contextual grounding that exceeds catalog scope.

Regulatory framing across the identity security domain draws from named federal and state frameworks. The directory acknowledges NIST SP 800-63 (Digital Identity Guidelines) as a foundational standard, alongside sector-specific mandates including HIPAA Security Rule provisions at 45 CFR §164.312 (U.S. Department of Health and Human Services), NYDFS Cybersecurity Regulation 23 NYCRR 500 (New York State Department of Financial Services), and the CMMC Model v2.0 (U.S. Department of Defense). These frameworks appear as classification anchors within listings, not as compliance checklists.

The directory does not replicate content maintained by primary standards bodies. NIST's Cybersecurity Framework and the AICPA's SOC 2 criteria remain authoritative at their source; directory entries reference and contextualize them rather than reproduce them.


How to interpret listings

Each listing within the directory follows a consistent structure designed to support professional navigation rather than introductory instruction. A listing entry contains:

  1. Category classification — The practice domain the listing belongs to (e.g., authentication protocols, governance frameworks, threat categories, or certification bodies).
  2. Scope boundary — A concise statement of what the listed framework, standard, or practice covers and what it explicitly excludes.
  3. Governing or defining authority — The named agency, standards body, or professional organization responsible for the framework (e.g., NIST, CISA, (ISC)², ISACA).
  4. Relevant regulatory intersections — Where a listing connects to a named compliance mandate, that relationship is identified without rendering an interpretation of applicability.
  5. Cross-references — Links to related directory pages where adjacent concepts require disambiguation.

Two listing types appear throughout the directory and operate differently. Framework listings describe technical or policy standards maintained by recognized bodies — NIST SP 800-207 (Zero Trust Architecture) is a framework listing, as is the Zero Trust Identity Model reference page. Practice category listings describe functional disciplines — Privileged Access Management, Identity Governance and Administration, and Federated Identity Management are practice categories that may encompass multiple frameworks, tools, and certification pathways simultaneously.

Readers should treat listing content as a structured starting point. Where a listing references a statutory threshold, penalty ceiling, or certification requirement, that figure originates from the named public source and should be verified against the authoritative document before application.


Purpose of this directory

The directory addresses a structural gap in how identity security information is organized for practitioners, procurement teams, and compliance officers navigating a fragmented landscape. The identity security domain spans authentication protocols, access governance, threat detection, regulatory compliance, and workforce certification — domains that are technically adjacent but institutionally separated across NIST, CISA, sector regulators, and professional certification bodies including (ISC)² and ISACA.

The directory's organizing logic maps the sector along three axes: threat categories (such as Credential Theft and Account Takeover and Phishing and Identity Attacks), control frameworks (such as Multi-Factor Authentication and Passwordless Authentication), and compliance and governance obligations tracked under Identity Security Compliance (US) and Identity Security NIST Frameworks.

This three-axis structure allows a reader to enter the directory from any of three professional contexts — threat response, control implementation, or compliance mapping — and navigate to adjacent categories without losing orientation. A compliance officer researching audit requirements arrives through the governance axis; a security architect evaluating authentication options arrives through the control framework axis; a threat analyst investigating an access anomaly arrives through the threat category axis.

The directory reflects the public record as maintained by named regulatory and standards authorities. It does not establish policy, certify practitioners, or adjudicate vendor capability claims. Its function is classification, cross-referencing, and scope definition within the identity security sector as it is formally structured by the institutions that govern it.
