Cybersecurity Listings

The listings published on identitysecurityauthority.com catalog the practitioners, frameworks, service categories, and regulatory reference points that constitute the identity security sector in the United States. Each listing is drawn from publicly documented sources and structured to support researchers, procurement professionals, and compliance teams navigating a sector governed by overlapping federal standards, state statutes, and industry certification bodies. The full scope of the directory, including what it does and does not cover, is defined on the Cybersecurity Directory: Purpose and Scope page.


How currency is maintained

Listings are cross-referenced against authoritative public sources rather than vendor-supplied data. Primary reference bodies include the National Institute of Standards and Technology (NIST Cybersecurity Framework), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Conference of State Legislatures, which tracks state-level breach notification law adoption across all 50 states.

Practitioner certification data is validated against issuing bodies — including ISC2 (which administers the CISSP), ISACA (CISM, CISA), and CompTIA (Security+). Regulatory framing is anchored to enacted statute and published agency guidance rather than proposed rulemaking. When a framework is revised — such as NIST SP 800-53, which reached Revision 5 in September 2020 — listings are updated to reflect the current published version rather than the superseded edition.

The identity-security-nist-frameworks page provides detail on how NIST publications map to specific identity security controls, including the 20 control families in NIST SP 800-53 Rev 5.


How to use listings alongside other resources

Directory listings describe service categories, frameworks, and practitioner qualifications at a reference level. They are not substitutes for primary regulatory documents, licensed legal counsel, or active threat intelligence feeds. The CISA Known Exploited Vulnerabilities Catalog and the NIST National Vulnerability Database supply real-time technical advisories that fall outside the scope of static directory listings.

When using listings to evaluate service providers, practitioners, or frameworks, three parallel reference types are most productive:

  1. Regulatory primary sources — The full text of applicable statutes (e.g., HIPAA under 45 C.F.R. Parts 160 and 164, or GLBA under 15 U.S.C. § 6801) establishes mandatory control baselines that listings summarize but do not reproduce in full.
  2. Standards body publications — NIST Special Publications, ISO/IEC 27001, and CISA guidance documents provide the technical depth that directory listings index and cross-reference.
  3. Practitioner certification registries — ISC2, ISACA, and CompTIA each maintain searchable public registries to verify that credential holders are in active standing.

The how-to-use-this-cybersecurity-resource page outlines the decision logic for matching research needs to the appropriate listing category.


How listings are organized

Listings are grouped into five primary categories that reflect the structural divisions of the identity security sector:

  1. Identity and access management (IAM) frameworks — Covers architectural standards for provisioning, authentication, and deprovisioning. Subcategories include privileged access management, federated identity management, and role-based access control versus attribute-based access control. The distinction between RBAC and ABAC is functionally significant: RBAC assigns permissions to predefined roles, while ABAC evaluates contextual attributes — such as device posture, time of access, or geographic location — at the moment of each access request.

  2. Authentication protocols and standards — Includes listings for multi-factor authentication (MFA), single sign-on (SSO), passwordless authentication, and federated identity protocols such as OAuth, OpenID Connect, and SAML.

  3. Threat categories and attack vectors — Covers credential theft and account takeover, phishing and identity attacks, insider threat and identity, and identity threat detection and response.

  4. Compliance and governance frameworks — References applicable regulatory obligations including NIST, HIPAA, GLBA, and FTC rules, with cross-reference to identity security compliance (US) and identity governance and administration.

  5. Practitioner certifications and vendor tools — Catalogs certification bodies and their credential structures alongside the identity security vendors and tools landscape, without scoring or ranking individual providers.


What each listing covers

Each listing entry is structured to deliver five discrete elements:

  1. Category definition — A precise functional description drawn from named standards bodies (NIST, CISA, ISO/IEC) rather than vendor marketing language.
  2. Regulatory anchors — Identification of federal statutes, agency guidance documents, or published frameworks that establish compliance relevance for that category.
  3. Service sector scope — The practitioner roles, organizational functions, or technology domains in which the category is operationally active.
  4. Classification boundaries — Where one category ends and an adjacent one begins. For example, cloud identity security addresses identity controls native to cloud-hosted environments, while hybrid identity environments covers the integration layer between on-premises directory services (including Active Directory) and cloud identity providers — a distinction that directly affects which NIST SP 800-207 Zero Trust controls apply.
  5. Cross-reference index — Links to related listings, primary regulatory documents, and practitioner qualification standards that expand on the category without duplicating content.

Listings do not include vendor rankings, real-time breach data, or jurisdiction-specific legal interpretations. The identity breach case studies (US) page provides documented incident references that illustrate how category-level failures manifest in organizational outcomes, grounded in publicly reported events rather than proprietary data.
