Contact

Smart Security Authority serves as a national reference directory for the cybersecurity services sector, covering licensed providers, regulatory frameworks, and professional qualification standards across the United States. This page describes the scope of inquiries the directory handles, what information to include when submitting a message, and what response timelines to expect based on inquiry type.

Service area covered

Smart Security Authority covers the United States cybersecurity services sector at a national scale, with directory scope extending across all 50 states and the District of Columbia. The directory indexes and references professional service providers, certification bodies, and regulatory frameworks operating under federal and state-level authority, including standards maintained by the National Institute of Standards and Technology (NIST Cybersecurity Framework) and oversight structures established under the Cybersecurity and Infrastructure Security Agency (CISA).

Inquiries within scope fall into four primary categories:

1. Listing inquiries — Questions about existing directory entries, corrections to provider information, or requests to add a qualified cybersecurity service provider to the Smart Security Listings index.
2. Regulatory reference inquiries — Questions about how the directory classifies providers under applicable federal frameworks, including NIST SP 800-series standards or Federal Information Security Management Act (FISMA) compliance designations.
3. Research and editorial inquiries — Requests from journalists, academic researchers, or policy analysts seeking clarification on directory methodology, scope definitions, or sector classification boundaries.
4. Technical and operational inquiries — Reports of broken links, duplicate listings, outdated provider information, or other directory maintenance issues.

Inquiries outside scope include requests for legal advice, personalized security assessments, vendor referrals, and price comparisons between listed providers. The directory does not evaluate, endorse, or rank individual service providers against one another.

What to include in your message

The completeness of an initial message directly determines the speed and accuracy of any response. Incomplete submissions typically require at least one follow-up exchange before substantive processing can begin, adding 3 to 5 business days to resolution time.

Messages should include the following, matched to inquiry type:

For listing additions or corrections:
- Full legal name of the provider organization
- Primary state of licensure or registration, including the issuing authority (e.g., a state department of consumer affairs, or federal contractor registration number under SAM.gov)
- Relevant professional certifications held, such as Certified Information Systems Security Professional (CISSP) issued by (ISC)², or Certified Information Security Manager (CISM) issued by ISACA
- The specific listing or directory section the inquiry concerns — reference Smart Security Listings for current category structure

For regulatory reference inquiries:
- The specific NIST publication, CISA advisory, or statutory provision in question (e.g., NIST SP 800-53 Rev 5, 44 U.S.C. § 3551 for FISMA)
- A description of how the directory's classification appears inconsistent with the cited standard
- The URL or page title of the directory entry in question

For research and editorial inquiries:
- Organizational affiliation and publication or institutional context
- Specific methodology questions or data points requested
- Intended publication format and target audience

For technical reports:
- The full URL of the affected page
- A description of the observed error, including browser and device type where relevant
- A screenshot or screen recording where the issue is visual in nature

Messages that combine multiple inquiry types should label each section clearly. Unlabeled multi-topic messages are routed to the lowest-priority queue by default.

Response expectations

Response timelines vary by inquiry classification. The directory operates on a structured triage system aligned with inquiry complexity and regulatory sensitivity.

• Technical and operational reports — Acknowledged as processing allows; resolved or escalated as processing allows depending on the scope of the underlying issue.
• Listing additions and corrections — Initial review completed as processing allows. Listings involving regulated service sectors — such as providers operating under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR Part 164) or financial sector requirements under the Gramm-Leach-Bliley Act — require additional verification steps that extend timelines to 10 to 15 business days.
• Regulatory reference and editorial inquiries — Substantive responses issued as processing allows for clearly scoped questions. Broad methodological reviews may be deferred to scheduled editorial cycles.

The directory does not provide emergency response channels. Time-sensitive cybersecurity incidents should be directed to CISA's 24-hour reporting line or the FBI's Internet Crime Complaint Center (IC3) — both of which maintain operational capacity outside normal business hours.

Additional contact options

For matters related to the purpose, structure, and classification methodology of this directory, the reference page Smart Security Directory Purpose and Scope contains detailed documentation on how service categories are defined and how providers qualify for inclusion. Reviewing that documentation before submitting a regulatory reference inquiry eliminates the most common sources of classification questions.

Providers or researchers seeking to understand how the directory is organized as a navigation tool should consult How to Use This Smart Security Resource, which describes the directory's structural hierarchy, search and filter logic, and the distinction between listed, verified, and referenced provider categories.

Correspondence involving providers subject to the Federal Trade Commission's cybersecurity enforcement authority — including obligations under the FTC Act, 15 U.S.C. § 45, or the FTC's Safeguards Rule — should identify the relevant statutory basis in the message body to ensure routing to the appropriate editorial review process. The directory does not adjudicate compliance disputes but does update classification designations when a provider's regulatory standing changes based on publicly available enforcement records.