Cybersecurity Directory: Purpose and Scope
The Network Audit Authority cybersecurity directory maps the professional service landscape for organizations seeking qualified network audit and cybersecurity assessment providers across the United States. It covers practitioner categories, firm types, qualification standards, and the regulatory frameworks that govern network security work — structured as an operational reference for service seekers, procurement teams, compliance officers, and independent researchers. The directory is organized around the full spectrum of network audit disciplines, from network vulnerability assessment and firewall rule audit to compliance-mapped engagements under PCI DSS, HIPAA, and FedRAMP. Understanding how the directory is structured, what standards govern inclusion, and how listings are maintained enables informed, efficient sourcing decisions.
Geographic coverage
The directory operates at national scope across all 50 US states and the District of Columbia. Coverage prioritizes firms and independent practitioners who hold active engagements or registered business presence in the United States, including those operating under federal contract vehicles such as GSA Schedule 70 (now consolidated into GSA Multiple Award Schedule, Special Item Number 54151S for IT professional services).
Listings are segmented by primary geographic service area — national, multi-state regional, and single-state local — to support sourcing by organizations with jurisdiction-specific compliance obligations. For example, firms serving California-regulated entities must navigate the California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100 et seq.) in addition to federal frameworks, while firms serving HIPAA covered entities and their business associates must demonstrate familiarity with the HIPAA Security Rule under 45 CFR Parts 160 and 164. Coverage does not extend to non-US firms unless they hold a US-registered operating entity and demonstrate active service delivery within US regulatory jurisdictions.
How to use this resource
The directory is structured to support three distinct use cases: direct provider sourcing, competitive landscape research, and compliance-framework matching.
For direct sourcing, browse the cybersecurity listings index filtered by service category — such as wireless network audit, cloud network audit, or network segmentation audit — and cross-reference provider credentials against the qualification standards described below.
For landscape research, the directory provides classification data on firm size, specialization depth, and framework alignment. Procurement teams evaluating whether to retain a general-purpose IT security firm versus a specialist auditor will find the network security audit vs penetration test distinction relevant to scoping decisions: an audit assesses configuration and controls against a defined standard, whereas a penetration test attempts to exploit weaknesses, and the two produce different deliverables and require different credentials.
For compliance-framework matching, listings are tagged against the five primary US-applicable frameworks:
- NIST Cybersecurity Framework (CSF) — voluntary framework published by the National Institute of Standards and Technology, applicable across critical infrastructure sectors
- PCI DSS — contractually mandated by the payment card brands for entities that store, process, or transmit cardholder data; the standard is maintained by the PCI Security Standards Council
- HIPAA Security Rule — federal mandate for covered entities and business associates under HHS enforcement
- FedRAMP — federal authorization program managed by GSA for cloud service providers serving federal agencies
- CIS Controls — prioritized security controls published by the Center for Internet Security, widely adopted as a baseline for SMB and mid-market organizations
Standards for inclusion
Listings in this directory must meet documented qualification thresholds. These thresholds reflect industry credentialing norms and are not substitutes for independent due diligence by procuring organizations.
Credential requirements — At least one principal or lead practitioner associated with a listed firm must hold an active, verifiable credential from a recognized body. Qualifying credentials include:
- Certified Information Systems Security Professional (CISSP), issued by (ISC)²
- Certified Information Security Manager (CISM), issued by ISACA
- Certified Ethical Hacker (CEH), issued by EC-Council
- GIAC Security Essentials (GSEC) or GIAC Certified Enterprise Defender (GCED), issued by GIAC, the certification body affiliated with the SANS Institute
- CompTIA Security+ or CompTIA Network+ at minimum for supporting practitioner roles
The full credential landscape is documented at network auditor certifications.
Operational distinction — firm vs. independent practitioner: The directory recognizes both categories but classifies them separately. Firms are defined as entities with two or more billable practitioners, formal engagement agreements, and documented quality assurance processes. Independent practitioners are solo professionals operating under individual contracts. This distinction matters for enterprise procurement contexts where continuity-of-service and liability requirements favor firm-based engagements, while smaller-scope work — addressed in depth at network audit for small business — may be appropriately served by a credentialed independent.
Scope documentation: Listed providers must specify whether their services include evidence collection per network audit evidence collection standards, formal reporting deliverables aligned with network audit reporting norms, and remediation support as described in network audit findings remediation.
How the directory is maintained
Listings are reviewed on a 12-month cycle for credential currency, business status, and framework alignment. Credential expiration, business dissolution, or material changes in service scope trigger immediate review outside the standard cycle.
The maintenance process follows a three-phase structure:
- Verification — Credential status confirmed against the issuing bodies' public registries: (ISC)² member verification, the ISACA certification verification portal, EC-Council credential lookup, and the GIAC certified professionals directory for GSEC and GCED holders
- Reconciliation — Service scope and geographic coverage cross-checked against publicly available firm documentation, including state business registration records and GSA SAM.gov registrations where applicable
- Classification update — Framework tags, practitioner counts, and specialization categories updated to reflect current service offerings
Listings flagged during review are placed in a pending status visible to directory users until verification is complete. Listings that cannot be verified within 60 days of a review cycle are removed. This policy ensures that the directory reflects an accurate, actionable picture of the active US cybersecurity audit service market rather than a historical archive of providers.