National Cyber Security Authority

The US cybersecurity sector encompasses a dense matrix of federal agencies, sector-specific regulators, legislative frameworks, and voluntary standards bodies that collectively govern how organizations identify, protect against, detect, respond to, and recover from cyber threats. This reference property covers that full operational landscape — from the statutory foundations of federal cyber law to the certification standards that qualify practitioners, the regulatory mandates that bind critical infrastructure operators, and the incident response protocols activated when breaches occur. With 40 published reference pages spanning agencies, legislation, sector requirements, workforce development, and threat intelligence, this site functions as a structured navigation point for professionals, researchers, and policy-oriented service seekers who need authoritative grounding in how US cybersecurity is organized and enforced.


Where the public gets confused

The most persistent confusion in the cybersecurity service sector is the conflation of voluntary frameworks with binding regulatory requirements. The NIST Cybersecurity Framework (NIST CSF), developed by the National Institute of Standards and Technology under Executive Order 13636 (2013), is a voluntary framework for most private-sector entities — yet it carries de facto compliance weight for federal contractors, critical infrastructure operators, and any organization responding to a federal solicitation. Treating it as optional across the board is a significant operational error.

A second common confusion involves agency jurisdiction. The Cybersecurity and Infrastructure Security Agency (CISA) holds the lead coordinating role for civilian federal network defense and critical infrastructure resilience under the Cybersecurity and Infrastructure Security Agency Act of 2018 (Public Law 115-278), but it does not hold enforcement authority over private-sector entities the way the Federal Trade Commission (FTC) or the Securities and Exchange Commission (SEC) do. Conflating CISA's advisory and coordination function with the enforcement mandates of sector regulators produces misaligned compliance planning.

A third area of confusion: the term "cybersecurity compliance" is not a single standard. For a healthcare entity, compliance is anchored in the HIPAA Security Rule (45 CFR Part 164). For a financial institution, the Gramm-Leach-Bliley Act Safeguards Rule and the FFIEC Cybersecurity Assessment Tool apply. For defense contractors, CMMC (Cybersecurity Maturity Model Certification) governs. These are distinct frameworks with distinct enforcement bodies, and conflating them leads to material compliance gaps.


Boundaries and exclusions

This reference property covers the US national cybersecurity landscape — federal and state regulatory structures, sector-specific mandates, workforce standards, and threat-response architecture. It does not function as legal counsel, compliance certification, or product evaluation.

Physical security, while intersecting with cybersecurity in operational technology (OT) and industrial control system (ICS) contexts, is addressed here only where the regulatory overlap is direct and documented. Privacy law is treated as an adjacent domain — the Privacy Laws and Cybersecurity Intersection reference page addresses where security obligations and data protection law converge, but privacy law itself (state consumer privacy statutes, GDPR applicability to US entities) is not the primary subject.

International cybersecurity frameworks — the EU's NIS2 Directive, ISO/IEC 27001, or bilateral cyber agreements — are referenced only where they affect US regulatory obligations or federal procurement standards. Non-US frameworks are not independently catalogued here.

The site does not catalogue commercial cybersecurity products, managed security service providers (MSSPs), or vendor-specific solutions. The Cybersecurity Listings directory covers service providers operating in the sector, while this reference architecture addresses the regulatory and structural environment in which those providers operate.


The regulatory footprint

US cybersecurity regulation is distributed across at least 12 federal agencies with direct enforcement or standard-setting authority. The following table maps the primary regulatory actors to their jurisdiction and primary legal authority:

| Agency | Jurisdictional Domain | Primary Authority |
|---|---|---|
| CISA | Civilian federal networks; critical infrastructure coordination | Pub. L. 115-278 (CISA Act 2018) |
| FTC | Consumer data security practices | FTC Act §5; GLBA Safeguards Rule |
| SEC | Public company cyber disclosure and risk governance | Securities Exchange Act; 2023 Cyber Disclosure Rules |
| HHS / OCR | Healthcare entity security | HIPAA Security Rule (45 CFR §164) |
| FFIEC | Financial institution cybersecurity assessment | Bank Secrecy Act; Gramm-Leach-Bliley Act |
| DoD / OUSD(A&S) | Defense contractor security posture | DFARS 252.204-7012; CMMC 2.0 |
| FERC / NERC | Electric grid and energy sector | Energy Policy Act 2005; NERC CIP Standards |
| FCC | Telecom network security | Communications Act §222, §255 |
| FinCEN | Financial sector cybercrime reporting | Bank Secrecy Act |
| FBI Cyber Division | Criminal investigation and threat intelligence | 18 U.S.C. §1030 (CFAA) |
| NSA / CISA (joint) | National security system standards | NSTISSP, CNSS Instructions |
| NIST | Voluntary frameworks and federal information standards | FISMA 2014; OMB Circular A-130 |

This multi-agency landscape is a structural feature of US regulatory architecture, not a gap. The US Cybersecurity Regulatory Framework page provides a detailed treatment of how these mandates layer and where jurisdictions overlap.

Federal spending on civilian cybersecurity exceeded $11 billion in fiscal year 2023 (Office of Management and Budget, Federal Cybersecurity Risk Determination Report), reflecting the scale at which federal regulatory enforcement and investment operate.


What qualifies and what does not

Not every IT security activity constitutes regulated cybersecurity practice under federal or state law. The distinction matters for organizations determining compliance scope and for practitioners assessing licensure or certification requirements.

Regulated activity categories:
- Handling of federal contract information (FCI) or controlled unclassified information (CUI) under 32 CFR Part 2002 and NIST SP 800-171
- Operating or managing systems that fall within 16 designated critical infrastructure sectors (as defined by Presidential Policy Directive 21)
- Providing data security for covered health information under HIPAA
- Maintaining cybersecurity programs at financial institutions subject to GLBA or state-level equivalents
- Publicly reporting material cybersecurity incidents as a Securities Act registrant under the SEC's 2023 cyber disclosure rules

Non-regulated but standard-subject activity:
- General enterprise IT security following NIST CSF or ISO/IEC 27001 on a voluntary basis
- Cybersecurity consulting and advisory services (no federal licensure required; state-level private investigator statutes may apply in limited contexts)
- Penetration testing and red team services (governed by contract and Computer Fraud and Abuse Act applicability, not sector regulation)

Qualification standards for practitioners are addressed separately in the Cybersecurity Certifications Recognized reference, which covers CISSP, CISM, CompTIA Security+, and DoD 8140 mappings.


Primary applications and contexts

The operational deployment of cybersecurity regulation and frameworks spans five primary contexts in the US:

1. Federal agency information security — governed by FISMA 2014 (44 U.S.C. §3551 et seq.), requiring agencies to implement NIST SP 800-series controls, conduct annual security reviews, and report to OMB and Congress.

2. Critical infrastructure protection — 16 sectors (energy, water, transportation, financial services, healthcare, communications, and 10 others) operate under sector-specific plans aligned with Presidential Policy Directive 21 and the Critical Infrastructure Protection framework maintained by CISA.

3. Defense industrial base — approximately 300,000 companies in the defense supply chain are subject to DFARS cybersecurity clauses and, progressively, CMMC 2.0 certification requirements administered through the DoD. The Defense Industrial Base Cybersecurity reference covers this sector's specific requirements.

4. Financial and healthcare sectors — both sectors operate under long-standing, sector-specific regulatory regimes with dedicated examination and enforcement authority. The Financial Sector Cybersecurity and Healthcare Cybersecurity and HIPAA pages address these in detail.

5. State-level programs — all 50 US states have enacted at least one data breach notification law, and a growing number have enacted standalone cybersecurity statutes applicable to state agencies or regulated industries. The State Cybersecurity Programs reference maps the variance across jurisdictions.


How this connects to the broader framework

This site sits within the professionalservicesauthority.com industry authority network, which maintains reference properties across regulated professional and technical verticals. Within the cybersecurity vertical, the reference architecture spans agencies, legislation, sector requirements, workforce, and operational frameworks — 40 published pages covering the full structural landscape from federal executive orders to grant programs to small business guidance.

The layered reference model reflects the actual structure of US cybersecurity governance: no single statute, no single agency, and no single framework constitutes the complete picture. The National Cybersecurity Strategy page addresses the executive-level policy architecture, while Key US Cybersecurity Legislation covers the statutory layer, and Presidential Executive Orders on Cybersecurity tracks the executive instrument layer that has historically driven policy faster than the legislative process.

Sector-specific requirements are addressed in dedicated reference pages covering energy, financial services, healthcare, defense, election infrastructure, and operational technology. Sector-Specific Cybersecurity Requirements provides the cross-sector index.


Scope and definition

Cybersecurity, as defined by NIST under NIST IR 7298, encompasses the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication — including the information contained therein — to ensure availability, integrity, authentication, confidentiality, and nonrepudiation (NIST Computer Security Resource Center).

CISA uses an operationally equivalent framing: cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information (CISA.gov).

The "CIA triad" — Confidentiality, Integrity, Availability — is the foundational classification used across NIST SP 800-53 Rev 5 (the federal control catalog), FISMA, and sector-specific frameworks to categorize security objectives and control families.

Classification of cybersecurity domains within this reference architecture:

| Domain | Regulatory Anchor | Key Standards |
|---|---|---|
| Identity & Access Management | OMB M-22-09 (Zero Trust); NIST SP 800-63 | FIDO2, PIV/CAC |
| Network & Perimeter Security | NIST SP 800-41 | NIST CSF PR.AC |
| Incident Response | NIST SP 800-61 Rev 2 | Incident Response National Protocols |
| Supply Chain Risk Management | NIST SP 800-161 Rev 1 | EO 14028; Supply Chain Cybersecurity |
| Cloud Security | FedRAMP (OMB M-11-30) | NIST SP 800-145; FedRAMP |
| OT/ICS Security | NERC CIP; NIST SP 800-82 | OT/ICS Cybersecurity |


Why this matters operationally

Cybersecurity is no longer a discretionary technical function. The SEC's cyber disclosure rules effective December 2023 require public companies to disclose material cybersecurity incidents within a set period after determining that an incident is material (SEC Final Rule: Cybersecurity Risk Management, Disclosure). The average cost of a data breach in the United States reached $9.48 million in 2023, the highest of any country (IBM Cost of a Data Breach Report 2023). CISA's Known Exploited Vulnerabilities (KEV) catalog, established under Binding Operational Directive 22-01, mandates remediation timelines for federal agencies and serves as a de facto risk prioritization signal for private-sector operators.

The operational stakes extend beyond compliance exposure. Ransomware attacks against healthcare, water, and energy infrastructure have triggered federal emergency declarations and coordinated multi-agency responses. The Ransomware National Response reference covers the federal response architecture, including StopRansomware.gov and CISA's ransomware vulnerability warning pilot.

Workforce qualification is a structural constraint: the US cybersecurity workforce gap was estimated at approximately 500,000 unfilled positions as of 2023 (CyberSeek, NICE/NIST), directly affecting organizational capacity to implement the controls that regulation requires. The Cybersecurity Workforce Development reference addresses the federal and state programs designed to close that gap.

The structural complexity of US cybersecurity governance — distributed enforcement, layered frameworks, sector-specific carve-outs, and a rapidly expanding legislative record — makes structured reference navigation a functional necessity for any organization operating in a regulated sector or serving federal clients.


References