Contact
Smart Security Authority serves as a national reference provider network for the cybersecurity services sector, covering licensed providers, regulatory frameworks, and professional qualification standards across the United States. This page describes the scope of inquiries the provider network handles, what information to include when submitting a message, and what response timelines to expect based on inquiry type.
Service area covered
Smart Security Authority covers the United States cybersecurity services sector at a national scale, with provider network scope extending across all 50 states and the District of Columbia. The provider network indexes and references professional service providers, certification bodies, and regulatory frameworks operating under federal and state-level authority, including standards maintained by the National Institute of Standards and Technology (NIST Cybersecurity Framework) and oversight structures established under the Cybersecurity and Infrastructure Security Agency (CISA).
Inquiries within scope fall into four primary categories:
- Provider inquiries — Questions about existing provider network entries, corrections to provider information, or requests to add a qualified cybersecurity service provider to the Smart Security Providers index.
- Regulatory reference inquiries — Questions about how the provider network classifies providers under applicable federal frameworks, including NIST SP 800-series standards or Federal Information Security Management Act (FISMA) compliance designations.
- Research and editorial inquiries — Requests from journalists, academic researchers, or policy analysts seeking clarification on provider network methodology, scope definitions, or sector classification boundaries.
- Technical and operational inquiries — Reports of broken links, duplicate providers, outdated provider information, or other provider network maintenance issues.
Inquiries outside scope include requests for legal advice, personalized security assessments, vendor referrals, and price comparisons between verified providers. The provider network does not evaluate, endorse, or rank individual service providers against one another.
What to include in your message
The completeness of an initial message directly determines the speed and accuracy of any response. Incomplete submissions typically require at least one follow-up exchange before substantive processing can begin, adding 3 to 5 business days to resolution time.
Messages should include the following, matched to inquiry type:
For provider additions or corrections:
- Full legal name of the provider organization
- Primary state of licensure or registration, including the issuing authority (e.g., a state department of consumer affairs, or federal contractor registration number under SAM.gov)
- Relevant professional certifications held, such as Certified Information Systems Security Professional (CISSP) issued by (ISC)², or Certified Information Security Manager (CISM) issued by ISACA
- The specific provider or provider network section the inquiry concerns — reference Smart Security Providers for current category structure
For regulatory reference inquiries:
- The specific NIST publication, CISA advisory, or statutory provision in question (e.g., NIST SP 800-53 Rev 5, 44 U.S.C. § 3551 for FISMA)
- A description of how the provider network's classification appears inconsistent with the cited standard
- The URL or page title of the provider network entry in question
For research and editorial inquiries:
- Organizational affiliation and publication or institutional context
- Specific methodology questions or data points requested
- Intended publication format and target audience
For technical reports:
- The full URL of the affected page
- A description of the observed error, including browser and device type where relevant
- A screenshot or screen recording where the issue is visual in nature
Messages that combine multiple inquiry types should label each section clearly. Unlabeled multi-topic messages are routed to the lowest-priority queue by default.
Response expectations
Response timelines vary by inquiry classification. The provider network operates on a structured triage system aligned with inquiry complexity and regulatory sensitivity.
- Technical and operational reports — Acknowledged, then resolved or escalated, as processing allows, depending on the scope of the underlying issue.
- Provider additions and corrections — Initial review completed as processing allows. Providers involving regulated service sectors — such as providers operating under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR Part 164) or financial sector requirements under the Gramm-Leach-Bliley Act — require additional verification steps that extend timelines to 10 to 15 business days.
- Regulatory reference and editorial inquiries — Substantive responses issued as processing allows for clearly scoped questions. Broad methodological reviews may be deferred to scheduled editorial cycles.
The provider network does not provide emergency response channels. Time-sensitive cybersecurity incidents should be directed to CISA's 24-hour reporting line or the FBI's Internet Crime Complaint Center (IC3) — both of which maintain operational capacity outside normal business hours.
Additional contact options
For matters related to the purpose, structure, and classification methodology of this provider network, the reference page Smart Security Provider Network Purpose and Scope contains detailed documentation on how service categories are defined and how providers qualify for inclusion. Reviewing that documentation before submitting a regulatory reference inquiry eliminates the most common sources of classification questions.
Providers or researchers seeking to understand how the provider network is organized as a navigation tool should consult How to Use This Smart Security Resource, which describes the provider network's structural hierarchy, search and filter logic, and the distinction between verified and referenced provider categories.
Correspondence involving providers subject to the Federal Trade Commission's cybersecurity enforcement authority — including obligations under the FTC Act, 15 U.S.C. § 45, or the FTC's Safeguards Rule — should identify the relevant statutory basis in the message body to ensure routing to the appropriate editorial review process. The provider network does not adjudicate compliance disputes but does update classification designations when a provider's regulatory standing changes based on publicly available enforcement records.