How to Use This Identity Security Resource

The identitysecurityauthority.com directory structures publicly available information about identity security frameworks, compliance obligations, practitioner certifications, threat categories, and service providers relevant to US-based organizations. This page describes how the directory is organized, how content is maintained, and where the boundaries of this resource end. Understanding the directory's structure allows professionals, researchers, and service seekers to locate accurate reference material without misapplying directory content to decisions that require licensed professional judgment.


How to navigate

The directory is organized around the functional domains of identity security, among them authentication, authorization, identity governance, privileged access management, and identity lifecycle management. Each domain contains reference entries that connect regulatory obligations to the frameworks and practitioner categories that address them.

Navigation follows a top-down structure. The Identity Security Listings section is the primary entry point for professionals seeking service provider categories, framework references, or practice area descriptions. The Directory Purpose and Scope page defines inclusion criteria and explains which content types fall outside this resource.

For researchers entering from a regulatory framing — such as obligations under the Federal Information Security Modernization Act (44 U.S.C. § 3551 et seq.), the NIST Cybersecurity Framework, or CISA Binding Operational Directives and Emergency Directives — the listings map those obligations to recognized practice categories without interpreting how any specific requirement applies to a given organization.


What to look for first

Professionals with a defined use case — such as evaluating IAM service provider categories or identifying applicable certification standards — should navigate directly to the relevant practice category within the Identity Security Listings.

Researchers without a defined starting point should use the following prioritization sequence:

  1. Identify the regulatory anchor. Determine whether the research context is governed by federal statute or regulation (e.g., FISMA, or the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C), sector-specific guidance (e.g., FFIEC authentication guidance for financial institutions), or frameworks that are voluntary for most private-sector organizations (e.g., NIST SP 800-63 Digital Identity Guidelines, which are nonetheless binding on federal agencies).
  2. Identify the functional domain. Identity security subdivides into at least 6 distinct functional areas: authentication assurance, authorization and access control, privileged access management (PAM), identity governance and administration (IGA), directory services, and identity threat detection and response (ITDR).
  3. Match the domain to a practitioner category. Certifications such as the Certified Identity and Access Manager (CIAM) credential and vendor-specific qualifications differ from audit-oriented designations such as the Certified Information Systems Auditor (CISA) credential administered by ISACA (the credential, not the federal agency of the same acronym). These distinctions affect which type of professional or service provider is relevant to a given compliance or operational need.
  4. Check scope boundaries. Before applying any directory entry to a procurement or compliance decision, confirm that the use case does not require licensed legal counsel, a real-time threat feed, or a vendor performance rating — all three fall outside this directory's coverage.

How information is organized

Directory content is drawn from named public sources: federal agency publications, enacted statutes, recognized standards bodies such as NIST and ISO/IEC, and official regulatory guidance from agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Trade Commission (FTC). No proprietary databases or vendor-sponsored research serves as primary sourcing.

Entries are classified along two axes:

Reference entries vs. service category entries. Reference entries describe frameworks, standards, regulatory bodies, and compliance requirements. Service category entries describe practitioner roles, certification pathways, and provider categories — without ranking or endorsing specific organizations.

Federal vs. sector-specific scope. Federal-scope entries apply broadly across public and private sectors (e.g., NIST frameworks, CISA directives). Sector-specific entries are bounded by industry (e.g., HIPAA applicability to covered entities and business associates, or PCI DSS v4.x applicability to entities that store, process, or transmit payment card data, a contractual industry standard rather than a statute).

This two-axis classification prevents conflation between a broadly applicable control framework and a sector-specific compliance obligation — a distinction that matters when professionals are mapping controls to a specific regulatory environment.

The full scope of what this directory covers, and the 4 content categories explicitly excluded from it, is documented on the Directory Purpose and Scope page.


Limitations and scope

This directory operates at national scope within the United States. State-level variation — including differences across state data breach notification laws, state-enacted biometric privacy statutes such as the Illinois Biometric Information Privacy Act (740 ILCS 14), and state attorney general enforcement authority — is acknowledged in applicable entries but not resolved. Directory content names relevant statutes; it does not interpret their application to specific organizational fact patterns.

Four content types are explicitly outside this directory's scope:

  1. Real-time threat intelligence. Live indicators of compromise, active CVE advisories, and current incident data are maintained by primary sources including the CISA Known Exploited Vulnerabilities Catalog and the NIST National Vulnerability Database.
  2. Jurisdiction-specific legal opinions. The directory references statutory frameworks but does not provide compliance determinations, legal interpretations, or advice applicable to any specific organization's facts.
  3. Vendor product reviews or ratings. No commercial security platform, managed identity service provider, or software tool is scored, ranked, or recommended within these listings.
  4. Incident response retainer services. Incident response is described as a practice category with defined professional standards; the directory does not connect readers to active service engagements.

These boundaries reflect the directory's function as a structured reference resource for a professional audience navigating a complex regulatory and service landscape — not as a substitute for licensed counsel, technical procurement analysis, or real-time operational intelligence.
