Identity Security Listings
The identity security listings on this directory organize publicly documented service categories, practitioner credentials, regulatory frameworks, and compliance standards relevant to organizations managing identity and access functions across US enterprise and public-sector environments. Listings span the full operational scope of identity security — from authentication infrastructure and privileged access governance to breach response and federal compliance architecture. The Identity Security Directory: Purpose and Scope page defines the outer boundaries of what this directory covers and where its authority ends.
How to use listings alongside other resources
Directory listings function as structured reference points, not as procurement guides or compliance determinations. A professional using this directory to map the identity security service landscape will find listings most useful when combined with primary regulatory documents, published standards, and qualified practitioner guidance — not as a substitute for those sources.
The How to Use This Identity Security Resource page describes the verification hierarchy applied to all directory content: primary statutory and regulatory sources (such as the Federal Information Security Modernization Act, 44 U.S.C. § 3551 et seq.) carry greater authority than secondary synthesis, and no vendor-sponsored or unattributed research is used as primary sourcing. Listings reference named bodies — the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB) — to anchor each service category in its regulatory context.
Researchers cross-referencing listings with live threat data should consult the CISA Known Exploited Vulnerabilities Catalog and the NIST National Vulnerability Database directly. Those sources publish real-time indicators that fall outside this directory's static reference scope.
How listings are organized
Listings are structured across 4 primary classification categories, each corresponding to a distinct operational domain within identity security:
- Identity and Access Management (IAM) — Service providers and frameworks governing authentication, authorization, directory services, and user lifecycle management. Standards anchors include NIST Special Publication 800-63 (Digital Identity Guidelines) and the NIST Cybersecurity Framework (CSF) 2.0, published by the National Institute of Standards and Technology.
- Privileged Access Management (PAM) — Specialized controls governing elevated-privilege accounts, administrative credential vaulting, and just-in-time access. PAM categories are distinguished from general IAM by their focus on high-risk access paths that are primary targets in credential-based intrusions.
- Identity Governance and Administration (IGA) — Frameworks and service categories addressing role-based access control (RBAC), access certification, separation of duties, and audit trail integrity. IGA functions are explicitly required under federal frameworks including FISMA and OMB Circular A-130.
- Zero Trust Identity Architecture — Service categories implementing continuous verification principles as defined in NIST Special Publication 800-207 (Zero Trust Architecture). Zero Trust listings are distinguished from perimeter-based IAM listings by their reliance on identity as the primary security control plane rather than network boundary enforcement.
The distinction between PAM and IGA is operationally significant: PAM listings address real-time session control and credential isolation, while IGA listings address lifecycle governance, attestation cycles, and audit compliance functions. Both appear as separate classification nodes within the directory.
What each listing covers
Each listing in this directory contains a defined set of structured fields drawn from publicly available documentation:
- Service category name — The recognized industry or regulatory term for the practice area, aligned with nomenclature used by NIST, CISA, or the Identity Defined Security Alliance (IDSA) where applicable.
- Regulatory anchors — Specific statutes, federal rules, or published standards that govern or define the category (e.g., 44 U.S.C. § 3551, 13 C.F.R. Part 121, NIST SP 800-53 Rev. 5 control families).
- Practitioner credential categories — Recognized professional certifications relevant to the service area, such as those issued by (ISC)², ISACA, or the Cloud Security Alliance (CSA).
- Scope boundaries — Explicit statements of what the listing does and does not cover, distinguishing the reference function from legal interpretation or procurement recommendation.
- Primary source references — Named documents, agency URLs, or statutory citations from which listing content is derived.
Listings do not include vendor product ratings, commercial endorsements, or real-time incident data. A listing describing credential theft as a threat category references CISA and NIST definitions of account takeover — it does not rank detection tools or recommend specific software platforms.
Geographic distribution
This directory operates at national scope within the United States. The regulatory architecture governing identity security is primarily federal, with 3 principal statutory frameworks shaping coverage: the Federal Information Security Modernization Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Parts 160 and 164), and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 C.F.R. Part 314) as administered by the Federal Trade Commission.
State-level variation is acknowledged in listings where relevant — all 50 states have enacted data breach notification laws, per the National Conference of State Legislatures — but state-specific legal interpretation falls outside the directory's scope. Listings name applicable state regulatory frameworks without resolving jurisdiction-specific compliance determinations.
Federal agency-specific requirements, including those published by the Office of Personnel Management (OPM) for identity credentialing under Homeland Security Presidential Directive 12 (HSPD-12), are covered as distinct listing categories given their mandatory applicability to federal agencies and contractors. Sector-specific frameworks — including the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) and the Financial Industry Regulatory Authority (FINRA) cybersecurity guidance — appear as named regulatory anchors within relevant service category listings.
The full scope of covered categories and their geographic applicability is documented in the Identity Security Listings index, which reflects the national regulatory footprint of identity security obligations across both public and private sectors.