How to Use This Cybersecurity Resource

The National Digital Security Authority organizes public-sector and professional cybersecurity reference material across federal regulatory frameworks, sector-specific compliance requirements, workforce standards, and threat response resources. This page describes how the directory is structured, what content falls within and outside its scope, how factual accuracy is maintained, and how practitioners and researchers should position this resource alongside authoritative primary sources such as agency publications and statutory codes.


Limitations and scope

This directory covers the United States cybersecurity landscape at the national level, with content organized across federal agencies, compliance frameworks, sector-specific mandates, and professional credential standards. It does not constitute legal counsel, compliance certification, or regulatory guidance — determinations of legal obligation require consultation with qualified legal professionals and direct reference to governing statutes and agency rules.

Content boundaries are defined by the following classification structure:

  1. Federal regulatory content — Statutes, agency rules, and enforcement frameworks administered by bodies including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Office of Civil Rights within HHS.
  2. Sector-specific compliance requirements — Mandates applicable to defined industries such as healthcare (HIPAA, 45 CFR Parts 160 and 164), financial services (GLBA, NYDFS Part 500), energy (NERC CIP standards), and defense contracting (CMMC, 32 CFR Part 170).
  3. Professional and workforce standards — Credential frameworks, workforce development programs, and certification bodies such as (ISC)², ISACA, and CompTIA as documented in published certification catalogues.
  4. Threat and incident resources — Publicly available intelligence sources, incident reporting channels, and response frameworks.

This resource does not track active threat alerts, publish real-time vulnerability disclosures, or maintain a ticketing or advisory function. Organizations seeking live threat intelligence should consult CISA Resources and Programs or the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Geographic scope is limited to United States jurisdictions. International frameworks — ISO/IEC 27001, the EU's NIS2 Directive, GDPR — appear only where they intersect with US compliance obligations affecting domestic organizations.


How to find specific topics

The directory is organized into discrete content categories that map to recognized regulatory and professional domains. Navigating efficiently requires understanding which category applies to the operational question at hand.

By regulatory domain: Practitioners working within a specific regulatory framework should begin with the framework's dedicated reference page. The NIST Cybersecurity Framework page covers the structure of CSF 2.0 and its predecessor, including the Govern, Identify, Protect, Detect, Respond, and Recover function tiers. The US Cybersecurity Regulatory Framework page maps the broader statutory landscape.

By sector: Organizations operating in regulated industries should use sector-specific pages rather than general compliance overviews. The Healthcare Cybersecurity Requirements page covers HIPAA Security Rule obligations and OCR enforcement data. The Financial Sector Cybersecurity Compliance page addresses GLBA Safeguards Rule updates effective 2023 and NYDFS Part 500 amendment obligations. The Government Contractor Cybersecurity Requirements page covers CMMC 2.0 phased rollout and DFARS clause requirements.

By function or topic:

For terminology clarification, the Cybersecurity Glossary provides definitions aligned to NIST SP 800-53 Rev 5 and CNSS Instruction No. 4009 terminology standards.


How content is verified

Reference content in this directory is grounded in named primary sources: federal statutes and the Code of Federal Regulations, agency-published guidance documents, official standards body publications, and publicly accessible government program documentation. No content is synthesized from unattributed secondary commentary or marketing materials.

Specific practices applied to content accuracy:

Content does not include attorney interpretations, enforcement predictions, or compliance gap assessments. Discrepancies between content in this directory and the text of a governing regulation should always be resolved by reference to the primary regulatory source — CISA (cisa.gov), NIST (csrc.nist.gov), FTC (ftc.gov), or the relevant agency's official publication channel.


How to use alongside other sources

This directory functions as a structured reference index — not a replacement for primary regulatory documents, legal analysis, or agency bulletins. The appropriate use model depends on the professional context.

Comparison: Directory reference vs. primary regulatory source

| Use case | This directory | Primary source |
|---|---|---|
| Identifying which framework applies to a sector | Appropriate starting point | Not needed for scoping |
| Confirming exact penalty ceiling or statutory threshold | Cross-reference only | Required — use agency or CFR text |
| Understanding framework structure and phases | Full coverage | Supplement with NIST publication |
| Determining current enforcement posture | Not applicable | CISA, FTC, OCR advisories |
| Professional credential requirements | Accurate as of named publication date | Verify with credential body directly |

For organizations managing active compliance programs, this directory should be used in parallel with Federal Cybersecurity Agencies as an index to agency resources, and with Cybersecurity Listings when identifying qualified service providers operating in specific regulatory domains. Researchers mapping the full national policy landscape should cross-reference the National Cybersecurity Strategy page against the Office of the National Cyber Director's published strategy documents (ONCD, 2023).

State-level obligations — which vary across 50 distinct breach notification statutes and an expanding set of consumer privacy laws — require direct review of state attorney general publications in addition to the summary content available at State Cybersecurity Laws by State.
