Back to the NAICS recommender

NAICS Code for Cybersecurity

Cybersecurity doesn't have its own dedicated NAICS code, which means cybersecurity contractors have to pick from adjacent IT codes that happen to capture security work. The choice affects which contract opportunities you see and which set-asides apply to your bids.

Primary NAICS codes for cybersecurity

541512: Computer Systems Design Services ($34M size standard) Use this for security architecture, systems design, integration of security tools into client environments, and security engineering. This is the most common primary for cybersecurity firms.

541519: Other Computer Related Services ($34M size standard) Use this for security operations, monitoring, incident response, and services that don't fit more specific codes. Some MSSPs primary here.

541511: Custom Computer Programming Services ($34M size standard) Use this if your core work is developing security software, building custom security tools, or writing secure code.

541690: Other Scientific and Technical Consulting Services ($19M size standard) Use this for cybersecurity advisory, GRC consulting, compliance assessment, and policy development. Lower size standard than the computer-specific codes but a better fit for pure consulting work.

Secondary NAICS codes to consider

541611: Administrative Management and General Management Consulting ($24.5M) For CISO-level consulting, cybersecurity strategy, and program management.

541618: Other Management Consulting Services ($19.5M) For specialized cyber risk consulting that doesn't fit 541611.

518210: Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services ($44M) For managed security services, SOC operations, and security infrastructure hosting.

541715: Research and Development in Physical, Engineering, and Life Sciences (varies) For cybersecurity R&D work, especially under DoD, DHS, and NSF.

Which code should be your primary

Cybersecurity firms tend to sit on one of three lanes:

Product/engineering firms (building security tools, custom code) primary under 541511 or 541512 depending on whether the work is more about writing code or designing systems.

Services/operations firms (MSSP, SOC, monitoring, incident response) primary under 541519 or 541512. The choice matters because 541519 has less competition but also sometimes fewer awarded contracts.

Consulting/advisory firms (compliance, GRC, strategy) primary under 541690 or 541611. Accepting the lower size standard ($19M for 541690) is worth it because your work lives under those codes and contracting officers search them specifically.

CMMC and federal cybersecurity context

The Cybersecurity Maturity Model Certification (CMMC) is reshaping federal cybersecurity contracting. Contractors working with DoD, DHS, and increasingly civilian agencies need CMMC Level 2 certification to handle CUI.

Your NAICS codes don't change based on CMMC status, but contracting officers increasingly filter by certification level when searching. Make sure your SAM.gov profile reflects your current CMMC level alongside your NAICS codes.

Federal demand snapshot

DoD (especially DISA and the service branches), DHS (CISA), Treasury, and DoE are the largest federal cybersecurity buyers. CIO-SP3, GSA IT Schedule 70, and the DHS EAGLE II vehicles drive significant task order volume.

SDVOSB set-asides are common in cybersecurity services, particularly at DoD and VA.

Next steps

Use the NAICS recommender to validate codes against your specific cybersecurity service mix. For deeper context on primary vs secondary code selection, see the NAICS code finder guide.