{
  "meta": {
    "slug": "csf-2.0-nist-800-53-r5",
    "frameworks": [
      "NIST_CSF_2.0",
      "NIST_800-53_r5"
    ],
    "labels": [
      "NIST CSF 2.0",
      "NIST 800-53 r5"
    ],
    "authoritative": "NIST CPRT (CSF 2.0 \u2192 800-53)",
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "NIST_CSF_2.0",
      "b": "NIST_800-53_r5"
    },
    "counts": {
      "pairs": 937,
      "rows": 1874,
      "present_a_to_b": 620,
      "present_b_to_a": 802
    },
    "reliability": {
      "reverse_presence_pct": 78.2,
      "extent_rank_correlation": -0.019,
      "completeness_a_to_b_pct": 24.7,
      "completeness_b_to_a_pct": 12.1,
      "none_rate_a_to_b_pct": 33.8,
      "none_rate_b_to_a_pct": 14.4,
      "counterpart_coverage_a": {
        "mapped": 106,
        "universe": 106,
        "pct": 100.0
      },
      "counterpart_coverage_b": {
        "mapped": 221,
        "universe": 324,
        "pct": 68.2
      }
    },
    "abstraction": {
      "breadth_a_to_b": 5.96,
      "breadth_b_to_a": 4.01,
      "depth_a_to_b": 1.26,
      "depth_b_to_a": 1.13,
      "verdict": "NIST_CSF_2.0 sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": {
        "signal": "csf_function",
        "subcats_per_function": {
          "GV": 31,
          "ID": 21,
          "RS": 13,
          "PR": 22,
          "DE": 11,
          "RC": 8
        }
      },
      "intrinsic_b": {
        "signal": "nist_level",
        "controls": 196,
        "enhancements": 25
      }
    },
    "diff": {
      "authoritative_pairs": 738,
      "agreement": 543,
      "conflict": 195,
      "addition": 394,
      "examples": {
        "conflict": [
          [
            "DE.AE-04",
            "pm-11"
          ],
          [
            "DE.AE-04",
            "pm-18"
          ],
          [
            "DE.AE-04",
            "pm-28"
          ],
          [
            "DE.AE-04",
            "pm-30"
          ],
          [
            "DE.AE-04",
            "pm-9"
          ],
          [
            "DE.AE-06",
            "pm-15"
          ],
          [
            "DE.AE-06",
            "pm-16"
          ],
          [
            "DE.AE-06",
            "ra-3"
          ]
        ],
        "addition": [
          [
            "DE.AE-02",
            "au-12"
          ],
          [
            "DE.AE-02",
            "au-2"
          ],
          [
            "DE.AE-02",
            "au-3"
          ],
          [
            "DE.AE-02",
            "ca-1"
          ],
          [
            "DE.AE-03",
            "au-12"
          ],
          [
            "DE.AE-03",
            "au-2"
          ],
          [
            "DE.AE-03",
            "au-6.9"
          ],
          [
            "DE.AE-03",
            "ir-9"
          ]
        ]
      }
    },
    "ppt": null
  },
  "diff": {
    "authoritative_pairs": 738,
    "agreement": 543,
    "conflict": 195,
    "addition": 394,
    "examples": {
      "conflict": [
        [
          "DE.AE-04",
          "pm-11"
        ],
        [
          "DE.AE-04",
          "pm-18"
        ],
        [
          "DE.AE-04",
          "pm-28"
        ],
        [
          "DE.AE-04",
          "pm-30"
        ],
        [
          "DE.AE-04",
          "pm-9"
        ],
        [
          "DE.AE-06",
          "pm-15"
        ],
        [
          "DE.AE-06",
          "pm-16"
        ],
        [
          "DE.AE-06",
          "ra-3"
        ]
      ],
      "addition": [
        [
          "DE.AE-02",
          "au-12"
        ],
        [
          "DE.AE-02",
          "au-2"
        ],
        [
          "DE.AE-02",
          "au-3"
        ],
        [
          "DE.AE-02",
          "ca-1"
        ],
        [
          "DE.AE-03",
          "au-12"
        ],
        [
          "DE.AE-03",
          "au-2"
        ],
        [
          "DE.AE-03",
          "au-6.9"
        ],
        [
          "DE.AE-03",
          "ir-9"
        ]
      ]
    }
  },
  "edges": [
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses tracking legal requirements and strategy alignment; B only enforces law-consistency for one narrow policy area (access control)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses a broad risk-management policy while B addresses a narrow access-control policy, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad governance outcome for cybersecurity risk policy; B is a narrow, domain-specific control limited to access-control policy and procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad improvement identification includes policy review (Ex2) that touches B's review requirement but not its AC-specific policy development/dissemination; B's AC-1 review satisfies only one narrow slice of A's operational improvement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational identity-management outcome while B is the meta-level AC policy control; each satisfies only a slice (or none) of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's outcome explicitly requires access permissions to be defined in policy and managed/reviewed, satisfying most of B's policy/procedure intent while B only supplies the high-level documentation framework without the least-privilege or review outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's least-privilege/enforcement outcome can subsume concurrent-session limits as one possible mechanism (partial), while the single narrow technical control satisfies only a tiny slice of A's broad policy/review/SoD intent (partial)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's reauthentication example touches session lifetime but does not address automatic termination; B addresses only termination and has no bearing on authentication outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses attribute-based authorization only as one optional example within a broader access-policy/review/least-privilege outcome, while B supplies a narrow technical attribute-binding mechanism that can support but does not encompass A's full intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-17",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad access-management outcome subsumes remote-access authorization via attributes/least-privilege, while B addresses only one narrow slice of access controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-17",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust outcomes directly enforce remote-access restrictions and least-privilege authorization (covering B's core intent), while B addresses only the remote-access slice of A's broader network-protection outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad authorization/least-privilege outcomes that touch the auth step of wireless access but omit B's wireless-specific configuration and connection requirements; B addresses only one narrow access method and therefore satisfies none of A's general policy, review, and SoD intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad network-protection outcome and zero-trust examples encompass wireless as one access vector (partial coverage of B); B addresses only the wireless slice of A's general network-access intent (partial coverage of A)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-19",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad policy/least-privilege/authorization framework that largely encompasses mobile-device access rules, while B addresses only the narrow mobile-device slice of that framework."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-19.5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's outcome and Ex2 directly encompass B's device/container encryption intent while B addresses only one narrow slice of A's broader data-at-rest scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the monitoring slice of AC-2 while B supplies only the account-specific monitoring slice of DE.CM-03."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad identity/credential outcome that subsumes account-management practices; B is one narrow slice focused only on system accounts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the enrollment-time identity-proofing slice of account creation while B addresses the full account lifecycle without specifying credential-proofing steps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the authentication mechanisms while B addresses the full account lifecycle and approvals; each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome statement whose intent is largely realized by the detailed account-management steps in B, while B addresses only one slice of A's policy/least-privilege/SoD scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses network segmentation/zero-trust; B only supplies account lifecycle steps that partially support the broader unauthorized-access outcome but ignore all network controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies logs usable for B's single 'monitor accounts' clause but satisfies none of B's account-lifecycle intent; B contains no logging requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-20",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's inventory supports external-service oversight but does not implement B's authorization/prohibition rules; B's policy statements contain no inventory requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-20",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's external-network segmentation example addresses one slice of external-system access control, while B's narrow policy scope satisfies none of A's broad network-protection outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad enforcement + attribute-based authorization outcomes subsume most of B's runtime decision intent, while B addresses only one narrow slice of A's policy/review/least-privilege scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome that explicitly includes enforcement plus policy definition/review/least-privilege; B narrowly realizes only the enforcement slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-in-use protection overlaps one access-control slice (preventing unauthorized process/user access) while B's general enforcement supports data-in-use confidentiality but omits removal/sanitization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only network segmentation/zero-trust slices of logical access enforcement while B supplies generic policy enforcement that partially realizes but does not mandate A's architectural outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the baseline representations that inform flow policy, satisfying a prerequisite slice of B's enforcement intent; B performs runtime enforcement and does not produce or maintain the documented baselines required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF outcome whose realization typically requires flow-enforcement mechanisms plus additional data-in-use protections; B supplies only one technical lever for a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust examples directly realize the bulk of AC-4's flow-enforcement intent while B supplies only one technical mechanism toward A's broader network-protection outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly incorporates separation of duties within its broader access-management outcome, while B addresses only that single narrow aspect of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly mandates least privilege (plus reviews/SoD/attributes) so fully satisfies B; B addresses only the narrow least-privilege slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements least-privilege only for network/zero-trust access while B is a general access-control principle; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses config baselines and least functionality; B is a distinct AC control on user/process authorizations with only indirect overlap via hardening."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses core authentication mechanisms but omits failure handling; B supplies only one narrow slice of the broad authentication outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad requirement tracking/alignment; B only mandates that one narrow AT policy be consistent with laws."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers operational training while B only mandates the policy/procedure framework that governs such training."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers role-specific training outcomes while B only establishes the overarching AT policy/procedure framework, satisfying none of B and only a slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of delivering awareness training; B adds prescriptive details (frequency, updates, lessons-learned incorporation) that exceed A's scope while still satisfying A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the specialized-role slice of general user literacy training while B supplies broad literacy requirements without A's role-identification or assessment focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only general awareness for all users while B requires tailored role-based training with update/incident-driven content; each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of role-based training for specialized roles; B supplies one detailed implementation slice (timing, updates, lessons learned) that partially realizes A while A encompasses B plus identification and assessment steps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "at-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires delivery of role-based training but is silent on records; B only mandates documentation and therefore satisfies only a supporting slice of A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad requirement-tracking outcome partially supports ensuring AU policy consistency with laws, while B's narrow audit-policy artifact satisfies none of A's intent to manage legal/regulatory obligations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a single overarching risk-management policy while B creates a distinct, narrower audit-specific policy; the two intents therefore intersect only marginally."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches one procedural element of B, while B's narrow AU-policy mandate satisfies none of A's broad improvement-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow incident-specific logging integrity outcome while B only establishes generic AU policy governance that may reference but does not realize the investigation-recording intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-10 supplies one evidentiary input useful for event sequencing but does not address root-cause or threat analysis; RS.AN-03 performs post-facto analysis and does not implement non-repudiation mechanisms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on forensic collection/chain-of-custody for incidents while B provides irrefutable proof of actions; each satisfies only the overlapping evidence-integrity slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A ensures integrity/provenance of incident records (partially satisfying B's investigative-support goal) while B addresses only retention duration and does not address recording or immutability requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring/analysis outcome requires and therefore encompasses audit generation as a core enabler (mostly), while B supplies only the raw-record prerequisite and omits all analytic activities (partial)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's correlation outcome presupposes generated logs but does not implement AU-12's generation, selection, or content requirements; B supplies raw records only and addresses none of A's correlation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-06 addresses dissemination/alerting of adverse-event information while AU-12 only mandates generation of raw audit records; the latter supplies a possible input but omits all outcome-level provision requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's network monitoring activity implies generation of some event records for adverse events (partial slice of B) while B supplies only raw logs and supplies none of the monitoring/detection outcome required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad DE.CM-03 monitoring outcome requires log/audit sources and therefore covers AU-12 generation requirements; narrow AU-12 supplies only the raw records and omits the behavioral detection intent of DE.CM-03."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad DE.CM-09 monitoring outcome requires audit-record generation plus analysis across multiple vectors, while AU-12 supplies only the narrow generation slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome (generate + make logs available for monitoring) subsumes AU-12's generation mechanics while also requiring additional sharing/monitoring elements that B omits."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-12 supplies raw event data that supports but does not perform the incident sequencing/root-cause analysis required by RS.AN-03."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrowly scoped to IR action recording+integrity while B is a general system audit-generation capability; thus A satisfies none of B and B only partially enables A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad network monitoring that can incidentally detect disclosures but omits B's required response actions; B addresses only one narrow disclosure scenario and therefore satisfies none of A's general adverse-event scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome (monitoring activity for any adverse events) encompasses the narrower AU-13 disclosure-specific monitoring plus response, while the reverse is only one slice of the CSF scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's IoC/persistence search can incidentally surface disclosure evidence but does not address ongoing monitoring or notification; B's disclosure monitoring does not address incident magnitude estimation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-log analysis/monitoring while B narrowly defines event selection; each supplies a prerequisite slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-collection correlation/SIEM while B only defines which events to log; logging is a prerequisite but does not address correlation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a post-event analytic outcome; B supplies raw logs that can feed analysis but neither implements the other's core requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses delivery of adverse-event information/alerts while B only defines which events are logged; logging is a prerequisite but does not satisfy A's provision or adverse-event focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on threat/vuln context ingestion for analysis; B only supplies raw event data as one narrow input."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-08 defines incident declaration criteria while AU-2 configures supporting event logs; each addresses a distinct slice of the incident lifecycle with only loose investigative overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's network monitoring implies logging of specific adverse events (partial overlap on event selection) while B only defines logging types and provides no monitoring or detection capability."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow physical-monitoring outcome; B is a general logging-definition control whose scope only partially overlaps physical-access events."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly requires logging/monitoring only for external-provider events while B broadly defines system-wide event selection; each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's detection monitoring implies event selection/logging but omits B's audit-policy coordination/rationale; B supplies logs usable by monitoring yet addresses none of A's adverse-event detection outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the outcome of log generation/sharing/monitoring but omits B's required steps for event-type selection, rationale, and periodic review; B only implements the narrow selection slice of A's broader logging outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RS.AN-03 requires performing post-incident analysis/root-cause work while AU-2 only defines which events are logged; each supplies a distinct prerequisite or output the other does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs post-incident analysis using existing evidence; B only defines the logging sources that may feed such analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses IR-plan execution/coordination after declaration; B supplies only the narrow logging capability that can aid post-incident investigation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-incident triage/prioritization while B only defines logging sources that may feed later analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-collection analysis/detection while B only mandates minimum record fields that enable but do not perform analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires log generation and availability but does not specify required record fields; B mandates exact content fields but does not address generation or sharing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-3 supplies raw event data required by RS.AN-03 analysis but does not perform incident sequencing, threat attribution or root-cause determination; RS.AN-03 does not define audit-record content."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A targets incident-specific collection+preservation while B defines general audit-record fields; each satisfies only a slice of the other's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad detection-analysis outcome whose implementation examples directly realize AU-6's core review/analysis steps (plus threat intel), while B's reporting/adjustment clauses and audit-record specificity remain outside A's stated intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the multi-source correlation technique that supports B's analysis step but omits B's review, reporting and adjustment requirements; B's analysis can employ correlation yet does not mandate the specific multi-source outcome defined by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome (impact/scope understood); B is one audit-record-specific implementation lever that satisfies only a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies event info/alerts/tickets but omits B's required review, analysis, and risk-based adjustment steps; B produces audit findings/reports that partially satisfy A's provision-of-adverse-event-info outcome but lack real-time alerting and tooling scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad CTI-integration outcome while B supplies one narrow audit-record lever that partially realizes it; neither fully contains the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the incident-declaration decision layer while B supplies the narrower audit-record review/analysis/reporting mechanism; each therefore realizes only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements only the physical-access log/records slice of B's general system-audit review intent; B's system-audit focus only partially realizes A's physical-environment monitoring outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring outcome includes log analysis for anomalies but omits B's explicit reporting/adjustment steps; B's audit-record focus realizes only one slice of A's broader activity-monitoring intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets external-provider monitoring while B is a general audit-review process; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad post-incident root-cause outcome that may draw on audit records; B is a narrow, ongoing audit-record control that supports but does not realize full incident sequencing or systemic root-cause analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses immutable capture and provenance of IR actions only; B addresses review/analysis of audit records and therefore touches only a tangential slice of A's preservation outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-incident evidence preservation/chain-of-custody while B addresses ongoing audit-record review, analysis and reporting; the two intents overlap on audit data handling but neither fully realizes the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident magnitude check via IoC searches; B is ongoing general audit-record review, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses external/incident-driven information sharing; B's audit review+reporting only touches internal reporting and does not realize A's coordination intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6.6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies physical monitoring but omits any correlation step required by B; B realizes only the correlation slice of A's broader monitoring outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6.9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general technical log/SIEM correlation while B requires a distinct nontechnical-source dimension outside A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-07 focuses on threat intel/vuln feeds into detection analysis while AU-7 narrowly mandates audit reduction/reporting; the latter supplies one possible log-derived input but neither satisfies the other's core intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's physical-monitoring outcome does not supply audit-reduction tooling, while B's record-processing capability can support only the log-review slice of A's physical-access examples."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad procedural outcome for root-cause analysis; B supplies only a narrow audit-log reduction tool that can feed part of that analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies immutable IR records/provenance that satisfies only B's non-alteration clause; B supplies general audit reduction/reporting that satisfies only A's integrity requirement for investigations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on evidence collection/preservation/chain-of-custody; B addresses only non-tampering of audit records plus reduction/reporting, satisfying a narrow slice of A's integrity intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's incident-magnitude outcome and IoC search examples do not implement any audit-reduction capability; B's audit reporting supports incident investigations but only narrowly addresses one input to magnitude estimation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a procedural triage/validation outcome; B supplies a supporting technical audit capability that aids investigations but does not address triage criteria or validation steps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a procedural IR outcome; B supplies a narrow audit-tooling capability that can only partially support incident analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integrity/provenance of incident-response logs but never mentions timestamps; B supplies only one narrow mechanism that can aid provenance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-8 supplies one narrow provenance mechanism (timestamps) that partially supports RS.AN-07's broader evidence-integrity intent, while the CSF outcome does not mandate the specific audit-record clock requirements of AU-8."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring can detect tampering with audit data (one slice of B's alerting) but supplies none of B's required protection; B's narrow protection controls address none of A's broad adverse-event detection scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad adverse-event monitoring can detect tampering of audit data but supplies none of B's required protection mechanisms; B addresses none of A's other monitoring domains."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies generic data-in-use protections that can incidentally apply to audit records while in memory/CPU, but supplies none of B's audit-specific scope or alerting requirement; B addresses only a narrow slice of one data type and therefore covers none of A's broader data-in-use outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational detection outcome; B only establishes high-level CA policy scaffolding that may reference monitoring procedures but does not realize event analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses legal/regulatory tracking and alignment while B narrowly requires only that one CA-domain policy be consistent with laws and procedurally managed."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad risk-management policy outcome that subsumes the narrower CA-specific policy/procedure requirements of B, while B addresses only one slice of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad risk-management policy maintenance while B mandates a narrow CA-specific policy; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.RR-01 supplies high-level leadership accountability and risk-culture expectations that touch only the roles/responsibilities clause of CA-1, while CA-1's narrow CA-domain policy mandate satisfies none of GV.RR-01's broader intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.SC-02 addresses only supply-chain-specific role documentation while CA-1 requires policy and roles solely for the CA domain, yielding no overlap one way and a narrow procedural slice the other way."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers evaluation outcomes without addressing policy/procedure development; B supplies the policy scaffolding that enables but does not itself produce improvement identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches B's update requirement while B's periodic review only realizes one narrow slice of A's broader improvement-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow vulnerability-disclosure process outcome unrelated to CA policy development; B's broad CA policy mandate can partially encompass procedures for disclosure handling under monitoring/assessment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses tracking/alignment to legal requirements; B is a narrow assessment procedure that only indirectly supports compliance verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only policy lifecycle updates while B's assessment planning/reporting supplies one input to those updates but omits communication, enforcement, and risk-environment review."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad risk-management roles that B references only narrowly inside its assessment-plan requirement, while B supplies none of A's policy, personnel, or enforcement outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a supply-chain risk program while B performs general control assessments; assessments can verify SCRM controls but do not establish the program."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supply-chain contractual requirements while B is a general assessment process that can support verification but does not establish those requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements supplier-specific assessment/monitoring activities that realize only a narrow slice of general control assessment (B); conversely B supplies the assessment mechanism usable for third-party obligations but addresses only that slice of A's full risk understanding/prioritization/monitoring lifecycle."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome whose realization requires control assessments of the type B specifies (plus other evaluation methods); B realizes only one slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B produces assessment results that can feed improvement identification, but neither control addresses the other's core intent (A omits assessment execution; B omits explicit improvement derivation)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CA-2 assessments can surface improvement opportunities but address only one narrow slice of ID.IM-03's broader lessons-learned/metrics intent; ID.IM-03 does not address assessment planning or execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow vulnerability-ID outcome; B is a general control-assessment process that can include vuln-related checks as one slice but does not realize A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition product-integrity check while B is the full procedural machinery for control assessment planning/reporting; B can therefore touch supply-chain controls only incidentally."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's high-level risk-response strategy (incl. shared-responsibility examples) only touches one narrow slice of B's concrete interconnection-agreement requirements; B supplies a single operational control and cannot establish A's strategic direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses supply-chain-specific contractual controls including info-sharing rules, satisfying only the supplier slice of B's general system-exchange agreements; B supplies an agreement mechanism that partially realizes one implementation example within A's broader supply-chain risk requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only maintains flow baselines while B requires formal approvals, interface agreements and periodic reviews; B's interface documentation partially supports flow representations but omits internal/IaaS baselines."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of contractual vuln-info sharing while B provides general interconnection agreements that can support but do not establish vuln disclosure receipt/analysis/response processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only technical data-in-transit protections while B is a procedural agreement-and-review control; B's documentation of security requirements can capture a slice of A's outcome but does not implement it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A identifies improvement opportunities from evaluations; B creates a POA&M artifact to track remediation actions after weaknesses are already noted."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only identifies improvements from exercises; B creates remediation plans from assessment findings, satisfying a slice of improvement identification but nothing about POA&M."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly captures improvement identification from operations while B narrowly mandates a POA&M artifact driven by assessments/monitoring, yielding only partial overlap in each direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the risk prioritization inputs that feed POA&M content, but does not produce or maintain the documented remediation plan itself; B only tracks already-identified items and performs no threat/vulnerability/likelihood analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad risk-response outcome that explicitly lists POA&M tracking as one realization; B is the narrow POA&M mechanism that satisfies only the planning/tracking slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-02 supplies only the analysis-of-adverse-events slice of CA-7's broader continuous-monitoring program, while CA-7's required correlation/analysis activities fully realize DE.AE-02's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the correlation slice of B's broad continuous-monitoring program, while B's explicit correlation-and-analysis requirement satisfies most of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow alert/ticketing/reporting slice of B's broad monitoring strategy, metrics, assessments and response requirements, while B's ongoing monitoring, correlation and status reporting inherently encompass provision of adverse-event information to staff and tools."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow network-focused detection outcome while B is the broad continuous-monitoring program; thus A satisfies only a slice of B, but B's monitoring strategy encompasses network adverse-event detection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is one narrow physical-monitoring slice of B's broad strategy; B's continuous-monitoring mandate encompasses physical-environment outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-03 supplies one narrow monitoring slice while CA-7 supplies the encompassing continuous-monitoring strategy and reporting apparatus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow monitoring activity that satisfies only one slice of B's broad strategy/metrics/assessment/reporting requirements, while B's overarching continuous-monitoring program encompasses the specific external-provider adverse-event detection intent of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow slice (event detection) of B's broad strategy; B's continuous-monitoring framework encompasses and largely realizes A's monitoring outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses SCRM integration into ERM/risk processes; B's continuous-monitoring activities can support risk-assessment elements but do not address supply-chain scope or integration intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation/audit activities touch only a slice of CA-7's continuous-monitoring strategy, metrics, and response loop, while CA-7's ongoing assessments and analysis directly realize most of A's improvement-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets post-exercise improvement identification while B's continuous-monitoring scope (metrics, ongoing assessments, analysis, response) only partially overlaps that slice via its assessment/response elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A captures only the improvement-identification outcome, while B's monitoring, analysis and response activities largely realize that outcome plus much more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow vulnerability-identification slice of B's broad continuous-monitoring program, while B's generic control assessments can support but do not guarantee A's specific asset-vulnerability outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only change/exception risk assessment and tracking; B's broad ongoing control monitoring and metrics can incidentally capture change-related activity but do not implement the formal change procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad evaluation outcome that can be satisfied by many methods, including but not requiring penetration testing, while B is one narrow assessment technique that contributes to but does not fully realize A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a post-test improvement-identification outcome; B supplies one narrow test input but neither mandates nor realizes the other's core intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad post-execution improvement outcome; B is one narrow proactive testing activity that can feed A but is neither required by nor subsumed under it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Penetration testing is one narrow technique that contributes to vulnerability identification, but A encompasses multiple other methods and does not require or imply penetration testing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ca-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies authorized-flow baselines that partially satisfy B's internal-connection authorization and documentation needs, while B addresses only the internal slice of A's broader baseline scope and adds unrelated lifecycle controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad regulatory alignment at governance level while B only enforces law-consistency inside one narrow CM policy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a broad risk-management policy outcome while B mandates a narrow, domain-specific CM policy and procedures; thus A only incidentally touches B's intent and B does not address A's intent at all."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a general risk-policy review cadence that can be applied to CM policy updates, while B addresses only the narrow CM policy artifact and supplies none of A's risk-management policy intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches one narrow procedural element of B, while B's CM-specific policy mandate has no overlap with A's broad operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses operational baseline/practice outcomes while B only mandates high-level documented policy and roles, satisfying a prerequisite slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring can detect some unauthorized software use, but B's license/copyright restrictions do not address broad adverse-event detection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring of file-sharing and adverse events can detect some B violations, but B's license/policy controls provide no monitoring capability."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad monitoring partially satisfies B's compliance-monitoring clause but ignores policy/enforcement; B's narrow software-install focus satisfies only one slice of A's adverse-event monitoring."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's config-deviation monitoring satisfies B's compliance-monitoring slice but not its policy-establish/enforce intent; B's narrow user-software focus addresses only one monitoring vector inside broad A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad inventory monitoring supports one compliance aspect of B but omits policy/enforcement; B's narrow user-install controls aid only a slice of A's full software/service inventory scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad baseline/monitoring practices largely encompass user-software controls while B addresses only one narrow slice of configuration management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad risk-based maintenance/patching/replacement while B narrowly governs only user-initiated installs, so A supplies none of B's policy/enforcement intent and B supplies only one slice of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-type inventory/metadata focus touches location only incidentally while B's location/users/changes mandate supplies one narrow slice of an inventory but omits classification and designated-type scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A maintains static data-type inventories/classifications while B documents dynamic processing actions; each addresses a distinct slice of data governance with only incidental overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-lifecycle outcome touches data-action visibility only incidentally, while B's narrow mapping task satisfies none of A's multi-asset lifecycle scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's baseline-establishment and review examples satisfy most of B's intent while B addresses only the narrow baseline slice of A's broader CM practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow monitoring-of-changes activity required by B; B's procedural approval and documentation steps do not address A's network-service monitoring intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring of config deviations satisfies only the monitoring/review clause of B; B's change-control process satisfies only the config-deviation slice of A's broader detection scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only hardware inventory maintenance; B's change-control process can generate records that help keep inventories current but does not itself create or maintain those inventories."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring-for-inventory-changes example overlaps one narrow slice of B's monitoring/review activities, while B's documented change records support but do not constitute the broader asset-inventory outcome of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses solely on vulnerability discovery while B's change-control process only incidentally surfaces vulnerabilities introduced by approved changes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome covering risk-assessed change/exception management; B is one detailed config-control realization that satisfies only a slice of A while A encompasses B plus exceptions and tracking."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome encompasses change-control as a core CM practice while the narrow 800-53 control realizes only one slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad risk-impact outcome that subsumes change-specific analyses; B realizes only one narrow procedural slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-assessment and change-procedure outcomes subsume B's narrow pre-implementation impact-analysis requirement while also addressing exceptions, tracking and rollback; B realizes only the analysis slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses baseline enforcement and deviation monitoring but omits explicit pre-change impact analysis; B supplies only that narrow analysis step inside the wider CM outcome of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad config-management outcomes (baselines, least functionality) touch change processes but omit explicit access-restriction requirements, while B supplies only the narrow access-control slice of those outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex3 touches only the monitoring-changes slice of B while B addresses only one narrow monitoring vector among A's many broader adverse-event detection outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only network data-flow diagrams while B addresses general component configuration baselines, so A satisfies none of B; B's settings/monitoring can partially realize flow baselines but omits the explicit data-flow focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ID.IM-01's broad evaluation/improvement outcome can touch config monitoring but does not realize CM-6's core settings-establishment and deviation-approval activities; conversely CM-6's narrow monitoring provides only one slice of the CSF improvement identification intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vulnerability-identification outcome touches misconfiguration discovery but omits CM-6's establish/implement/monitor requirements; CM-6 addresses only the configuration-settings slice of A's broader vulnerability scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses threat-intel ingestion/review while B only touches the narrow configuration aspect of one example in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome whose realization requires the specific practices in B plus related controls (e.g., CM-2/7); B therefore satisfies only one slice of A while A fully encompasses B's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the authorized-flow inventory that informs least-functionality decisions while B enforces a subset of those flows via port/protocol restrictions; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's explicit least-functionality baseline requirement fully realizes B while B addresses only one slice of A's broader configuration-management outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7.2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex1 directly implements B's exact intent while A also contains additional outcomes (install verification, DNS blocking) that B does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7.4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex1 directly implements B's deny-by-exception prohibition but omits B's explicit review/update requirement; B realizes only one narrow slice of A's broader outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7.5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad prevention outcome whose primary implementation lever is exactly B's allow-by-exception policy, while B omits A's additional integrity verification and DNS controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the high-level hardware-inventory outcome while B adds component granularity, review cadence and accountability attributes that A does not require; conversely B\u2019s system-component inventory directly realizes A\u2019s hardware-inventory intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of maintaining inventories of systems/software/services (with change monitoring); B supplies one detailed implementation slice limited to system components."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only network/data-flow baselines while B addresses component inventory; each satisfies a distinct slice of asset management with minimal overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets external supplier services while B broadly covers internal system components, yielding only partial overlap each way."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF life-cycle outcome subsumes most CM-plan elements while the narrow control only addresses one configuration slice of asset management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vulnerability-identification outcome has no overlap with B's CM-plan requirements; B's configuration-item controls address only the misconfiguration slice of A's broader vulnerability scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses operational baseline/monitoring practices while B narrowly requires a documented CM plan with roles/approvals; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses legal/regulatory alignment for all cybersecurity; B narrowly requires only that CP policy be consistent with laws, satisfying none of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad risk-management policy outcome while B is a narrow contingency-planning policy control; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier coordination/roles (a narrow slice of contingency policy scope) while B's generic policy requirements do not mandate or realize supplier inclusion in incident activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-exercise improvement identification while B only mandates high-level CP policy/procedure governance with no realization of improvement activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad lessons-learned reviews touch B's update requirement but ignore CP-specific policy development; B's CP policy activities address only one narrow slice of A's general improvement identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.CO-03 is a narrow recovery-communication outcome while CP-1 only mandates existence of a high-level CP policy/procedure document that may reference but does not realize the specific stakeholder-update intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow public-communications outcome unrelated to policy authorship; B's CP policy/procedure mandate can encompass recovery-communication rules but does not require the specific public-update elements of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational execution outcome while B is only the high-level CP policy document; policy partially enables but does not realize recovery execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow technical recovery step while B is a meta-level policy document requirement; implementing the check satisfies none of the policy mandate, and the policy only generically touches recovery procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A specifies operational restoration-validation steps; B only mandates existence of high-level contingency policy documents that may reference but do not realize those steps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident operational step with no policy/procedure content; B's contingency-planning policy framework can encompass recovery-termination and documentation procedures but does not itself perform them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of executing the recovery portion of the IR plan (including awareness); B supplies one concrete technical mechanism that realizes a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome of selecting and performing recovery actions encompasses B's reconstitution requirement but adds prioritization and scoping; B only realizes the narrow system-recovery slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow slice (backup integrity check) of B's broader recovery-to-known-state intent, while B's reconstitution process largely encompasses the need for verified restoration assets."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies post-restoration integrity and indicator-of-compromise (IoC) checks that partially realize B's 'known state' goal, while B supplies the recovery mechanism that partially realizes A's restoration outcome but omits its security-verification specifics."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B's review/update/lessons-learned steps satisfy only a narrow slice of the broad evaluation-driven improvement outcome in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the lessons-learned/update slice of contingency-plan maintenance while B's plan requirements touch improvement identification but omit explicit exercise-driven, supplier-inclusive improvement processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad improvement-identification outcome overlaps only the lessons-learned/update clause inside B, while B's contingency-plan activities realize only one narrow slice of A's operational-improvement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome requiring establishment/maintenance of contingency (and other) plans; B supplies one detailed implementation of the contingency-plan slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the backup/recovery slice of B's broad contingency-plan requirements while B's listed elements contain no backup creation, protection or testing provisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is preventive environmental hardening; B is a general contingency-planning document whose scope only incidentally references disruptions that could be environmental."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements technical resilience mechanisms that partially address one element of B (maintaining functions during disruption), while B is a documentation/planning control that does not realize any of A's implementation requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the sharing/recovery-status slice of the broad CP-2 requirements, while B's explicit mandate to address contingency-information sharing and distribution satisfies most of A's communication intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow public-recovery messaging only; B's contingency-plan scope includes sharing/coordination elements that touch but do not fully realize that messaging intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-incident execution of IR recovery steps while B is a broad planning/control-development requirement whose coordination clause touches but does not realize execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-02 addresses post-incident recovery execution while CP-2 defines the upstream planning artifact; the plan supplies recovery priorities but does not realize action selection/performance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow procedural check on backup integrity; B is a broad contingency-plan requirement whose restoration clause only incidentally touches that check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident restoration outcome that only touches B's restoration-priorities clause; B's broad contingency-plan requirements directly enable A's mission-function and restoration-norm intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-05 is a narrow post-restoration verification step; CP-2 is a broad planning control whose restoration clauses touch but do not mandate the specific integrity/IoC/root-cause checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the lessons-learned / documentation slice of B while B addresses coordination and lessons-learned elements of A but omits recovery-declaration criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's narrow post-incident root-cause analysis satisfies none of B's broad contingency-planning requirements, while B's coordination-with-incident-handling and lessons-learned clauses only partially touch A's analysis intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-incident stakeholder notification while B is a broad contingency-planning control whose coordination and information-sharing elements touch but do not realize that notification intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow sharing/coordination slice also listed inside CP-2; B's contingency-plan scope includes that slice plus many unrelated planning elements, so each satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-declaration IR execution with third parties while B is a broad contingency-plan development control whose single coordination clause touches but does not realize A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow IR triage; B is a broad contingency-plan control whose only link is a coordination clause, satisfying only a slice of A's validation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow runtime incident-handling outcome; B is a broad contingency-planning control whose coordination clause only touches incident handling at the margin."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only incident tracking/escalation while B's contingency-plan scope is far broader; B's single coordination-with-incident-handling clause gives partial coverage of A's escalation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow activation-criteria step while B's full contingency-plan requirements encompass invocation criteria plus coordination, objectives, roles, restoration and updates."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2.5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's restoration-order validation using mission impact partially overlaps B's continuity goal, while B's pre-incident planning does not address A's post-restoration verification or operational-norm outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2.6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-incident restoration validation and monitoring but never mentions alternate sites, while B supplies one narrow continuity-planning lever that only partially supports A's broader recovery-norm outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-2.8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex2 directly performs B's asset-identification step while also addressing broader external-stakeholder and resilience outcomes that B does not touch."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad specialized-role cyber training while B narrowly mandates contingency-specific timing, updates and scope, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's awareness step overlaps one narrow slice of contingency training; B's training mandate does not address recovery-plan execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome of identifying improvements from any tests/exercises; B is a narrow control whose review/corrective-action steps are subsumed by A while its test-execution mandate is not."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses execution of recovery actions while B addresses pre-/post-test validation of plans; the intents overlap only indirectly via plan usage."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-use integrity check while B is broad plan-level testing that may incidentally exercise restoration steps but does not mandate integrity verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs post-incident restoration verification while B tests contingency plans proactively; the activities share only a loose recovery-procedure overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses recovery-initiation criteria; B tests contingency-plan effectiveness with no direct realization of those criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's outcome+Ex3 directly encompasses offsite/equivalent backup storage, satisfying most of B's intent; B realizes only the protection slice of A's broader create/protect/maintain/test outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only data backup creation/testing/offsite storage while B requires a full alternate processing facility with equivalent controls; B therefore touches offsite data protection only incidentally."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ongoing capacity monitoring/scaling on primary resources; B supplies a discrete redundancy mechanism that partially supports availability but omits all monitoring/forecasting intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-01 is a broad procedural recovery-execution outcome; CP-7 supplies only one narrow contingency mechanism that can support but does not realize that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-02 is a broad outcome on selecting/performing recovery actions; CP-7 supplies one narrow technical implementation (alt-site) that partially satisfies it but is not required by it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-incident validation/monitoring of restoration order and norms; B supplies an alternate site capability that supports resumption of mission functions but does not address those validation or norm-establishment activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A covers only the slice of B that protects the confidentiality, integrity and availability (CIA) of backups, while B addresses only the availability-via-backups slice of A's broad data-at-rest outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome fully encompasses B's create+protect requirements (plus testing/maintenance); B addresses only a subset of A's intent and omits testing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-restore integrity check; B requires backup creation plus CIA protection of backups (covering integrity but not the specific verification step)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cp-9.3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF outcome whose Ex3 directly addresses separate/offsite storage while also requiring creation/testing; B is one narrow storage slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad compliance-management outcome that informs policy consistency language in B, while B supplies only one narrow IA-specific instance of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A provides broad risk-policy maintenance that can incidentally touch IA policy upkeep, while B addresses only the narrow IA domain and satisfies none of A's risk-management scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review/lessons-learned example overlaps only the update clause of B while B's narrow IA-policy scope satisfies none of A's broad improvement-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow technical outcome on assertion protection; B is only the high-level IA policy umbrella that enables but does not realize that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad identity/credential lifecycle management; B is one narrow authentication technique that touches only a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad auth outcome plus explicit risk-based reauth example largely satisfies adaptive-auth intent, while B addresses only one narrow adaptive slice of A's full authentication scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A covers credential lifecycle; B is a narrow policy trigger unrelated to that lifecycle scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad authentication outcome whose Ex3 explicitly calls for risk-based re-auth; B is the narrow 800-53 control that realizes only that single slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of proofing+credential binding; B supplies the detailed evidence/verification steps that realize most but not all of that outcome (binding is outside IA-12)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of identity/credential management; B is one modern implementation mechanism that satisfies most of that outcome while A only partially addresses B's specific IdP/authz-server mandate."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow proofing/binding step while B addresses the broader identity-provider (IdP) and authorization-server infrastructure for ongoing identity management; each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses protection/verification of assertions in SSO/federation contexts while B broadly requires employing identity providers (IdPs) and authorization servers for identity/access management, yielding only partial overlap in each direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome covering policy, review, least privilege and separation of duties (SoD); B is one narrow technical mechanism (IdPs and authorization servers) that supports only the management/enforcement slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses identity/credential lifecycle management (including users) and so satisfies most of B's narrower identification-and-authentication intent for organizational users; B only realizes one slice of A's wider scope covering services/hardware/keys."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad authentication outcome for users/services/hardware subsumes B's narrower org-user focus (with process association implied), while B only realizes the user slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2.5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad authentication outcome that subsumes the narrow shared-account rule in B, while B addresses only one specialized slice of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity/credential outcome for hardware directly encompasses B's device ID+auth requirement (via Ex3 and credential examples), while B addresses only one narrow slice of A's users/services/hardware scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires auth for users/services/hardware (examples user-centric) while B narrowly mandates unique device ID/auth pre-connection, so each satisfies only the hardware slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity/credential management outcome includes identifier assignment (Ex3) and therefore satisfies most of B's intent, while B addresses only the narrow identifier slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad credential/identity outcome encompasses authenticator management practices while B addresses only one technical slice of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the identity-verification/binding slice of B; B's full authenticator-management scope satisfies the core proofing intent of A plus many additional requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad authentication outcome plus examples that address strength/MFA/refresh; B enumerates detailed authenticator-lifecycle steps that realize only one slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only protection/conveyance of assertions (a narrow slice of authenticator content handling) while B addresses full lifecycle management of authenticators without covering federated assertion standards or verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's credential-hygiene training touches one narrow slice of B while B supplies none of A's awareness outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad baseline/defaults/monitoring practices encompass most authenticator-management activities while B addresses only one narrow slice of configuration management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires password policies among other auth methods while B supplies narrow password-specific rules; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome satisfied by any authenticator (examples list passwords/MFA); B is a narrow PKI-specific slice that fulfills only one authentication method."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's credential/key-management examples touch crypto-module handling but do not address module-authentication mechanisms; B is a narrow technical slice unrelated to A's broad identity scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity-management outcome encompasses non-org users while B addresses only that narrow slice and omits A's hardware/services/key elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad authentication outcome for all users/services/hardware; B is a narrow 800-53 control scoped only to non-organizational users, so A satisfies most of B while B satisfies only a slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity/credential management for services (incl. certs, tokens, unique IDs) satisfies most of B's service auth intent, while B addresses only the narrow service slice of A's full scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad authentication outcome for users/services/hardware fully encompasses B's narrow service-identification requirement, while B addresses only one slice of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad mandate to track/align all legal requirements partially supports B's 'consistent with laws' clause, while B's narrow IR-policy scope satisfies none of A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a general risk-management policy framework whose elements can inform but do not satisfy the distinct IR-specific policy requirements of B."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supplier-specific outcome while B only creates the generic IR policy framework that may reference external coordination."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-exercise improvement identification while B only establishes IR policy/procedure governance, so A satisfies none of B and B satisfies only a slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-execution improvement identification while B only mandates periodic IR policy/procedure reviews, satisfying a narrow slice of that intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational recovery-comms activity while B only mandates existence of high-level IR policy/procedures, so each satisfies only a sliver of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.CO-04 is a narrow recovery-communications outcome that satisfies none of IR-1's policy/procedure framework intent; IR-1's high-level IR policy can partially encompass procedures for approved recovery messaging but does not mandate the specific public-update outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident recovery outcome with no policy element; B's IR policy can reference recovery but does not address mission-function prioritization or restoration validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-recovery outcome while B is a broad policy-framework control; the specific outcome satisfies none of the policy mandate, but the policy mandate partially enables the outcome via required procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow evidentiary outcome that satisfies none of the policy-authoring mandate in B; B's high-level policy requirement can encompass A but does not mandate its specific recording and integrity controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow evidence-handling activity while B only establishes generic IR policy scaffolding that may reference but does not realize that activity."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome; B is the high-level policy framework that may reference notification procedures but does not realize the outcome itself."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational sharing outcome while B only mandates existence of high-level IR policy/procedures that may reference coordination but does not require the specific sharing actions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses operational execution/coordination once an incident occurs; B only establishes the high-level policy/procedure framework that may reference coordination but does not realize execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational triage step; B only creates the high-level policy/procedure framework that may reference triage but does not realize it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is an operational outcome with no policy artifact; B's generic IR policy can reference categorization but does not realize the outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome while B only mandates the existence of high-level IR policy/procedures that may reference escalation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational recovery criterion; B is a broad policy/procedure foundation that only indirectly enables such criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A specifies an analytic outcome (intel integration) achievable by many means; B supplies one organizational mechanism that can contribute to that outcome but does not require or guarantee it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses recovery execution plus plan awareness; B supplies only role-based IR training that touches awareness but omits recovery execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-test improvement identification while B only executes IR testing and supplies no improvement step."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the analysis slice of B's full incident lifecycle; B's detection-and-analysis element satisfies most of A's outcome but omits its continuous-monitoring emphasis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the detection/analysis correlation slice of B's full IR lifecycle; B's detection/analysis phase encompasses that outcome plus the remaining IR elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the detection/alerting slice of incident handling while B's full lifecycle (prep/contain/recover/lessons) encompasses but exceeds A's narrow outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the detection/analysis intel slice of B's full IR lifecycle; B's detection/analysis clause touches A's integration goal but omits explicit threat-intel and asset/vuln feed requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow detection-criteria slice of B's broad incident-handling lifecycle, while B's detection-and-analysis requirement encompasses and operationalizes those criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only one narrow detection slice while B's full incident-handling lifecycle (incl. detection) subsumes that monitoring intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one evaluation-based improvement mechanism that touches only B's lessons-learned clause; B supplies incident-driven improvement data that addresses only one slice of A's broader evaluation outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the lessons-learned slice of B's incident-handling scope while B's explicit requirement to incorporate lessons from handling activities (incl. tests) satisfies most of A's improvement-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the lessons-learned slice of B's incident-handling scope while B supplies only the incident-specific slice of A's general operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only recovery-phase stakeholder comms; B broadly mandates the full incident-handling lifecycle (prep through recovery) but does not explicitly require those comms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the recovery-execution slice of B's full incident-handling lifecycle (prep/detect/contain/eradicate/recover plus lessons-learned), while B's explicit inclusion of recovery plus coordination satisfies nearly all of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow recovery-action slice of the broad IR lifecycle in B, while B's recovery + plan-consistency requirements largely realize A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident recovery outcome while B spans the full incident lifecycle plus contingency coordination, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only one narrow slice of recovery verification while B's broad incident-handling capability encompasses recovery (and thus that slice) plus all other phases."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-recovery declaration + documentation/lessons slice of B's broad incident-handling lifecycle."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow analysis/root-cause slice of the broad incident-handling lifecycle in B, while B's required detection-and-analysis activities encompass most of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow forensic-integrity slice inside B's broad incident-handling scope; B implies documentation via analysis/lessons-learned but omits A's immutable/provenance requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow evidence-preservation slice of incident handling, while B's broad phases (esp. detection/analysis) encompass that slice plus much more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow magnitude-estimation slice of analysis while B's full incident-handling lifecycle encompasses that analysis plus preparation/containment/recovery/lessons-learned."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow external-notification outcome while B is the broad multi-phase handling process whose description contains no stakeholder-notification elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the information-sharing slice of incident response while B's broad handling capability (plan-consistent execution, coordination, lessons-learned) necessarily encompasses that sharing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow third-party coordination slice of plan execution while B broadly implements the full handling lifecycle consistent with the plan (minus explicit third-party emphasis)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-02",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A (RS.MA-02) is a narrow triage/validation slice inside the broad detection-and-analysis mandate of B (IR-4), so A satisfies only part of B while B fully realizes A's stated intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the categorize/prioritize slice of B's detection-and-analysis phase while B's full handling capability (prep, containment, eradication, lessons-learned, consistency) realizes A's outcome plus far more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the escalation/tracking slice of incident response while B's full lifecycle handling encompasses escalation plus additional required activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of recovery-initiation criteria while B's broad incident-handling mandate encompasses recovery (and thus those criteria) plus many additional phases."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-01",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A (RS.MI-01) addresses only the containment slice of the full incident-handling lifecycle in B (IR-4), while B explicitly includes containment and thereby satisfies A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-02",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A (RS.MI-02) addresses only the eradication phase while B (IR-4) mandates the full incident-handling lifecycle (prep/detection/containment/eradication/recovery plus coordination and lessons-learned), so B fully realizes A but A realizes only one slice of B."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4.8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's external-stakeholder coordination example touches B's intent but omits correlation/sharing for cross-org awareness; B addresses only that narrow external slice of A's broader escalation/tracking scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Event correlation supplies data that can support incident tracking but does not itself track or document incidents, while IR-5 tracking does not address multi-source correlation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs only initial triage/validation while B performs ongoing tracking/documentation; each satisfies a slice of the other's intent but neither fully contains the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's review/categorization steps entail limited incident tracking, satisfying only a slice of B's monitoring intent, while B's tracking alone provides no categorization or prioritization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A includes incident-status tracking (satisfies part of B) while B's tracking supports escalation decisions (satisfies part of A) but neither fully addresses the other's core intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A and B share a narrow information-sharing theme (esp. Ex3) but target distinct phases (recovery progress vs. initial incident reporting), satisfying only slices of each other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the stakeholder-notification slice of incident reporting while B adds mandatory internal personnel reporting to the IR capability; each therefore satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad coordination outcome of sharing response information with stakeholders; B is one narrow incident-reporting mechanism that realizes only a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome of executing the IR plan with third parties subsumes most of IR-6's reporting requirements, while the narrow control only realizes one slice of the CSF coordination intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad escalation outcome whose realization subsumes the narrower reporting steps in B, while B only partially addresses escalation coordination."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on designated stakeholder information sharing; B provides internal user assistance for incident handling/reporting with only tangential overlap on internal reporting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex2 directly realizes B's support-resource intent while A's broader third-party coordination outcome requires additional actions beyond B."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses escalation tracking/coordination while B supplies a user-facing advice resource; the two intents intersect only loosely on incident handling."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a narrow detection technique unrelated to plan documentation; B's plan may optionally reference correlation methods but does not require them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of defining/applying incident criteria inside B's broader plan requirements, while B's high-level plan definition touches criteria but omits A's operational false-positive handling."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation/audit activities can surface IR-plan gaps (partial slice of B) while B's plan content and update clauses do not themselves constitute the evaluations required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-exercise improvement identification while B is the full IR-plan artifact whose maintenance clause touches a slice of that activity."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the metrics/lessons-learned slice of B; B supplies only the IR-specific slice of the general improvement outcome in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome for IR (and other) plans; B supplies one detailed implementation slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow recovery-comms outcome while B's IR-plan requirement only touches incident-information sharing as one of many elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only one narrow post-incident public-messaging outcome while B is a broad plan-development control whose 'sharing of incident information' clause touches but does not fully realize that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-initiation recovery execution while B defines the comprehensive IR plan itself; B therefore supplies the necessary recovery procedures but does not itself ensure their execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes recovery actions using an existing plan as input; B only supplies the plan's structure and criteria without addressing action selection or performance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-incident restoration/validation slice of an IR plan while B's plan encompasses recovery procedures yet omits explicit mission-function restoration norms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-recovery procedural outcome; B's IR plan can define incident end-criteria and documentation but does not address recovery declaration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes post-incident analysis while B only defines a high-level IR program plan that does not enumerate analysis activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow forensic-integrity procedure that satisfies none of the broad IR-plan requirements in B; B's plan can embed investigation-recording rules but does not mandate them, yielding only partial coverage of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the sharing/notification slice explicitly called out in B; B's plan addresses sharing but does not itself execute the stakeholder notifications required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A satisfies only the single 'sharing of incident information' clause inside the multi-element IR-8 plan; B's explicit requirement to address sharing satisfies most of the RS.CO-03 outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-declaration execution/coordination while B defines the plan artifact itself; B therefore supplies one prerequisite element of A but nothing of the execution outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow procedural triage step while B is a broad governance document; the plan partially enables triage via its reportable-incident and capability-roadmap clauses but does not itself realize the triage."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome on incident categorization/prioritization while B is a broad planning document whose scope only touches categorization via 'defines reportable incidents'."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational escalation activity that satisfies none of the plan-document requirements in B; B's IR plan scope includes sharing/reporting elements that partially address escalation coordination but omits status tracking and execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow recovery-initiation criteria while B enumerates a broad IR-plan; each therefore realizes only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome (containment) that satisfies none of the plan-documentation requirements in B; B's IR plan defines response structure/approach that includes containment procedures, satisfying only a slice of A's outcome intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RS.MI-02 executes one narrow eradication outcome; IR-8 only produces a governance document that may reference but does not realize eradication actions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8.1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the notification outcome for any incident while B requires specific PII-breach planning elements (notice determination + harm assessment); each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Correlation of logs/events can aid spill-response steps such as identifying contaminated systems, but IR-9's procedural response actions do not implement or require multi-source event correlation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only post-incident root-cause analysis while B enumerates concrete spill-response actions; B therefore satisfies only the identification/analysis slice of A and only for the narrow spill scenario."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad IR execution outcome (incl. third-party coordination) that only incidentally touches spill handling, while B is a narrow procedural control for one incident subtype with no third-party element."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the containment/isolation slice of B's multi-step spillage procedure while B realizes that slice for only one incident type."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the eradication step while B adds distinct spill-specific steps (alerting, isolation, assignment); B realizes eradication for one incident type but leaves the broader RS.MI-02 outcome incomplete."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad requirements governance; B only enforces consistency of one narrow maintenance policy with laws."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies an enterprise risk-management policy umbrella that may indirectly encompass maintenance but does not satisfy MA-1's explicit maintenance-specific policy and procedure requirements; B addresses only one narrow operational domain and therefore supplies none of A's risk-strategy intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general cyber-risk policy review while B narrowly mandates only a maintenance-specific policy, so A partially overlaps B's procedural elements but B satisfies none of A's broader governance intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review and lessons-learned activities satisfy only the periodic-update clause of MA-1; B's maintenance-specific policy mandate does not address operational improvement identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad life-cycle outcome A includes maintenance as one phase while narrow procedural control B realizes only that slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-3.6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires software patching/maintenance; B narrowly addresses inspection of maintenance tools only, so A satisfies a slice of B while B satisfies none of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ma-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Lifecycle asset management (A) encompasses a maintenance phase and therefore partially satisfies timely-maintenance intent, while the narrow MA-6 control addresses none of the broader ID.AM-08 outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad governance of legal/regulatory requirements; B only mandates that one narrow media-protection policy be consistent with laws."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 supplies a single overarching risk-management policy umbrella that only incidentally touches the media-protection policy demanded by MP-1; MP-1 itself addresses only one narrow control area and supplies none of the broader risk-policy outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches B's update requirement but does not address MP-specific policy creation; B's narrow media-protection scope satisfies none of A's general improvement-identification intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's crypto-focused data-at-rest protections do not address B's physical media handling requirements; B supplies only one narrow physical slice of A's broad outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses secure offline storage only for backup media while B addresses physical control/sanitization for all system media; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's encryption/integrity controls for data-at-rest can partially satisfy confidentiality during media transport, but B's procedural transport/accountability requirements address none of A's broader at-rest protection scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad hardware disposal outcome touches media sanitization only as one narrow slice, while B addresses none of A's maintenance/replacement/end-of-life scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad crypto protections for data-at-rest but contains no media-downgrading process; B is a narrow procedural control that only touches the confidentiality slice of A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad legal-alignment outcome that B's consistency clause relies on, while B supplies only one narrow physical-policy instance of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A provides a general cybersecurity-risk policy review process that only incidentally touches the narrow physical/environmental domain of B."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad environmental-threat outcome partially encompasses emergency power shutoff for fire/flood scenarios, while the narrow shutoff control addresses only one slice of asset protection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad environmental-threat outcome partially encompasses power-loss protection, while B's narrow UPS requirement addresses only one narrow slice unrelated to A's listed threats."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires protection from multiple environmental threats including fire, satisfying most of B's intent; B addresses only the fire slice of A's wider scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad environmental-threat outcome includes heat/humidity protection (hence mostly covers the narrower PE-14 intent) while B addresses only one slice of the threats listed in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses flooding/water threats without mandating valves; B supplies one narrow technical slice of A's multi-threat scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses physical access enforcement/monitoring while B narrowly targets component placement for damage/access reduction, yielding only partial overlap each direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad environmental-protection outcome while B is a narrow positioning control that also adds an unrelated access-minimization objective absent from A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome of risk-based physical-access management (including monitoring/enforcement); B is one narrow procedural slice (authorization lists/credentials) that contributes to but does not realize the full outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-20",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on access logs/tampering detection while B targets asset location tracking; each satisfies only a narrow slice of the other's monitoring intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-20",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad physical-access outcome that subsumes asset tracking/monitoring as one risk-based implementation method; B supplies only one narrow technical lever for the monitoring slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-23",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad outcome A (protect assets from environmental threats) subsumes facility-location planning as one key lever, while narrow control B realizes only a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the monitoring/logs slice of B's broader enforcement+logging mandate; B supplies the logs and controls that enable part but not all of A's active adverse-event detection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome A encompasses the specific PE-3 requirements (and more), while narrow control B realizes only one slice of A's risk-commensurate physical-access intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad physical-access outcome that subsumes transmission-media controls; B addresses only one narrow slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad physical-access outcome that can incidentally touch output-device controls, while B is a narrow slice that satisfies none of A's overall intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses B's core monitoring/review of physical access but omits coordination with incident response; B realizes only the access-log slice of A's broader physical-environment outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome covering management/monitoring/enforcement of physical access; B is a narrow monitoring+logging slice that satisfies only part of A while A satisfies most of B's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow slice (visitor logging/review/reporting) of A's broad physical-access monitoring outcome, so B covers only part of A while A encompasses B's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pe-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates environmental protection for all technology assets/equipment (including power infrastructure), while B addresses only one narrow slice of physical protection for power cabling."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad requirements management while B only enforces policy consistency with laws; each satisfies a narrow slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires a specific risk-management policy while B requires documented policy/procedures only for the Planning control family, so each satisfies a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the outcome of agreeing risk objectives while B supplies the generic planning-policy scaffolding that can reference but does not realize that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses leadership accountability and roles for cyber-risk strategy but only incidentally touches policy documentation; B's narrow planning-policy scope satisfies none of A's governance/culture intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies domain-specific policies/procedures for supply-chain RM while B requires a broader planning-family policy framework; conversely B supplies only generic policy scaffolding that partially enables but does not address A\u2019s strategy, objectives, and stakeholder-agreed program."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the supply-chain-specific roles/responsibilities slice of B's broad planning-policy requirement, while B supplies only a generic roles framework that does not mandate A's supplier/partner focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only a narrow slice of supplier/incident roles and reporting that could appear inside a planning policy, while B's generic policy mandate can encompass but does not require the specific third-party incident activities in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches one procedural slice of B while B's periodic review requirement only partially realizes A's broader improvement-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the mission/business-process context element inside B's broad plan requirements, while B's documentation mandate satisfies only one slice of A's risk-management outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses org-level stakeholder expectations; B's system-plan elements touch roles/context but omit expectations and do not produce the plans themselves."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OC-03 addresses org-level tracking of legal/regulatory obligations; PL-2 produces system plans that may reference privacy requirements and risk assessments but does not manage or track those external obligations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies high-level mission/resilience inputs that inform only slices of B's detailed plans, while B's system-level operational context and categorization address only a slice of A's external-stakeholder criticality focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the external-dependency slice of B's broad planning requirements while B's system-centric plans capture only a subset of A's org-level external-dependency outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's procedural strategy-review outcome has no realization in B's detailed system-plan development; B supplies risk and control artifacts that can partially feed A's reviews."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ongoing org-level performance review via KPIs/KRIs while B produces static system plans that may supply some risk inputs but omit evaluation activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 establishes a high-level risk-management policy while PL-2 produces detailed system-level plans; the policy supplies only directional context for the plans and the plans do not create or substitute for the policy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-02 addresses high-level policy review cycles; PL-2 produces detailed system plans that may reference but do not satisfy policy-update intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the high-level risk-appetite inputs that appear in one clause of B's risk determinations, while B's system-plan details do not produce or maintain organizational risk-appetite statements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses enterprise-level risk aggregation only; B produces system-level plans that include risk assessments and determinations but do not integrate cyber risk into broader ERM processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a purely procedural cross-org communication outcome while B is a system-level documentation control that touches only a narrow slice (roles, threats) of that intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-method elements inside B's broader plan; B supplies per-system risk determinations but does not establish the enterprise-wide standardized method required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only high-level leadership accountability and culture; B's role-identification element satisfies a narrow slice of A's examples while the remainder of B's plan content is unrelated."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the single roles-identification bullet inside B's broad plan; B's plan requirement touches role identification but omits A's organizational establishment, communication, and enforcement of risk-management authorities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses resource allocation while B's plans enumerate roles/controls but do not allocate resources."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses HR processes only; B's plan documentation touches roles/responsibilities (one narrow slice of A) but satisfies none of A's operational HR intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities element of system plans but is limited to supply-chain parties; B's broad plan includes general system roles yet does not cover external supply-chain coordination."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain integration into ERM processes while B's system plans touch risk assessment and controls only incidentally and lack enterprise-level supply-chain scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-contract supplier due diligence while B broadly documents system-level security/privacy plans that may incidentally reference external dependencies."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supplier risk monitoring while B broadly documents system risks/threats/dependencies (including possible third-party elements) but omits ongoing supplier lifecycle activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inclusion in incident activities while B's broad system-plan requirements touch roles/dependencies but omit incident-specific third-party obligations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain provenance/risk reporting while B broadly documents system plans/controls; plans may reference supply-chain items but do not realize A\u2019s lifecycle integration mandate."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's narrow post-partnership supply-chain steps satisfy none of B's broad system-planning mandate; B's control-description requirement can incidentally touch supply-chain content but does not address A's specific intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational baseline practice unrelated to B's broad planning/documentation requirements; B's environment/dependency descriptions touch flow representations only incidentally."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's life-cycle integration outcome supplies none of PL-2's required planning artifacts; PL-2's documented components, context and controls touch only a slice of life-cycle management intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses solely on post-implementation evaluations to surface improvements, satisfying none of B's broad planning/documentation mandate; B's required risk assessments and threat descriptions partially realize the evaluation step in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses IR/contingency/vuln plans while B defines a broad system security plan document; minimal topical overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OC-02 only identifies stakeholder expectations; PL-8 develops architectures that reference external dependencies but never identify or elicit those stakeholders."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies criticality/BIA/resilience inputs that inform architectures while B addresses external dependencies and criticality analysis but omits stakeholder communication of mission objectives."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad policy review/update while B narrowly requires architecture development plus its own review cycle; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inventory/prioritization while B's external-dependencies clause touches supplier considerations without requiring criticality ranking or records."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the external-supplier due-diligence slice of B's procurements/external-dependencies requirement; B's architecture documentation touches supplier assumptions yet omits the explicit risk-assessment and diligence process A requires."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain provenance/authenticity within risk programs while B broadly covers enterprise security/privacy architectures including external dependencies and acquisitions, yielding only slice overlap each way."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational baseline activity on network flows; B's broad architecture descriptions can encompass data-flow elements but do not mandate maintaining such baselines."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only mission-risk linkage; B's program-plan elements touch mission in approval language but omit explicit mission-driven risk management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only stakeholder identification/expectations while B's program-plan mandate covers internal coordination/roles but omits external stakeholders and explicit expectation gathering."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the legal/reg/contractual requirements slice of the program plan while B documents requirements/compliance at a high level but omits explicit ongoing tracking and alignment processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses stakeholder criticality and resilience objectives while B's program-plan mandate only incidentally touches mission considerations without requiring external-stakeholder focus or communication."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow external-dependency inventory outcome while B is a broad internal program-plan document; B's coordination and overview elements only incidentally touch the dependency intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's narrow outcome review touches only the update/review clause of B's broad program-plan control, while B's plan maintenance only partially realizes A's strategic-outcome evaluation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's periodic strategy review satisfies only the update clause of B while B's program-plan artifact and role assignment satisfy only a slice of A's risk-coverage intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies ongoing performance review that touches B's update clause but omits the plan's scope, roles, and approval elements; B supplies a documented program with periodic review that touches A's evaluation intent but omits KPI/KRI-driven risk-performance measurement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses risk-management policy creation/review/approval while B's program plan encompasses that policy plus roles, coordination, compliance, and protection, so each satisfies only part of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the review/update/communication of risk policy while B requires a broader program plan with roles, approval, and protection; B's periodic update partially overlaps A's policy maintenance but omits enforcement and risk-specific scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the ERM-integration slice of program governance while B supplies the overarching plan and roles that partially enable but do not mandate enterprise risk aggregation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-response-strategy slice of the broad program-plan mandate in B, while B's required plan, roles, senior approval and risk accountability largely realize A's strategic-direction outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.RM-05 is a narrow communication outcome while PM-1's coordination and role-assignment elements largely realize that outcome but also encompass many unrelated program-plan requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses leadership accountability/roles and strategy maintenance but omits B's formal program-plan document, coordination, approval, and protection requirements; B directly satisfies A's accountability and roles elements via senior-official approval and management commitment while only indirectly touching culture."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities slice of B's broader program-plan requirements; B's mandated role assignment, coordination, and senior accountability largely realize A's outcome but omit explicit enforcement language."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the resource-allocation slice of B\u2019s broader program-plan requirements; B defines roles/responsibilities and management commitment inside the plan but does not explicitly require commensurate resource allocation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only a narrow HR/personnel slice while B is a meta-level program-plan document whose scope can encompass HR controls among many others."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets C-SCRM program elements while B broadly defines the overall security program plan, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain-specific roles/responsibilities slice while B requires a full program plan; B's general roles/coordination language partially encompasses supply-chain needs but lacks the external/SCRM focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain integration while B supplies only a generic program-plan framework that can accommodate but does not mandate that integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supply-chain outcome while B is a broad program-plan document; implementing A satisfies none of B, and B's high-level control description only incidentally touches supplier prioritization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain contract requirements while B is a broad program-plan control that only incidentally touches governance outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only operational third-party risk activities while B defines the overarching program-plan artifact that may reference but does not execute those activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only a narrow supplier-incident coordination slice while B's broad program-plan mandate touches roles/coordination generically but omits third-party incident specifics."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supply-chain outcome that does not address program-plan development; B's broad plan framework can encompass supply-chain integration as one management control but does not mandate it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-agreement supply-chain procedure while B is the broad overarching security program plan that may subsume supply-chain elements but does not specifically require them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow asset-prioritization practice that satisfies none of B's program-plan requirements; B's high-level plan may reference asset management but does not specifically mandate the outcomes in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation-focused outcome does not address the program-plan document, roles, approval, or protection elements of B; B's compliance/coordination clauses touch only a slice of the evaluation intent in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's improvement identification (reviews/lessons) overlaps only the update clause of B's program-plan control while B's plan governance touches only one slice of A's operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only specific operational contingency/IR plans while B defines the single overarching program-plan artifact and governance elements; thus A satisfies none of B, and B supplies only a high-level vehicle that can reference but does not itself create or maintain the plans required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of risk-response planning/tracking while B defines the broad program-plan document and governance structure, so each satisfies a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses vulnerability-disclosure handling while B only broadly mandates roles/responsibilities within a program plan."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supplier-assessment activity whose implementation satisfies none of B's program-plan documentation and governance intent; B's broad plan can partially encompass risk-assessment activities including suppliers via roles and requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the mission context that should shape any risk program while B supplies one concrete risk-management mechanism (authorization); each therefore realizes only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only stakeholder identification while B focuses on authorization/risk roles with incidental stakeholder overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies risk-appetite inputs that inform the org-wide risk program B integrates authorization into, while B's authorization and role-designation steps touch only one slice of the appetite/tolerance outcome A defines."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of embedding all cyber risk activities into ERM; B supplies one concrete mechanism (authorization) plus role designation that partially realizes that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities designation sentence inside B while B's core intent (authorization processes integrated into organizational risk management) remains untouched; B directly satisfies the designation of roles that is the central outcome of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only HR/personnel practices while B centers on system authorization and org risk integration; B's role-designation element touches a narrow slice of A's risk-aware personnel intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both address designation of risk-management roles/responsibilities, yet A is narrowly scoped to supply-chain parties while B centers on authorization and org-wide risk integration, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow risk-identification/recording outcome; B is authorization/role integration into the organizational risk-management program, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome encompasses the narrower control's mission-definition activities plus additional risk-informing steps, while the control realizes only one slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies stakeholder expectations as one input to mission/process definition (B) but does not address defining or revising those processes; B never mentions stakeholder identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses external legal/privacy obligations while B focuses on internal mission/process definition; each satisfies only the overlapping privacy-needs slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a narrow external-stakeholder + resilience slice of B's broader mission-process definition; B's risk-aware process definition largely realizes A's criticality/impact intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly inventories external dependencies; B broadly defines mission/processes with risk consideration, so only B touches a slice of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cross-org risk communication while B addresses broader mission/process definition that may incidentally include risk communication mechanisms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inventory/prioritization while B broadly defines mission and business processes; the two intents intersect only tangentially via mission importance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow asset-prioritization activity that does not address mission/process definition; B's mission definition and protection-need analysis partially informs asset criticality but does not require the prioritization steps in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow data-inventory outcome unrelated to mission-process definition, while B's protection-needs step only indirectly touches data identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses establishment of IR/contingency/vulnerability plans while B addresses foundational mission/process definition incorporating security risk; the two intents overlap only indirectly."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs targeted risk recording of impacts/likelihoods but never defines mission/business processes; B embeds risk consideration into process definition and thereby touches but does not fully realize the identification step in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A uses pre-existing mission/business impact records only as inputs for recovery ordering and does not address their definition or maintenance, while B produces those foundational records but does not cover incident-driven restoration or post-incident norms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches only the identification of internal actors (one example) while B requires a full cross-functional program/team; conversely B addresses only the internal slice of A's broader threat-identification outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches training/retention elements of workforce development but omits the program construct; B addresses only the development slice of broader HR practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome review of risk-management effectiveness overlaps only the narrow 'review plans vs. strategy' clause inside B, while B's testing/training/monitoring-plan process satisfies only one slice of A's strategy-outcome adjustment intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad performance/KRI review overlaps only the monitoring-plan review slice of B, while B's narrow testing/training/monitoring focus supplies only one input to A's overall risk-management evaluation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-management policy supplies directional context that B's alignment review can reference, but B's narrow testing/training/monitoring process does not establish or maintain the policy required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the high-level risk-response strategy that B references for plan reviews, while B only enforces alignment for the narrow testing/training/monitoring domain and does not establish or communicate the broader strategic direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the general resourcing needed to execute B's plans but does not establish the required testing/training/monitoring processes or reviews; B addresses only a narrow slice of activities and never touches resource allocation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-exercise improvement-identification step while B mandates the full testing/training/monitoring planning and execution lifecycle, so A covers a slice of B; B's process largely enables the improvement identification in A but does not explicitly require supplier coordination or improvement capture."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires establishment/maintenance/improvement of IR and other cybersecurity plans (including testing/training elements), while B narrowly addresses only testing/training/monitoring plan processes and risk alignment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses risk assessment and prioritization; B only ensures testing/training/monitoring plans stay aligned with an existing risk strategy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-14",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk-response selection/tracking with no mention of testing/training/monitoring plans; B only aligns one narrow class of activities to risk-response priorities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers only the inbound threat-intel slice of B's multi-purpose contact mandate, while B's institutionalized groups directly enable the intel-reception outcome in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on operational threat identification/hunting while B is a narrow external liaison activity that only partially supports one example in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on internal risk analysis/prioritization while B is an external information-sharing mechanism that supplies only one input to risk activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches threat-intel usage for correlation but omits any awareness program or cross-org sharing; B supplies no event-log correlation capability."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's intel-feed examples touch B's sharing intent while B's program supplies raw material for A's integration outcome, yet each leaves the other's core focus (program vs. detection integration) unaddressed."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the inbound receipt slice of B's broader program+sharing requirement; B's mandated cross-org capability directly enables and largely satisfies A's receipt/monitoring intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome (threat identification/recording via cyber threat intelligence and hunting) encompasses most of the narrower PM-16 program intent, while the control only realizes the external intel-sharing slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-assessment outcome can be met without any cross-org sharing program, while B supplies only threat-intel input that partially supports one element of A's broader risk-assessment activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-17",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's supplier identification/prioritization touches CUI sensitivity but does not address B's policy/procedure mandate; B's narrow CUI-protection focus does not realize A's broader supplier inventory outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-17",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad improvement-identification outcome (incl. policy review) touches only the update clause of B's narrow CUI-external policy requirement, while B supplies no coverage of A's general operational lessons-learned intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses mission-driven cybersecurity risk outcomes while B is a privacy-specific program plan whose mission references are incidental and domain-mismatched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses stakeholder expectations (one narrow element of program planning) but only for cybersecurity; B is a privacy-specific plan whose contents do not address cybersecurity stakeholder needs."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses tracking of privacy-related requirements but omits B's mandated program-plan artifacts, roles, and governance structure; B operationalizes privacy compliance yet addresses only one slice of A's broader legal/regulatory/contractual scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad cybersecurity-risk policy outcome that can subsume some privacy-program elements, while B is narrowly scoped to privacy officials, federal privacy statutes, and a dedicated privacy plan."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cybersecurity risk objectives while B's privacy program plan includes strategic objectives and risk elements but remains privacy-specific and broader in scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both address senior-leadership roles, accountability and program commitment, yet one is cyber-risk-specific while the other is privacy-program-specific, so each satisfies only the overlapping slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the resource-allocation slice of B's broader privacy program plan; B addresses only the privacy-specific slice of A's cybersecurity resource outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-19",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the broad outcome of managing privacy obligations via processes/alignment while B only creates a privacy leadership role, so each satisfies a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-19",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cybersecurity leadership/accountability while B is a narrow privacy-specific appointment; each satisfies only a disjoint slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's leadership accountability outcome and CISO-direction example largely subsume the appointment of a senior security officer, while B realizes only the narrow role-establishment slice of A's broader culture and risk-ownership intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates all cyber-risk roles/responsibilities (including leadership), while B only realizes one specific senior-officer appointment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-23",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad cyber-risk role documentation can encompass data-governance roles as one slice, while B's narrow data-body mandate satisfies none of A's full scope of cyber-risk responsibilities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-23",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad lifecycle management outcomes while B narrowly mandates a data governance body; the body supplies one data-specific lever but does not realize the full scope of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Stakeholder expectations inform risk tolerance/priorities within framing, yet A omits assumptions/constraints/review steps while B omits explicit stakeholder identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses compliance tracking/alignment while B only captures regulatory items as one possible constraint within broader risk-framing activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets risk-response criteria/communication while B supplies the broader framing (tolerance, priorities, constraints) that underpins those responses."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies standardized calculation/prioritization templates that address only the documentation/prioritization slice of B's framing elements, while B supplies assumptions/constraints/tolerance context that addresses only part of A's risk-method outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets inclusion of positive risks while B addresses broader risk-framing elements (assumptions, constraints, tolerance) that only incidentally touch priorities/trade-offs."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain provenance and authenticity reporting inside risk programs; B supplies only the generic risk-framing foundation that can accommodate supply-chain considerations but does not require or detail them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs risk assessment and prioritization while B establishes the framing context/tolerance that guides assessments; each addresses a distinct slice of the overall risk-management process."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses outcome evaluation via KPIs/KRIs/metrics while B only creates the leadership roles that could perform such evaluation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a policy document while B mandates specific senior risk roles; each addresses a distinct slice of governance with minimal overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses objective-setting outcomes only; B's role appointments enable but do not directly produce agreed objectives."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cross-org risk communication channels while B appoints risk leadership roles; the latter enables but does not realize the former."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses leadership accountability and roles (with culture) while B narrowly mandates specific risk-executive appointments and alignment; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of establishing all cyber-risk roles/responsibilities while B supplies one concrete implementation (senior risk leadership appointments)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-29",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier-specific due diligence while B establishes org-wide risk leadership roles that can encompass but do not realize supplier activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of risk-aligned resource allocation (including investment), which B's capital-planning steps directly support but do not fully encompass (e.g., authority reviews)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only runtime monitoring/forecasting for availability; B addresses upstream budget allocation and documentation, satisfying part of the capacity intent but not the operational controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad stakeholder-expectation outcome touches supply-chain partners but does not produce the required strategy artifact; B's narrow supply-chain strategy only addresses one slice of the stakeholder set."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one foundational activity (dependency inventory) inside the broader SCRM strategy B requires; B's org-wide strategy and review cycle inherently produces the dependency understanding and communication A describes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk-strategy outcome review while B is narrowly scoped to supply-chain strategy development/implementation/review."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad review of the overall cyber-risk strategy touches the review/update element of B but omits B's supply-chain-specific development and implementation; B addresses only the supply-chain slice of A's general strategy review."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad cybersecurity-risk policy can encompass supply-chain elements at a high level (partial), while B's narrow supply-chain strategy satisfies none of A's general policy intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-02's broad policy-review outcome touches supply-chain elements only incidentally, while PM-30's narrow SCRM-strategy requirement satisfies none of the general policy governance intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad risk-objective outcome can encompass supply-chain elements but does not address the specific strategy development, implementation, or review required by B; B's narrow supply-chain focus satisfies none of A's general objective-setting intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly integrates all cyber risks into ERM while B narrowly mandates a supply-chain-specific strategy, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A sets broad risk-response direction that touches outsourcing/cloud examples; B narrowly mandates only the supply-chain slice of that direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the communication slice of risk governance (incl. suppliers) while B narrowly mandates a full SCRM strategy; each therefore satisfies a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a general cyber-risk method that can be applied to supply-chain risks but does not address the supply-chain-specific strategy, consistency, or review requirements of B; B realizes only one narrow slice of the broad risk-method outcome in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates the full program/strategy/policies/processes and stakeholder agreement, covering most of B's strategy+implementation intent but not its explicit periodic review; B narrowly addresses only the strategy element and therefore covers only a slice of A's program scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integration of SCRM into ERM/improvement while B mandates a standalone org-wide SCRM strategy; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad integration+monitoring outcome subsumes B's strategy development/implementation/review as a core lever, while B realizes only the strategy slice of A's lifecycle intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-termination/disposal slice while B's org-wide strategy explicitly spans development through disposal and therefore subsumes A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a general risk-assessment outcome while B is a narrow supply-chain-specific strategy; the two share only a thin risk-assessment overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk-response selection/tracking while B narrowly implements that only inside supply-chain strategy, so coverage is one-way and limited."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is one tactical activity (pre-acquisition assessments) inside the broader strategy lifecycle defined by B, while B's org-wide strategy necessarily encompasses and drives such assessments."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30.1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad criticality/BIA/resilience outcomes with no supplier focus; B narrowly identifies critical suppliers and therefore satisfies only a thin slice of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-30.1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of knowing and prioritizing all suppliers by criticality; B realizes the identify/prioritize/assess slice for critical suppliers only."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-31",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a high-level governance review of risk-strategy outcomes; B supplies ongoing control-monitoring data that can feed such a review but does not itself perform strategy adjustment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-31",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad periodic review of risk-management strategy; B is a specific continuous-monitoring implementation that supplies inputs to reviews but neither fully contains the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-31",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses narrowly on SCRM integration into risk/improvement processes while B defines a broad continuous-monitoring program; monitoring can support improvement but does not address supply-chain integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-31",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's supply-chain provenance/reporting examples touch only the monitoring/reporting slice of B's org-wide continuous-monitoring mandate, while B's control-effectiveness monitoring can support A's performance-monitoring requirement but omits provenance, authenticity, and supplier policies."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-31",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-test improvement identification while B defines an ongoing monitoring program whose analysis/response elements touch improvement identification only incidentally."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-31",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's improvement-identification outcome (incl. metrics) touches only the analysis/response slice of B's full monitoring program, while B's ongoing metrics/analysis directly realizes most of A's operational-improvement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses understanding requirements; B supplies one downstream remediation-tracking mechanism that only partially supports compliance-risk closure."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a dependency-identification outcome; B's POA&M process touches supply-chain risk tracking but does not realize the inventory/communication intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a high-level strategy-outcome review; B is an operational POA&M process whose sole strategy touchpoint (consistency review) only partially overlaps A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses high-level strategy review/adjustment while B only mandates POA&M consistency checks against an existing strategy and does not implement strategy review."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad KPI/KRI performance review overlaps only the POA&M consistency-review step while B's narrow remedial-tracking process addresses only one slice of A's metrics-driven evaluation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-management policy can direct existence of a POA&M process but does not implement or satisfy B's specific operational requirements; B addresses only one downstream tracking activity and does not address policy establishment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies high-level risk-response strategy; B assumes that strategy exists and only enforces POA&M alignment to it without establishing or communicating the strategic direction itself."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses org-wide risk communication; B's POA&M process touches reporting and supply-chain risk tracking but does not establish the described communication lines."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the upstream risk-calculation and prioritization method while B\u2019s POA&M process neither creates that method nor fully documents/categorizes risks; B\u2019s consistency review touches only a narrow slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A assigns broad risk-management roles that can encompass POA&M ownership, satisfying a slice of B; B's POA&M process never addresses role establishment or communication."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses resource allocation and authority reviews; B's POA&M process only touches risk-strategy consistency for remediation tracking, satisfying a narrow slice of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's program/plan-with-milestones language touches POA&M elements but omits B's remedial-action documentation, reporting, and risk-strategy review steps; B addresses only one narrow process and does not establish A's strategy, objectives, or stakeholder-agreed policies."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad integration mandate encompasses POA&M-style remediation tracking and risk-strategy alignment for supply-chain risk, while B realizes only the narrow improvement/remediation slice of that integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-relationship supplier due diligence while B's POA&M process covers ongoing remediation tracking that can include supply-chain items but does not realize the specific planning/due-diligence intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the full supplier-risk lifecycle while B supplies only the POA&M tracking mechanism for the supply-chain slice; each therefore satisfies only a portion of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inclusion in incident response activities while B's POA&M process for supply-chain risk can track related remedial actions but does not implement the incident-specific coordination."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad supply-chain integration/monitoring outcomes while B narrowly mandates a POA&M tracking process that only partially realizes one monitoring element of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-termination supply-chain plan provision while B is a broad POA&M process covering many risk areas; thus A satisfies none of B, and B only partially touches A's specific post-agreement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only identifies post-exercise improvements while B tracks remedial actions in POA&Ms; neither fully realizes the other's process or scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad improvement-identification outcome while B is a narrow POA&M tracking process; B partially realizes one remedial-action slice of A but A does not address B's process, documentation, or reporting requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vulnerability/contingency plans touch remedial tracking but do not mandate a formal POA&M process; B's narrow tracking mechanism does not establish or maintain the plans required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the risk prioritization input that B reviews for POA&M consistency, but B contains no risk identification or threat/vulnerability analysis activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad risk-response outcome explicitly includes POA&M-style tracking/planning as an implementation example and therefore satisfies most of B's narrower process requirements, while B realizes only the tracking/planning slice of A's wider intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of risk documentation tied to changes/exceptions; B addresses the broader POA&M tracking process for all risks, so each satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition supplier assessment activity while B is a broad POA&M process covering multiple risk programs; neither fully realizes the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only hardware/device inventories (a slice of system inventory), while B's system-level inventory encompasses hardware assets and therefore satisfies most of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome explicitly includes system inventories (plus software/services/monitoring) and so fully satisfies B's narrow intent; B addresses only the systems slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies risk-specific KPI/KRI review that fulfills only a slice of B's broader develop/monitor/report mandate across security+privacy; B's performance-measure apparatus directly enables A's risk-evaluation outcome and therefore covers most of it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow network-flows baseline practice while B is a broad enterprise-architecture outcome; B therefore only partially encompasses the specific flows representations required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the criticality identification and resilience outcomes that feed a CIKR plan, while B supplies one narrow procedural vehicle (the protection plan) that partially realizes A's stakeholder-understanding intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the stakeholder-input slice of a full risk strategy while B's risk scope implicitly touches stakeholder concerns without mandating their explicit identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the legal/privacy-compliance slice of B's broader risk strategy; B's org-wide risk management inherently drives identification and alignment to legal/reg/contractual obligations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies criticality/BIA inputs that feed risk strategy but omits privacy, consistent org-wide implementation and updates; B's broad strategy includes asset criticality yet does not address external-stakeholder communication or resilience-objective setting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the review-and-adjust slice of B's full develop/implement/review mandate; B's required review-and-update step satisfies most of A's outcome-review intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the narrow review/adjust slice of B's broader develop+implement+review mandate; B therefore realizes most of A's outcome while A realizes only one element of B."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the policy-establishment slice of risk management while B addresses strategy development/implementation/review; each therefore satisfies only a portion of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the objectives-setting slice of a risk-management strategy while B's full strategy lifecycle (develop/implement/review) encompasses that objective-setting outcome plus additional elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow slice (appetite/tolerance statements) of B's broader risk-management strategy; B's comprehensive strategy inherently includes and largely satisfies A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the ERM-integration slice of B's broader strategy-development, privacy, implementation and review requirements, while B produces a security/privacy strategy that may or may not be embedded in enterprise risk processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-response-options slice of B's broader strategy+implement+review mandate, while B's comprehensive strategy directly realizes A's outcome and more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the communication slice of risk management while B's comprehensive strategy includes (but is not limited to) establishing cross-org risk communication."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-calculation/prioritization slice of the broader strategy that B requires to be developed, implemented, and maintained."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow inclusion of positive risks in discussions while B defines a broad org-wide risk strategy covering security/privacy risks, implementation and updates."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the SCRM-integration slice of a risk strategy while B provides the general strategy without requiring SCRM integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the supply-chain slice of risk management while B's broad strategy framework encompasses and enables that integration plus far more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow asset-prioritization activity that only partially instantiates B's broad risk-management strategy; B's comprehensive strategy necessarily encompasses asset classification/criticality prioritization and therefore covers most of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies concrete contingency/vuln plans that form one slice of a risk strategy, while B supplies the overarching risk framework that can drive but does not enumerate those specific plans."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ID.RA-04 is one narrow risk-assessment activity inside the much broader PM-9 strategy; the strategy in turn normally mandates that activity plus more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes narrow risk-response steps that form one slice of B's broad strategy mandate, while B's org-wide strategy encompasses and drives the outcomes in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pm-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-04 narrowly addresses post-incident restoration sequencing using existing risk data, while PM-9 supplies the upstream enterprise risk strategy that partially informs but does not realize recovery procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad legal-understanding outcome that informs policy consistency but omits B's specific personnel-security policy development and review steps; B enforces statutory alignment for only one narrow policy area and therefore satisfies only a slice of A's enterprise-wide requirement management intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad cybersecurity risk-management policy outcome while B narrowly mandates only a personnel-security policy; the scopes intersect on generic policy practices but otherwise have no overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies concrete HR practices but omits any policy/procedure documentation; B supplies only the meta policy framework that partially enables but does not realize those practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general cybersecurity improvement identification while B narrowly mandates personnel-security policy/procedure development and review, yielding no overlap one way and only a thin procedural slice the other way."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only activity monitoring for adverse events and supplies none of B's personnel-security requirements, documentation, or transfer notifications; B's single compliance-monitoring clause partially overlaps A's external-provider monitoring intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses HR cyber practices for personnel while B narrowly mandates external-provider controls, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ps-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad HR integration (screening/background checks/knowledge factors) while B narrowly targets role/responsibility language in position descriptions; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pt-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses managing privacy obligations while B narrowly mandates one PII-specific policy artifact, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pt-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad cybersecurity risk policy outcome while B is a narrow PII-specific transparency policy; implementing A therefore touches only part of B's intent and B satisfies none of A's broader risk-management scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pt-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad cybersecurity risk policy updates while B narrowly mandates PII-specific transparency policy/procedures, so each satisfies only a slice of the other's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pt-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example overlaps B's update requirement but addresses neither PII-specific scope nor initial development/dissemination; B's PT policy maintenance satisfies only one narrow slice of A's operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad mandate to track/manage legal requirements can encompass RA policy alignment as one element, while B only enforces consistency for risk-assessment procedures and does not address the wider outcome of understanding contractual/regulatory obligations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's strategy-level reviews touch policy oversight but omit RA-1's specific development/dissemination/review cadence; B's RA policy maintenance satisfies only the procedural slice of A's broader risk-management strategy adjustment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OV-03's performance reviews and metrics may indirectly drive RA policy adjustments but do not satisfy RA-1's requirements to develop/disseminate designated policy and procedures; RA-1 supplies none of the KPI/KRI evaluation outcomes in GV.OV-03."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 is the broad risk-management policy outcome whose scope includes the narrower RA-specific policy and procedures defined by RA-1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF outcome for cyber-risk policy lifecycle while B is the narrow RA-specific policy control, so A subsumes most of B but B only realizes one slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ERM integration outcomes while B only mandates RA-specific policy/procedure artifacts, satisfying none of B and only a narrow foundational slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one concrete risk-method outcome while B supplies only the meta policy/procedure scaffolding for the RA family; each therefore satisfies a slice but not the full intent of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses high-level leadership accountability and risk strategy oversight that touches policy maintenance; B codifies roles/responsibilities and review cycles for one narrow RA policy but omits broader governance and culture outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses resource allocation for risk roles/strategy (touching B's management commitment and roles) while B only mandates RA policy existence without any resource provisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies policy/procedure elements only for supply-chain risk management while B supplies the generic RA policy framework; each therefore satisfies a slice but not the core scope of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain-specific roles/policy documentation while B requires a broad risk-assessment policy covering purpose/scope/compliance; each satisfies only the overlapping roles element of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integration of supply-chain risk into existing assessment processes but supplies no policy/procedure artefacts; B supplies the RA policy framework that can accommodate supply-chain content yet does not mandate the integration outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's annual policy review overlaps only the update clause of B while B's RA-specific policy mandate does not address operational improvement identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only narrow change-exception procedures while B is the overarching RA policy; B's policy framework can partially enable but does not realize A's specific outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a narrow operational process for vuln disclosures while B only mandates generic RA policy/procedure scaffolding, satisfying none of B and only a slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies passive alert/log dissemination while B is a distinct proactive search activity; B's findings can feed adverse-event reporting but do not implement A's alerting/ticketing mechanisms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies CTI/context feeds to generic detection analysis; B is a dedicated proactive hunting process that consumes such feeds but does not require or replace the broader integration outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Threat hunting is one listed implementation example for the broad ID.RA-03 outcome but not required, while RA-10 supplies only one narrow method toward that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's asset prioritization uses classification/criticality as inputs but omits B's formal system-level categorization, documentation, and AO approval steps; B supplies the classification element but does not address A's broader prioritization criteria, tracking, or mission-impact scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses impact/likelihood identification across risk scenarios while B narrowly performs formal system-level impact categorization; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad risk assessment using threats/impacts partially encompasses categorization as one input to inherent-risk understanding, while B's narrow categorization produces none of A's threat/likelihood/prioritization outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies threat/vuln feeds usable as inputs to risk assessment but targets detection analysis, satisfying only a narrow slice of RA-3; RA-3 produces periodic assessments without mandating integration into detection processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the high-level mission-understanding prerequisite that partially grounds B's required mission integration step, while B's explicit mission-perspective integration largely realizes A's intent without addressing A's broader organizational-sharing aspects."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies stakeholder expectations as one input to risk assessment while B performs concrete assessment steps that only incidentally touch a subset of stakeholder privacy impacts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OC-03 tracks external obligations while RA-3 performs one privacy-inclusive assessment activity; each satisfies only a narrow slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on stakeholder criticality and resilience objectives; B's risk assessment process touches impact analysis but does not address external stakeholder expectations or communication of critical capabilities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is high-level strategic oversight/review of risk-management outcomes; B is operational execution of system-level risk assessments\u2014each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is high-level strategy oversight that may reference risk results; B performs detailed assessments that can feed strategy reviews but neither implements the other's core intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is high-level oversight of risk-management performance via KPIs/KRIs; B is the operational execution of assessments, so each satisfies only a tangential slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 establishes the overarching risk-management policy whose intent is satisfied by performing the detailed RA-3 activities, while RA-3 execution alone does not create or enforce any policy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only policy review/update using risk results while B performs the actual assessments that feed policy; neither fully realizes the other's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A sets high-level risk objectives while B executes detailed assessment steps; objectives do not perform assessments, but assessments can partially inform objective-setting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines appetite/tolerance statements only; B performs assessments whose results may feed appetite decisions but neither activity realizes the other's core intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines high-level risk-response strategy; B performs the distinct assessment step that informs but does not realize that strategy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the dissemination/communication slice of B's risk-assessment process while B's dissemination step touches but does not establish the broader ongoing cross-org risk-communication lines required by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines the overarching standardized risk method whose use directly satisfies most RA-3 steps; B executes assessments and thereby realizes only a slice of the governance outcome in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain slice of risk assessment while B performs general risk assessment without mandating SCRM integration into enterprise processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inventory/prioritization; B's broad RA steps can surface supplier risks but do not require or realize A's specific record-keeping and criticality criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only contractual supply-chain requirements while B performs general system risk assessment; the two intents intersect only indirectly via risk identification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs only supplier-specific risk assessments (narrow slice of general RA-3); RA-3 itself contains no supplier due-diligence or pre-engagement requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supplier/third-party slice of risk assessment while B provides the general RA process that partially encompasses supplier risks but lacks A\u2019s lifecycle monitoring and evidence-evaluation specifics."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain slice of general risk assessment while B's broad RA process can subsume supply-chain risks without mandating A's provenance or lifecycle-monitoring specifics."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-termination SCM procedural requirement while B is a broad general risk-assessment process; B can surface relevant supply-chain risks but does not mandate A's specific provisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow input (mission-impact prioritization) usable inside B's impact analysis, while B performs threat/vuln/likelihood work with no requirement to define or maintain asset prioritization criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation/assessment outcome directly encompasses the risk-assessment activities in B (with matching threat/vulnerability examples), while B realizes only one narrow slice of A's broader improvement-identification intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-execution improvement identification (lessons, metrics, policy reviews) unrelated to RA-3's specific risk-assessment steps; B's risk assessments can surface improvement needs but address only a narrow slice of A's broader operational-improvement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vulnerability-management-plan example overlaps only the threat/vuln identification slice of RA-3; RA-3 itself contains no requirement to establish, communicate or maintain IR/BC/DR plans."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the vulnerability-identification slice of B's broader risk-assessment process, while B's explicit requirement to identify vulnerabilities satisfies nearly all of A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the threat-intel input slice of B's broader risk-identification process; performing B's full assessment normally encompasses receiving such intelligence."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the threat-identification slice of B's broader risk-assessment process, while B directly satisfies A's outcome via its required threat identification, documentation, and organizational integration steps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A captures only the slice that identifies and records likelihood and impact, while B adds integration, review, dissemination, update, and PII steps; B's full procedure therefore realizes A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the high-level outcome of using threat/vuln/likelihood/impact data for inherent-risk understanding and response prioritization; B supplies the concrete assessment steps that realize most of that outcome while adding procedural requirements (document, review, disseminate, update) that A does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly scopes risk assessment to changes/exceptions and their change-control procedures, while B broadly mandates system-level risk assessment activities that only partially overlap the change-specific slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow input (external vuln disclosures) to B's broader vulnerability-identification step, while B contains no requirement to establish disclosure intake/response processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow pre-acquisition supply-chain slice while B requires comprehensive system-level threat/vulnerability/impact analysis, documentation, review and update; each therefore satisfies only a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow post-incident magnitude validation via IoCs; B's risk-assessment process touches magnitude/impact language but does not address incident-specific analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-3.3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad threat-identification outcome and ongoing-intel examples subsume B's dynamic-awareness slice, while B addresses only one narrow, external-facing aspect of A's wider scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Hardware inventory maintenance supplies no vulnerability scanning capability, while vuln scans can incidentally aid asset discovery but do not satisfy inventory intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Inventory (A) supplies the asset scope needed for scanning but does not perform monitoring, analysis or remediation (B); B's enumeration is incidental and does not satisfy ongoing inventory maintenance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad lifecycle outcome partially encompasses vuln scanning as one activity; B's narrow scanning requirements address only a slice of asset lifecycle management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad evaluation-driven improvement outcome encompasses vuln scanning as one key method plus more; B's narrow technical scanning process realizes only a slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-exercise improvement identification while B performs operational vulnerability scanning; the latter supplies only one narrow input to the former."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad post-execution improvement identification outcome unrelated to the specific vuln scanning mechanics required by B; B's analysis and remediation steps can feed improvement identification but address only one narrow slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires a vulnerability-management plan (one of several contingency plans) while B is a detailed operational scanning control; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a high-level outcome limited to identification/validation/recording while B adds scanning automation, remediation and sharing; B realizes scanning-based vulnerability identification but omits A's architecture and code-review examples."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies external vuln intel that can feed B's monitoring process but implements none of B's scanning, analysis or remediation requirements; B performs internal scanning and shares results but does not ingest threat-intel feeds or advisories."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a risk-analysis outcome on impacts/likelihoods; B supplies vuln data that can feed it but neither fully contains the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF risk-response outcome whose vuln-mgmt examples subsume B's remediation and tracking steps, while B supplies only the narrow scanning/monitoring slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only external disclosure intake processes while B focuses on internal scanning/monitoring plus analysis and sharing, yielding no coverage one way and partial overlap the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's high-level strategy-outcome review can touch on risk-response effectiveness but does not mandate or realize the specific assessment-finding response actions required by B."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad strategy-review outcome includes audit-finding response as one lever, while B's narrow response action satisfies only a slice of that strategic adjustment intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's performance review/KRI process can surface and drive responses to findings, satisfying part of B's intent; B's narrow response action does not address A's metrics-based evaluation or leadership reporting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad ERM integration encompasses risk-tolerance-driven responses as one outcome; B's narrow finding-response action satisfies none of A's governance-integration intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A embeds SCRM into assessment/improvement processes (touching response activities) while B addresses only generic finding response and omits all supply-chain integration scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supply-chain-specific integration and monitoring; B's general response to assessment findings touches a narrow slice of that risk-management outcome but omits provenance, authenticity, and lifecycle practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only addresses evaluation and improvement identification; B addresses post-finding response actions, satisfying only the downstream slice of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of identifying improvements from tests/exercises while B addresses the broader risk-tolerance-based response to any assessment/audit/monitoring findings; each therefore satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses identification of improvements via lessons/metrics while B addresses response actions to assessment findings; only narrow source overlap exists from B to A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the risk data and prioritization that informs response decisions, satisfying only the upstream slice of B's execution-focused intent; B performs downstream response actions and does not address assessment or inherent-risk analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines the full risk-response lifecycle (choose/prioritize/plan/track/communicate) that subsumes B's narrower mandate to respond to assessment findings; B only realizes one slice of A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-inventory outcome supplies no assessment or risk-analysis steps required by B; B's PIA process identifies PII flows and can feed classification but does not deliver ongoing discovery, metadata maintenance, or coverage of non-PII data types demanded by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad threat/vuln impact identification can incidentally touch privacy risks, while B's narrow PIA mandate addresses none of A's general likelihood/threat scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome and BIA/resilience examples encompass the core intent of performing criticality analysis, while B's narrow system-component focus realizes only a slice of A's stakeholder, communication, and resilience scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad supplier-risk outcome that explicitly requires criticality evaluation of third-party products/services as one activity; B is the narrow RA-9 lever that supplies only that single analytic technique."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad prioritization outcome includes criticality as one factor while B's narrow analysis produces only the criticality inputs needed for that prioritization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ra-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses impact/likelihood identification while B narrowly requires component criticality analysis; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates management of legal/regulatory requirements while B only requires one narrow acquisition policy to be consistent with them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a single high-level risk-management policy that may touch acquisition topics; B supplies only a narrow SA-domain policy and procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-02 addresses only the general cybersecurity risk policy while SA-1 addresses a distinct acquisition-specific policy, so each satisfies only a narrow slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses a narrow integration outcome for supply-chain risk; B's SA policy requirement touches acquisition-related supply-chain elements but does not encompass enterprise-risk integration or improvement processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example overlaps one narrow slice of B, while B's SA-specific policy mandate satisfies none of A's broad operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad SDLC outcome encompasses developer CM intent (tamper protection, flaw tracking) while B addresses only one narrow slice of secure-development practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome on program-level evaluation-driven improvements while B is a narrow SDLC/developer-specific assessment+remediation control; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-test improvement identification across operational exercises; B mandates developer SDLC assessments and flaw remediation, satisfying only a narrow slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad operational lessons-learned while B narrowly mandates developer SDLC testing/flaw-remediation, satisfying only a thin slice of A's improvement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-acquisition authenticity/integrity checks while B mandates developer-driven SDLC testing, assessments and flaw remediation; each satisfies only a narrow slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad SDLC outcome whose realization includes developer testing/eval and flaw remediation; B supplies only one concrete implementation slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11.2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad vulnerability-identification outcome encompasses developer threat modeling and vulnerability analysis as one realization path, while B addresses only a development-phase slice of A's asset-wide scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses buyer-side pre-acquisition authenticity checks while B mandates developer-side process/tool integrity controls; the two touch only tangentially on software integrity."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad SDLC outcome while B supplies one detailed process-level implementation lever inside it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15.7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome that can be met without B's developer-specific automated analysis+exploitation steps; B is one narrow automated slice that only partially advances A's general asset-vuln identification goal."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15.8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad operational outcome achieved via scanning/testing; B is a narrow SDLC reuse mandate that satisfies only one slice of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-acquisition authenticity/integrity checks while B mandates developer-produced architecture/design artifacts; the two intents intersect only narrowly on security-function description."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses the full SDLC while B narrowly requires only developer-produced security architecture/design artifacts, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-22",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad life-cycle outcome (A) encompasses end-of-support replacement as one phase, while the narrow control (B) addresses only that single slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only broad ERM inclusion of cyber risks while B's core intent is system-level resiliency design plus RM implementation; B therefore satisfies only the RM-process slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies concrete resiliency mechanisms that address only a slice of B's broader design-definition-process mandate, while B's required implementation of resiliency techniques and approaches satisfies most of A's outcome intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses secure-SDLC outcomes that indirectly support resiliency goals while B mandates explicit resiliency constructs that only incidentally touch SDLC security practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle outcome directly encompasses SDLC security integration (mostly satisfying B) while B addresses only the development phase slice of A's wider scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the secure-practices slice of SDLC while B supplies the broader SDLC scaffolding (roles, risk integration) that largely realizes A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is post-acquisition operational monitoring; B specifies contract language that can require monitoring controls but does not itself perform detection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain-risk slice of the broader acquisition/contract requirements in B, while B directly mandates inclusion of supply-chain risk management and related security requirements in contracts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-contract supplier assessments while B mandates a broad set of contractual security and supply-chain clauses; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ongoing supplier risk monitoring/evaluation of contractual compliance but omits contract content specification; B mandates SCRM responsibilities and requirements in acquisition contracts but covers only the initial phase, not lifecycle monitoring."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow incident-response slice of supply-chain responsibility allocation inside B, while B's broad acquisition/contract vehicle can embed all of A's incident-planning, role, and exercise requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supply-chain outcome while B is a broad acquisition control that touches supply-chain risk only as one clause among many unrelated requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-agreement SCRM plan elements while B broadly mandates contract inclusions for acquisition; B therefore partially realizes termination/end-of-life/access provisions but A realizes none of B's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle outcome fully encompasses acquisition as one phase while B supplies only the contract-specific slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow authenticity/integrity check that satisfies only the supply-chain slice of B's broad contract requirements; B's inclusion of supply-chain risk, assurance, and acceptance criteria satisfies most of A's assessment outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle management outcome subsumes the engineering-principles application called for by B, while B addresses only one technical slice of A's wider scope (incl. shadow IT, hardware/services, data)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow runtime data-protection outcome; B is a broad development-process control whose principles may indirectly support data-in-use protection but do not realize it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements one resilience-focused engineering principle while B broadly mandates applying many such principles during design; thus A satisfies only a slice of B but B encompasses A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses secure SDLC practices/outcomes while B requires application of specific engineering principles (incl. privacy) across the system lifecycle; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the monitoring-for-adverse-events slice of B's broader compliance-and-oversight mandate; B's ongoing compliance-monitoring requirement directly realizes most of A's detection intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only inventories external dependencies while B enforces contractual controls/monitoring; B's oversight partially informs dependency understanding but omits A's full scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only catalogs and prioritizes suppliers by criticality; B requires compliance, documented oversight, and ongoing monitoring of external providers (implying awareness but not prioritization)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's contract-based requirements and verification language satisfy most of B's compliance and oversight intent, while B addresses only one slice of A's broader supply-chain scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-engagement due diligence/risk assessment while B centers on contractual requirements plus ongoing monitoring/roles, so each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring and compliance-evaluation examples satisfy most of B's requirements while B addresses only the ongoing-monitoring slice of A's broader third-party risk lifecycle."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the incident-specific slice of roles/reporting while B broadly mandates compliance, oversight roles, and monitoring for all external services."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad SCRM outcome that subsumes external-service oversight; B realizes only one narrow slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow termination/deactivation slice of B while B's ongoing compliance/monitoring requirements touch but do not fully realize A's post-agreement SCRM provisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-9",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only creates an inventory while B requires compliance mandates, role definition and ongoing monitoring; B's oversight activities implicitly require service awareness but do not mandate formal inventory maintenance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses managing legal/regulatory requirements while B narrowly mandates one SC-domain policy that must be consistent with those requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a single broad risk-management policy that may drive creation of domain-specific policies, while B supplies only the narrow SC-family policy and procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the overarching cyber-risk policy lifecycle while B mandates a narrowly scoped SC-domain policy; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example satisfies the update/review slice of B while B's narrow SC-specific policy mandate addresses none of A's broader operational-improvement intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome on data-in-transit protection while B is a narrow mechanism limited to an isolated path for authentication; each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A protects general data-in-use confidentiality but does not address or imply an isolated trusted communications path; B supplies one narrow mechanism that can protect a slice of authentication data-in-use."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's zero-trust/segmentation outcomes can partially enable isolated authentication paths, while B's narrow user-to-system trusted channel supplies none of A's network-protection scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad credential-management outcome explicitly includes key management as one implementation slice while B addresses only that narrow cryptographic-key requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of protecting data-at-rest via encryption and therefore implies proper key management as a necessary supporting activity, while B addresses only the narrow key-management slice and does not itself deliver data protection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome requiring crypto for transit protection (hence key mgmt); B is one narrow supporting control that only partially enables the outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A applies crypto narrowly to data-at-rest while B requires crypto for all specified uses; conversely B supplies the mechanism but does not mandate its application to data-at-rest CIA outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses crypto only for data-in-transit (plus non-crypto measures), while B requires crypto for all specified uses; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-in-use outcome is achieved via minimization and isolation (no crypto requirement), while B supplies only one technical method that partially addresses A's CIA goal."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's encryption/signature examples protect transit CIA without requiring attribute binding, while B's narrow attribute mechanism only partially supports A's broader transit-protection outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-20",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches DNS blocking of malicious domains via one narrow example while B addresses only authoritative DNSSEC integrity/authentication, satisfying none of A's software-execution intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-24",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad resilience outcome (A) encompasses controlled failure behavior as one key mechanism, while the narrow fail-state control (B) realizes only one slice of redundancy/HA requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-28",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad CIA outcome fully encompasses B's narrower CI-at-rest intent while B realizes only the CI slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-32",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "PR.DS-10 outcome can be met via non-partitioning techniques (e.g., in-use encryption, access controls); SC-32 partitioning supplies one isolation mechanism that partially addresses data-in-use confidentiality from other processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-34",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses allow-listing and integrity checks while B enforces a narrow hardware read-only mechanism that only partially supports the broader unauthorized-software outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-35",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-09's broad monitoring of web/email vectors for malware directly satisfies most of SC-35's narrow proactive external-code intent, while SC-35 addresses only one slice of DE.CM-09's multi-vector outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-36",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad resilience outcome whose examples encompass distribution; B is one narrow technical lever that only partially realizes that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-38",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad secure-SDLC outcome encompasses ops-security controls for information protection (mostly), while B's narrow ops-sec control realizes only one slice of A's practices and monitoring intent (partial)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-39",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-in-use protection outcome directly encompasses process isolation as one core mechanism (Ex2), while B supplies only one narrow technical slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-39",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A targets broad redundancy/HA outcomes unrelated to execution-domain separation, while B's narrow isolation mechanism only incidentally aids one slice of fault containment within resilience."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-39.1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-based hardware replacement can indirectly ensure support for isolation capabilities, but B's narrow technical mechanism addresses none of A's lifecycle/maintenance scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow technical mechanism (shared-resource isolation) that directly supports only the 'protect data-in-use from other processes' slice of the broader CIA outcome in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-40",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-in-transit crypto controls partially address wireless confidentiality but omit signal-parameter attacks; B's narrow wireless scope satisfies none of A's general transit protection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-43",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's blocking example overlaps one narrow slice of usage restriction; B supplies no data-in-transit protection mechanisms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-43",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses technical data-in-use protections while B addresses component usage policy/monitoring; the two intents intersect only indirectly."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-43",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's resource-usage monitoring overlaps only the monitor/control slice of B's restrictions intent, while B's authorization/restriction focus supplies none of A's capacity-forecasting or availability-scaling outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-49",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad hardware-lifecycle outcome can indirectly require capabilities such as separation mechanisms, while B addresses only one narrow technical mechanism and none of A's maintenance/replacement/disposal intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's network monitoring detects DoS as one class of adverse event but supplies no protection or mitigation; B's DoS controls neither require nor realize general network monitoring."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust controls can limit DoS blast radius but do not address SC-5's core availability objective; SC-5 supplies no coverage of A's unauthorized-access intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad resilience via redundancy/HA while B narrowly targets resource allocation (priority/quota); each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad capacity monitoring/scaling outcomes while B specifies a narrow allocation mechanism; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-01 states the broad monitoring outcome whose achievement requires boundary protection (and more); SC-7 supplies only the boundary-monitoring slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses data-in-transit protection via encryption/DLP while B addresses interface monitoring and segmentation; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust examples directly realize most of B's boundary-control intent while B addresses only the external/key-interface slice of A's broader network-protection outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7.4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies encryption/CI mechanisms that address one slice of B's interface+policy requirements while B's boundary controls realize only a subset of A's broader data-in-transit CI/A outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's transit encryption and DLP examples fully realize SC-8's confidentiality/integrity intent while B omits A's availability requirement and ancillary controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both reference consistency with laws/regulations, but A broadly governs requirement tracking while B narrowly mandates one policy document and its maintenance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad risk-management policy outcome whose scope may incidentally touch integrity topics, while B mandates a distinct, narrowly-scoped SI policy and procedures that do not satisfy A's risk-governance intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example satisfies only the update clause of B while B's SI-specific policy reviews address only one narrow slice of A's operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Input validation is one narrow integrity technique unrelated to the data-in-use access, residency, and memory-protection intent of PR.DS-10."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only data discovery/classification inventory while B addresses policy-driven retention management; retention may incidentally require classification but does not produce or mandate inventories."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data lifecycle management includes retention as one phase but omits B's explicit regulatory/policy requirements; B addresses only a narrow slice of information handling and nothing else in A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-13",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses redundancy/HA mechanisms that partially realize B's substitution intent but omits MTTF analysis; B's narrow failure-prediction focus realizes only one slice of A's broader resilience outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-16",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-in-use outcome overlaps B's memory code-execution controls only on integrity aspects while B addresses only one narrow slice of A's CIA scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-18",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data life-cycle outcome touches the information-life-cycle aspect of B but omits PII-quality operations; B addresses only one narrow privacy slice and satisfies none of A's cybersecurity asset-management scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring of configs and adverse events touches flaw identification but supplies none of B's remediation, testing, or update-installation requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only produces evaluation findings while B executes a concrete flaw-remediation lifecycle; B satisfies one narrow slice of the improvement identification outcome but supplies none of the required assessment activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome on identifying operational improvements; B is one narrow realization (flaw remediation) that partially satisfies A while A encompasses B plus additional activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-based maintenance/patching outcome directly satisfies the core update-installation intent of B but omits B's explicit flaw identification, testing, and CM steps; B's narrower flaw focus only partially realizes A's broader replacement/removal scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2.7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A covers only the root-cause identification slice of B while omitting action development/monitoring; B covers only the root-cause slice of A while omitting incident-specific sequencing, asset, and threat-actor analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad adverse-event monitoring overlaps only with B's detection/alerting slice while B's malware-specific mechanisms address only one narrow class of events within A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses cryptographic protection of data-at-rest; B addresses anti-malware scanning and eradication, satisfying only a narrow slice of A's integrity/availability intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements crypto/DLP for transit C/I/A; B's malware scanning at entry/exit points only partially supports integrity/availability without addressing encryption or data classification controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses data-in-use minimization/isolation while B narrowly implements anti-malware scanning; each satisfies only a tangential slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the analysis slice of adverse events while B's broader monitoring mandate fully includes that analysis plus deployment, detection, and adjustment requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow correlation slice while B's broad monitoring+analysis requirements encompass multi-source correlation as one component."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow 'provide adverse-event information' clause inside the much broader SI-4 monitoring, analysis, deployment and legal requirements; implementing the full SI-4 control satisfies the outcome stated by A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the intel-integration slice of B's broad monitoring/analysis mandate while B's generic analysis requirement addresses only part of A's explicit CTI and context feeds."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses only incident-declaration criteria while B broadly implements detection/analysis/monitoring; B's event analysis partially supports A's outcome but omits explicit incident criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the network-monitoring slice of B's broader system-wide monitoring, analysis, risk-adjustment and reporting requirements, while B fully realizes A's narrower network-adverse-event outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow outcome focused on personnel/tech activity; B's detailed system monitoring fully realizes that outcome plus additional attack/connection requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the external-provider slice of monitoring while B's broad system-monitoring requirements encompass external-provider activity detection plus additional scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome statement whose intent is satisfied by the detailed monitoring activities in B plus additional procedural steps; B therefore realizes only one slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is an assessment/improvement-identification outcome whose examples do not enact ongoing attack/usage monitoring; B supplies event data that can feed evaluations but does not itself perform the required self-assessments or audits."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a post-execution improvement-identification outcome while B is a specific detection/analysis activity; B supplies one input to A, but A satisfies none of B's monitoring requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on static vuln discovery while B centers on dynamic attack/anomaly monitoring; each supplies only a narrow slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only baseline-deviation monitoring (one slice of B) while B supplies only event monitoring (one slice of A's CM practices)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4.15",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad network-monitoring outcome includes wireless traffic but does not mandate the specific wireless-to-wireline IDS boundary; B supplies only one narrow implementation slice of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the receipt-and-use slice of threat intel/advisories while B supplies the feed mechanism but omits explicit integration into detection analysis."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses solely on asset vulnerability discovery/validation; B's alert/advisory handling can feed vulnerability data but does not address identification or recording."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the inbound threat-intel slice of B while B\u2019s receive mandate fully encompasses A\u2019s intent (plus extra generate/disseminate/implement steps)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's threat-identification outcomes overlap only with B's external-alert receipt and internal generation, while B supplies only a slice of external threat data and omits A's internal/threat-hunting scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-03's activity/access monitoring can incidentally surface some change events but does not implement integrity-verification tools; SI-7's narrow integrity checks address none of the personnel-activity intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad monitoring outcome includes config-deviation detection (covering B's integrity checks) but omits B's required response actions; B addresses only one narrow slice of A's multi-vector monitoring scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-at-rest integrity outcome (via hashes/signatures) satisfies most of B's verification intent while B only realizes one narrow integrity slice of A's CIA scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only crypto-based transit protections while B addresses integrity verification tooling for software/firmware/information; the scopes intersect on integrity but neither fully realizes the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A targets runtime data-in-use CIA via minimization/access controls; B's static integrity-verification mechanism addresses only a narrow slice of information integrity and does not realize A's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad prevention outcome whose Ex2 directly realizes B's integrity-verification core while B supplies only one technical lever toward A's full allow-list/execution-control intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses tracking legal/contractual obligations (incl. suppliers) while B narrowly mandates an SR-specific policy that is merely consistent with laws, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad cybersecurity-risk policy outcome that subsumes supply-chain risk as one domain; B supplies only the narrow supply-chain slice plus detailed procedural mandates."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad cybersecurity-risk policy outcome while B is a narrow, supply-chain-specific policy/procedure control; each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies general risk documentation/prioritization methods usable inside an SCRM policy while B mandates an SCRM-specific policy that can embed such methods, yet each addresses only a slice of the other's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RR-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad leadership accountability for cybersecurity risk while B narrowly mandates SCRM policy/procedure artifacts and roles only."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates the full SCRM program including policies/procedures; B narrowly supplies only the policy/procedures slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities coordination slice of a full policy lifecycle, while B's required policy explicitly calls for roles, responsibilities and coordination that realize A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integration outcomes while B narrowly mandates only policy/procedure artifacts; policy is a prerequisite slice but does not realize integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the contract-integration slice of SCRM while B only mandates existence of a high-level policy/procedures document, so each satisfies a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome that explicitly includes policy/procedure elements plus monitoring and lifecycle integration, while B narrowly addresses only the policy document itself."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow content requirement for post-agreement plan provisions while B only mandates generic policy/procedure scaffolding without dictating those provisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review/lessons-learned activity overlaps one procedural element of B but is neither supply-chain-specific nor policy-creation-focused; B's narrow SR policy mandate has no bearing on A's broader operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-1",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes one narrow assessment action; B only creates the policy/procedure scaffolding that may reference but does not perform assessments."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-10",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's pre-acquisition authenticity/integrity assessment can incorporate tampering inspection as one verification activity, while B's general post-deployment inspection does not address acquisition timing or broader authenticity."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-11",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition assessment activity while B requires broader policy, detection, prevention and reporting procedures that would normally encompass such assessments."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad life-cycle outcome A fully contains disposal as one phase, while narrow control B realizes only that single slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A provides broad cybersecurity policy review/update while B narrowly mandates one specific supply-chain plan and its protection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-01",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad outcome on risk-management objectives while B is a narrow, supply-chain-specific procedural control; objectives may inform the plan but the plan does not establish or obtain agreement on objectives."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly integrates all cyber risks into ERM while B narrowly prescribes only a supply-chain plan, so each satisfies a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's strategic risk-response direction explicitly includes shared-responsibility/outsourcing decisions that subsume most of a supply-chain risk plan, while B addresses only one narrow slice of A's broader risk-response outcomes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only org-wide risk communication (incl. suppliers) while B requires a full documented, reviewed, and protected SCRM plan; thus A satisfies none of B, and B satisfies only the supplier-risk slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly calls for developing the SCRM program including its plan/policies/procedures, satisfying most of B's narrower plan-focused intent, while B addresses only one slice of A's broader program/strategy/stakeholder-agreement scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the roles/responsibility slice of a SCRM plan while B's plan development, update and protection requirements inherently encompass and operationalize those roles."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's integration mandate and control-set examples encompass the core of a SCRM plan plus its embedding in ERM/improvement processes, while B supplies only the narrow plan artifact itself."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome of ongoing supplier-risk understanding/assessment/monitoring inherently requires and therefore mostly satisfies the narrower SCRM-plan artifact and its maintenance in B, while B's plan document alone only partially addresses A's full lifecycle execution."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inclusion in incident response activities while B requires a broad lifecycle SCRM plan; the plan may encompass incident elements but does not mandate them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of integrating supply-chain practices into risk management; B is one concrete artifact (the SCRM plan) that realizes part of that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-agreement/disposal slice of B's full-lifecycle SCRM plan, while B's required plan (incl. disposal + review) satisfies most of A's post-conclusion intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow inventory outcome that supplies one input to supplier risk visibility; B requires a broad, multi-phase SCRM plan whose existence and maintenance are not satisfied by inventory alone."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-04",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires broad cybersecurity/contingency plans while B is a narrow supply-chain-specific plan; neither fully contains the other's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk identification/recording while B is a narrow supply-chain-specific planning control whose execution only incidentally touches a slice of risk assessment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad ID.RA-05 risk understanding can inform supply-chain inputs but does not produce or protect the required SR-2 plan; the narrow plan satisfies none of the general risk-assessment outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is one narrow execution activity (pre-acquisition assessments) while B is the overarching documented plan covering the full lifecycle plus maintenance/protection, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad stakeholder-expectation outcome touches supply-chain partners/regulators only incidentally, while B's narrow supply-chain process requirements do not address general stakeholder identification or expectation gathering."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes the overarching SCRM program/policies/processes; B is one concrete operational control that realizes part of those processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities slice of B's broader supply-chain process and control requirements, while B's coordination and documentation clauses touch but do not satisfy A's explicit internal/external role-establishment outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-03",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broader integration outcome that subsumes B's narrower process-and-control establishment as one realization lever."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly mandates contractual integration of supply-chain requirements while B broadly requires identifying weaknesses, selecting controls, and documenting processes, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad supplier-risk lifecycle outcome subsumes B's process/control/documentation steps while B realizes only the response/monitoring slice of A."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow incident-response slice of supplier interactions while B provides a broad supply-chain risk process that may encompass but does not explicitly require incident-planning inclusion."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome of integrated/monitored supply-chain practices subsumes B's process-and-control requirements, while B addresses only a slice of A's provenance, authenticity, and risk-program integration intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses only post-termination SCRM provisions while B is a broad general supply-chain process/control requirement that can encompass but does not explicitly mandate those provisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's dependency inventory partially supports supply-chain risk identification but does not address acquisition strategies or procurement methods required by B; B's narrow acquisition focus realizes none of A's broad outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad contractual outcome; B supplies one concrete acquisition/control lever that partially realizes it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the due-diligence slice of acquisition activities while B\u2019s broader mandate for supply-chain acquisition strategies necessarily encompasses that due-diligence planning."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome integrating supply-chain practices into risk programs (with acquisition examples); B is one narrow acquisition-focused lever inside that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-termination SCRM plan provisions while B targets acquisition-phase strategies/tools; contract language in B can partially realize A's termination/end-of-life examples."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle outcome includes acquisition as one phase, so it partially satisfies B's supply-chain acquisition intent; B's narrow procurement focus realizes none of A's full life-cycle scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's supplier lessons-learned example touches supply-chain improvement identification but does not address employing acquisition strategies; B is too narrow to realize A's broad operational-improvement outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the authenticity/integrity assessment slice of supply-chain acquisition, while B's broader set of strategies, tools and methods directly enables that assessment plus additional mitigations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-5",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow assessment activity that partially satisfies B's broader acquisition-strategy intent, while B's strategies encompass supplier assessments and therefore mostly realize A's outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly identifies external stakeholders (incl. suppliers/partners) and expectations but does not address risk assessment/review; B narrowly executes supplier risk reviews and therefore only realizes one slice of A's stakeholder outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad strategy-review outcome (A) touches supply-chain risk only incidentally, while narrow supplier assessment (B) addresses none of the strategy-level review intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OV-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad GV.OV-03 outcome encompasses supply-chain risk indicators as one input among many, while narrow SR-6 addresses only supplier reviews and therefore satisfies none of the organizational performance-evaluation intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs risk-informed prioritization of known suppliers but omits ongoing assessment/review; B performs risk assessment/review but does not mandate an explicit prioritized inventory by criticality criteria."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A centers on establishing/integrating requirements into contracts; B is the distinct activity of performing supplier risk assessments, sharing only indirect overlap via criticality evaluation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's pre-relationship due diligence explicitly includes supplier risk assessments (Ex3), satisfying most of B's assessment intent, while B implements only the narrow assessment/review slice of A's broader planning outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome that explicitly includes assessment/review plus prioritization/response/monitoring; B is the narrow 800-53 control realizing only the assess/review slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.SC-09 is the broad outcome integrating supply-chain practices into risk programs (covering SR-6 assessments plus more); SR-6 is one narrow assessment activity inside that outcome."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the authenticity/integrity slice of supplier risk assessment while B's broader supply-chain reviews encompass that slice plus additional risks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-6",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition assessment outcome while B is the broader ongoing SCRM control, so A satisfies only a slice of B and B satisfies most of A's intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad stakeholder-understanding outcome touches supply-chain expectations but does not establish notification agreements, while B's narrow procedural control realizes none of A's multi-stakeholder intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-08",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's incident-reporting protocols and role definitions directly realize SR-8's notification agreements while also addressing wider planning/exercise activities that B does not reach."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses supplier information-sharing during recovery (via Ex3) but assumes rather than establishes agreements, while B narrowly requires only the creation of supply-chain notification agreements and does not address recovery communications."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-02",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the broad notification outcome (including business partners) while B narrowly requires only supply-chain agreement establishment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.CO-03",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A references information-sharing agreements and external stakeholders (partially touching B's agreements) while B is narrowly scoped to supply-chain notifications and therefore satisfies none of A's broader coordination intent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-8",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-01",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses execution-time coordination with any third parties; B addresses pre-established supply-chain notification agreements\u2014each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring/analysis outcome requires and therefore encompasses audit generation as a core enabler (mostly), while B supplies only the raw-record prerequisite and omits all analytic activities (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-log analysis/monitoring while B narrowly defines event selection; each supplies a prerequisite slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-collection analysis/detection while B only mandates minimum record fields that enable but do not perform analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad detection-analysis outcome whose implementation examples directly realize AU-6's core review/analysis steps (plus threat intel), while B's reporting/adjustment clauses and audit-record specificity remain outside A's stated intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational detection outcome; B only establishes high-level CA policy scaffolding that may reference monitoring procedures but does not realize event analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-02 supplies only the analysis-of-adverse-events slice of CA-7's broader continuous-monitoring program, while CA-7's required correlation/analysis activities fully realize DE.AE-02's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the analysis slice of B's full incident lifecycle; B's detection-and-analysis element satisfies most of A's outcome but omits its continuous-monitoring emphasis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the analysis slice of adverse events while B's broader monitoring mandate fully includes that analysis plus deployment, detection, and adjustment requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's correlation outcome presupposes generated logs but does not implement AU-12's generation, selection, or content requirements; B supplies raw records only and addresses none of A's correlation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-collection correlation/SIEM while B only defines which events to log; logging is a prerequisite but does not address correlation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the multi-source correlation technique that supports B's analysis step but omits B's review, reporting and adjustment requirements; B's analysis can employ correlation yet does not mandate the specific multi-source outcome defined by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6.9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general technical log/SIEM correlation while B requires a distinct nontechnical-source dimension outside A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the correlation slice of B's broad continuous-monitoring program, while B's explicit correlation-and-analysis requirement satisfies most of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the detection/analysis correlation slice of B's full IR lifecycle; B's detection/analysis phase encompasses that outcome plus the remaining IR elements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Event correlation supplies data that can support incident tracking but does not itself track or document incidents, while IR-5 tracking does not address multi-source correlation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a narrow detection technique unrelated to plan documentation; B's plan may optionally reference correlation methods but does not require them."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Correlation of logs/events can aid spill-response steps such as identifying contaminated systems, but IR-9's procedural response actions do not implement or require multi-source event correlation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches threat-intel usage for correlation but omits any awareness program or cross-org sharing; B supplies no event-log correlation capability."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow correlation slice while B's broad monitoring+analysis requirements encompass multi-source correlation as one component."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a post-event analytic outcome; B supplies raw logs that can feed analysis but neither implements the other's core requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome (impact/scope understood); B is one audit-record-specific implementation lever that satisfies only a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-06 addresses dissemination/alerting of adverse-event information while AU-12 only mandates generation of raw audit records; the latter supplies a possible input but omits all outcome-level provision requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses delivery of adverse-event information/alerts while B only defines which events are logged; logging is a prerequisite but does not satisfy A's provision or adverse-event focus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies event info/alerts/tickets but omits B's required review, analysis, and risk-based adjustment steps; B produces audit findings/reports that partially satisfy A's provision-of-adverse-event-info outcome but lack real-time alerting and tooling scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow alert/ticketing/reporting slice of B's broad monitoring strategy, metrics, assessments and response requirements, while B's ongoing monitoring, correlation and status reporting inherently encompass provision of adverse-event information to staff and tools."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the detection/alerting slice of incident handling while B's full lifecycle (prep/contain/recover/lessons) encompasses but exceeds A's narrow outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies passive alert/log dissemination while B is a distinct proactive search activity; B's findings can feed adverse-event reporting but do not implement A's alerting/ticketing mechanisms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow 'provide adverse-event information' clause inside the much broader SI-4 monitoring, analysis, deployment and legal requirements; implementing the full SI-4 control satisfies the outcome stated by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on threat/vuln context ingestion for analysis; B only supplies raw event data as one narrow input."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad CTI-integration outcome while B supplies one narrow audit-record lever that partially realizes it; neither fully contains the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-07 focuses on threat intel/vuln feeds into detection analysis while AU-7 narrowly mandates audit reduction/reporting; the latter supplies one possible log-derived input but neither satisfies the other's core intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A specifies an analytic outcome (intel integration) achievable by many means; B supplies one organizational mechanism that can contribute to that outcome but does not require or guarantee it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the detection/analysis intel slice of B's full IR lifecycle; B's detection/analysis clause touches A's integration goal but omits explicit threat-intel and asset/vuln feed requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's intel-feed examples touch B's sharing intent while B's program supplies raw material for A's integration outcome, yet each leaves the other's core focus (program vs. detection integration) unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies CTI/context feeds to generic detection analysis; B is a dedicated proactive hunting process that consumes such feeds but does not require or replace the broader integration outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies threat/vuln feeds usable as inputs to risk assessment but targets detection analysis, satisfying only a narrow slice of RA-3; RA-3 produces periodic assessments without mandating integration into detection processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the intel-integration slice of B's broad monitoring/analysis mandate while B's generic analysis requirement addresses only part of A's explicit CTI and context feeds."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the receipt-and-use slice of threat intel/advisories while B supplies the feed mechanism but omits explicit integration into detection analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.AE-08 defines incident declaration criteria while AU-2 configures supporting event logs; each addresses a distinct slice of the incident lifecycle with only loose investigative overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the incident-declaration decision layer while B supplies the narrower audit-record review/analysis/reporting mechanism; each therefore realizes only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow detection-criteria slice of B's broad incident-handling lifecycle, while B's detection-and-analysis requirement encompasses and operationalizes that criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of defining/applying incident criteria inside B's broader plan requirements, while B's high-level plan definition touches criteria but omits A's operational false-positive handling."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses only incident-declaration criteria while B broadly implements detection/analysis/monitoring; B's event analysis partially supports A's outcome but omits explicit incident criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's network monitoring activity implies generation of some event records for adverse events (partial slice of B), while B supplies only raw logs and none of the monitoring/detection outcome required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad network monitoring that can incidentally detect disclosures but omits B's required response actions; B addresses only one narrow disclosure scenario and therefore satisfies none of A's general adverse-event scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's network monitoring implies logging of specific adverse events (partial overlap on event selection) while B only defines logging types and provides no monitoring or detection capability."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow network-focused detection outcome while B is the broad continuous-monitoring program; thus A satisfies only a slice of B, but B's monitoring strategy encompasses network adverse-event detection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow monitoring-of-changes activity required by B; B's procedural approval and documentation steps do not address A's network-service monitoring intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's network monitoring detects DoS as one class of adverse event but supplies no protection or mitigation; B's DoS controls neither require nor realize general network monitoring."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-01 states the broad monitoring outcome whose achievement requires boundary protection (and more); SC-7 supplies only the boundary-monitoring slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the network-monitoring slice of B's broader system-wide monitoring, analysis, risk-adjustment and reporting requirements, while B fully realizes A's narrower network-adverse-event outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4.15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad network-monitoring outcome includes wireless traffic but does not mandate the specific wireless-to-wireline IDS boundary; B supplies only one narrow implementation slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow physical-monitoring outcome; B is a general logging-definition control whose scope only partially overlaps physical-access events."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements only the physical-access log/records slice of B's general system-audit review intent; B's system-audit focus only partially realizes A's physical-environment monitoring outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies physical monitoring but omits any correlation step required by B; B realizes only the correlation slice of A's broader monitoring outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's physical-monitoring outcome does not supply audit-reduction tooling, while B's record-processing capability can support only the log-review slice of A's physical-access examples."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is one narrow physical-monitoring slice of B's broad strategy; B's continuous-monitoring mandate encompasses physical-environment outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-20",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on access logs/tampering detection while B targets asset location tracking; each satisfies only a narrow slice of the other's monitoring intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the monitoring/logs slice of B's broader enforcement+logging mandate; B supplies the logs and controls that enable part but not all of A's active adverse-event detection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses B's core monitoring/review of physical access but omits coordination with incident response; B realizes only the access-log slice of A's broader physical-environment outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the monitoring slice of AC-2 while B supplies only the account-specific monitoring slice of DE.CM-03."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad DE.CM-03 monitoring outcome requires log/audit sources and therefore covers AU-12 generation requirements; narrow AU-12 supplies only the raw records and omits the behavioral detection intent of DE.CM-03."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-13",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome (monitoring activity for any adverse events) encompasses the narrower AU-13 disclosure-specific monitoring plus response, while the reverse is only one slice of the CSF scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring outcome includes log analysis for anomalies but omits B's explicit reporting/adjustment steps; B's audit-record focus realizes only one slice of A's broader activity-monitoring intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring can detect tampering with audit data (one slice of B's alerting) but supplies none of B's required protection; B's narrow protection controls address none of A's broad adverse-event detection scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-03 supplies one narrow monitoring slice while CA-7 supplies the encompassing continuous-monitoring strategy and reporting apparatus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring can detect some unauthorized software use, but B's license/copyright restrictions do not address broad adverse-event detection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad monitoring partially satisfies B's compliance-monitoring clause but ignores policy/enforcement; B's narrow software-install focus satisfies only one slice of A's adverse-event monitoring."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad adverse-event monitoring overlaps only with B's detection/alerting slice while B's malware-specific mechanisms address only one narrow class of events within A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow outcome focused on personnel/tech activity; B's detailed system monitoring fully realizes that outcome plus additional attack/connection requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-03's activity/access monitoring can incidentally surface some change events but does not implement integrity-verification tools; SI-7's narrow integrity checks address none of the personnel-activity intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly requires logging/monitoring only for external-provider events while B broadly defines system-wide event selection; each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets external-provider monitoring while B is a general audit-review process; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow monitoring activity that satisfies only one slice of B's broad strategy/metrics/assessment/reporting requirements, while B's overarching continuous-monitoring program encompasses the specific external-provider adverse-event detection intent of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only one narrow detection slice while B's full incident-handling lifecycle (incl. detection) subsumes that monitoring intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only activity monitoring for adverse events and supplies none of B's personnel-security requirements, documentation, or transfer notifications; B's single compliance-monitoring clause partially overlaps A's external-provider monitoring intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is post-acquisition operational monitoring; B specifies contract language that can require monitoring controls but does not itself perform detection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the monitoring-for-adverse-events slice of B's broader compliance-and-oversight mandate; B's ongoing compliance-monitoring requirement directly realizes most of A's detection intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the external-provider slice of monitoring while B's broad system-monitoring requirements encompass external-provider activity detection plus additional scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad DE.CM-09 monitoring outcome requires audit-record generation plus analysis across multiple vectors, while AU-12 supplies only the narrow generation slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's detection monitoring implies event selection/logging but omits B's audit-policy coordination/rationale; B supplies logs usable by monitoring yet addresses none of A's adverse-event detection outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad adverse-event monitoring can detect tampering of audit data but supplies none of B's required protection mechanisms; B addresses none of A's other monitoring domains."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow slice (event detection) of B's broad strategy; B's continuous-monitoring framework encompasses and largely realizes A's monitoring outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring of file-sharing and adverse events can detect some B violations, but B's license/policy controls provide no monitoring capability."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's config-deviation monitoring satisfies B's compliance-monitoring slice but not its policy-establish/enforce intent; B's narrow user-software focus addresses only one monitoring vector inside broad A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring of config deviations satisfies only the monitoring/review clause of B; B's change-control process satisfies only the config-deviation slice of A's broader detection scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex3 touches only the monitoring-changes slice of B while B addresses only one narrow monitoring vector among A's many broader adverse-event detection outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-35",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "DE.CM-09's broad monitoring of web/email vectors for malware directly satisfies most of SC-35's narrow proactive external-code intent, while SC-35 addresses only one slice of DE.CM-09's multi-vector outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring of configs and adverse events touches flaw identification but supplies none of B's remediation, testing, or update-installation requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome statement whose intent is satisfied by the detailed monitoring activities in B plus additional procedural steps; B therefore realizes only one slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad monitoring outcome includes config-deviation detection (covering B's integrity checks) but omits B's required response actions; B addresses only one narrow slice of A's multi-vector monitoring scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the mission/business-process context element inside B's broad plan requirements, while B's documentation mandate satisfies only one slice of A's risk-management outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only mission-risk linkage; B's program-plan elements touch mission in approval language but omit explicit mission-driven risk management."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the mission context that should shape any risk program while B supplies one concrete risk-management mechanism (authorization); each therefore realizes only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome encompasses the narrower control's mission-definition activities plus additional risk-informing steps, while the control realizes only one slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses mission-driven cybersecurity risk outcomes while B is a privacy-specific program plan whose mission references are incidental and domain-mismatched."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the high-level mission-understanding prerequisite that partially grounds B's required mission integration step, while B's explicit mission-perspective integration largely realizes A's intent without addressing A's broader organizational-sharing aspects."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses org-level stakeholder expectations; B's system-plan elements touch roles/context but omit expectations and do not produce the plans themselves."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OC-02 only identifies stakeholder expectations; PL-8 develops architectures that reference external dependencies but never identify or elicit those stakeholders."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only stakeholder identification/expectations while B's program-plan mandate covers internal coordination/roles but omits external stakeholders and explicit expectation gathering."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only stakeholder identification while B focuses on authorization/risk roles with incidental stakeholder overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies stakeholder expectations as one input to mission/process definition (B) but does not address defining or revising those processes; B never mentions stakeholder identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses stakeholder expectations (one narrow element of program planning) but only for cybersecurity; B is a privacy-specific plan whose contents do not address cybersecurity stakeholder needs."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Stakeholder expectations inform risk tolerance/priorities within framing, yet A omits assumptions/constraints/review steps while B omits explicit stakeholder identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad stakeholder-expectation outcome touches supply-chain partners but does not produce the required strategy artifact; B's narrow supply-chain strategy only addresses one slice of the stakeholder set."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the stakeholder-input slice of a full risk strategy while B's risk scope implicitly touches stakeholder concerns without mandating their explicit identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies stakeholder expectations as one input to risk assessment while B performs concrete assessment steps that only incidentally touch a subset of stakeholder privacy impacts."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad stakeholder-expectation outcome touches supply-chain partners/regulators only incidentally, while B's narrow supply-chain process requirements do not address general stakeholder identification or expectation gathering."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly identifies external stakeholders (incl. suppliers/partners) and expectations but does not address risk assessment/review; B narrowly executes supplier risk reviews and therefore only realizes one slice of A's stakeholder outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad stakeholder-understanding outcome touches supply-chain expectations but does not establish notification agreements, while B's narrow procedural control realizes none of A's multi-stakeholder intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses tracking legal requirements and strategy alignment; B only enforces law-consistency for one narrow policy area (access control)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad requirement tracking/alignment; B only mandates that one narrow AT policy be consistent with laws."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad requirement-tracking outcome partially supports ensuring AU policy consistency with laws, while B's narrow audit-policy artifact satisfies none of A's intent to manage legal/regulatory obligations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses legal/regulatory tracking and alignment while B narrowly requires only that one CA-domain policy be consistent with laws and procedurally managed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses tracking/alignment to legal requirements; B is a narrow assessment procedure that only indirectly supports compliance verification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad regulatory alignment at governance level while B only enforces law-consistency inside one narrow CM policy."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses legal/regulatory alignment for all cybersecurity; B narrowly requires only that CP policy be consistent with laws, satisfying none of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad compliance-management outcome that informs policy consistency language in B, while B supplies only one narrow IA-specific instance of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad mandate to track/align all legal requirements partially supports B's 'consistent with laws' clause, while B's narrow IR-policy scope satisfies none of A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad requirements governance; B only enforces consistency of one narrow maintenance policy with laws."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad governance of legal/regulatory requirements; B only mandates that one narrow media-protection policy be consistent with laws."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad legal-alignment outcome that B's consistency clause relies on, while B supplies only one narrow physical-policy instance of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad requirements management while B only enforces policy consistency with laws; each satisfies a narrow slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OC-03 addresses org-level tracking of legal/regulatory obligations; PL-2 produces system plans that may reference privacy requirements and risk assessments but does not manage or track those external obligations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the legal/reg/contractual requirements slice of the program plan while B documents requirements/compliance at a high level but omits explicit ongoing tracking and alignment processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses external legal/privacy obligations while B focuses on internal mission/process definition; each satisfies only the overlapping privacy-needs slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses tracking of privacy-related requirements but omits B's mandated program-plan artifacts, roles, and governance structure; B operationalizes privacy compliance yet addresses only one slice of A's broader legal/regulatory/contractual scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-19",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the broad outcome of managing privacy obligations via processes/alignment while B only creates a privacy leadership role, so each satisfies a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses compliance tracking/alignment while B only captures regulatory items as one possible constraint within broader risk-framing activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses understanding requirements; B supplies one downstream remediation-tracking mechanism that only partially supports compliance-risk closure."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the legal/privacy-compliance slice of B's broader risk strategy; B's org-wide risk management inherently drives identification of, and alignment to, legal/regulatory/contractual obligations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad legal-understanding outcome that informs policy consistency but omits B's specific personnel-security policy development and review steps; B enforces statutory alignment for only one narrow policy area and therefore satisfies only a slice of A's enterprise-wide requirement management intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pt-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses managing privacy obligations while B narrowly mandates one PII-specific policy artifact, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad mandate to track/manage legal requirements can encompass RA policy alignment as one element, while B only enforces consistency for risk-assessment procedures and does not address the wider outcome of understanding contractual/regulatory obligations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OC-03 tracks external obligations while RA-3 performs one privacy-inclusive assessment activity; each satisfies only a narrow slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates management of legal/regulatory requirements while B only requires one narrow acquisition policy to be consistent with them."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses managing legal/regulatory requirements while B narrowly mandates one SC-domain policy that must be consistent with those requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both reference consistency with laws/regulations, but A broadly governs requirement tracking while B narrowly mandates one policy document and its maintenance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses tracking legal/contractual obligations (incl. suppliers) while B narrowly mandates an SR-specific policy that is merely consistent with laws, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2.8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's implementation example 2 (Ex2) directly performs B's asset-identification step while also addressing broader external-stakeholder and resilience outcomes that B does not touch."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies high-level mission/resilience inputs that inform only slices of B's detailed plans, while B's system-level operational context and categorization address only a slice of A's external-stakeholder criticality focus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies criticality/BIA/resilience inputs that inform architectures while B addresses external dependencies and criticality analysis but omits stakeholder communication of mission objectives."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses stakeholder criticality and resilience objectives while B's program-plan mandate only incidentally touches mission considerations without requiring external-stakeholder focus or communication."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a narrow external-stakeholder + resilience slice of B's broader mission-process definition; B's risk-aware process definition largely realizes A's criticality/impact intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad criticality/BIA/resilience outcomes with no supplier focus; B narrowly identifies critical suppliers and therefore satisfies only a thin slice of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the criticality identification and resilience outcomes that feed a critical infrastructure and key resources (CIKR) plan, while B supplies one narrow procedural vehicle (the protection plan) that partially realizes A's stakeholder-understanding intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies criticality/BIA inputs that feed risk strategy but omits privacy, consistent org-wide implementation and updates; B's broad strategy includes asset criticality yet does not address external-stakeholder communication or resilience-objective setting."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on stakeholder criticality and resilience objectives; B's risk assessment process touches impact analysis but does not address external stakeholder expectations or communication of critical capabilities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome and BIA/resilience examples encompass the core intent of performing criticality analysis, while B's narrow system-component focus realizes only a slice of A's stakeholder, communication, and resilience scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the external-dependency slice of B's broad planning requirements while B's system-centric plans capture only a subset of A's org-level external-dependency outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow external-dependency inventory outcome while B is a broad internal program-plan document; B's coordination and overview elements only incidentally touch the dependency intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly inventories external dependencies; B broadly defines mission/processes with risk consideration, so only B touches a slice of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one foundational activity (dependency inventory) inside the broader supply chain risk management (SCRM) strategy B requires; B's org-wide strategy and review cycle inherently produce the dependency understanding and communication A describes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a dependency-identification outcome; B's POA&M process touches supply-chain risk tracking but does not realize the inventory/communication intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only inventories external dependencies while B enforces contractual controls/monitoring; B's oversight partially informs dependency understanding but omits A's full scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's dependency inventory partially supports supply-chain risk identification but does not address acquisition strategies or procurement methods required by B; B's narrow acquisition focus realizes none of A's broad outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's narrow outcome review touches only the update/review clause of B's broad program-plan control, while B's plan maintenance only partially realizes A's strategic-outcome evaluation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome review of risk-management effectiveness overlaps only the narrow 'review plans vs. strategy' clause inside B, while B's testing/training/monitoring (TTM) plan process satisfies only one slice of A's strategy-outcome adjustment intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk-strategy outcome review while B is narrowly scoped to supply-chain strategy development/implementation/review."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-31",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a high-level governance review of risk-strategy outcomes; B supplies ongoing control-monitoring data that can feed such a review but does not itself perform strategy adjustment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a high-level strategy-outcome review; B is an operational POA&M process whose sole strategy touchpoint (consistency review) only partially overlaps A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the review-and-adjust slice of B's full develop/implement/review mandate; B's required review-and-update step satisfies most of A's outcome-review intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is high-level strategic oversight/review of risk-management outcomes; B is operational execution of system-level risk assessments\u2014each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's high-level strategy-outcome review can touch on risk-response effectiveness but does not mandate or realize the specific assessment-finding response actions required by B."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's procedural strategy-review outcome has no realization in B's detailed system-plan development; B supplies risk and control artifacts that can partially feed A's reviews."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's periodic strategy review satisfies only the update clause of B while B's program-plan artifact and role assignment satisfy only a slice of A's risk-coverage intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad review of the overall cyber-risk strategy touches the review/update element of B but omits B's supply-chain-specific development and implementation; B addresses only the supply-chain slice of A's general strategy review."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-31",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad periodic review of risk-management strategy; B is a specific continuous-monitoring implementation that supplies inputs to reviews but neither fully contains the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses high-level strategy review/adjustment while B only mandates POA&M consistency checks against an existing strategy and does not implement strategy review."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the narrow review/adjust slice of B's broader develop+implement+review mandate; B therefore realizes most of A's outcome while A realizes only one element of B."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's strategy-level reviews touch policy oversight but omit RA-1's specific development/dissemination/review cadence; B's RA policy maintenance satisfies only the procedural slice of A's broader risk-management strategy adjustment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is high-level strategy oversight that may reference risk results; B performs detailed assessments that can feed strategy reviews but neither implements the other's core intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad strategy-review outcome includes audit-finding response as one lever, while B's narrow response action satisfies only a slice of that strategic adjustment intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad strategy-review outcome (A) touches supply-chain risk only incidentally, while narrow supplier assessment (B) addresses none of the strategy-level review intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ongoing org-level performance review via KPIs/KRIs while B produces static system plans that may supply some risk inputs but omit evaluation activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies ongoing performance review that touches B's update clause but omits the plan's scope, roles, and approval elements; B supplies a documented program with periodic review that touches A's evaluation intent but omits KPI/KRI-driven risk-performance measurement."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad performance/KRI review overlaps only the monitoring-plan review slice of B, while B's narrow testing/training/monitoring focus supplies only one input to A's overall risk-management evaluation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses outcome evaluation via KPIs/KRIs/metrics while B only creates the leadership roles that could perform such evaluation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad KPI/KRI performance review overlaps only the POA&M consistency-review step while B's narrow remedial-tracking process addresses only one slice of A's metrics-driven evaluation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies risk-specific KPI/KRI review that fulfills only a slice of B's broader develop/monitor/report mandate across security+privacy; B's performance-measure apparatus directly enables A's risk-evaluation outcome and therefore covers most of it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.OV-03's performance reviews and metrics may indirectly drive RA policy adjustments but do not satisfy RA-1's requirements to develop/disseminate designated policy and procedures; RA-1 supplies none of the KPI/KRI evaluation outcomes in GV.OV-03."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is high-level oversight of risk-management performance via KPIs/KRIs; B is the operational execution of assessments, so each satisfies only a tangential slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's performance review/KRI process can surface and drive responses to findings, satisfying part of B's intent; B's narrow response action does not address A's metrics-based evaluation or leadership reporting."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OV-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad GV.OV-03 outcome encompasses supply-chain risk indicators as one input among many, while narrow SR-6 addresses only supplier reviews and therefore satisfies none of the organizational performance-evaluation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses a broad risk-management policy while B addresses a narrow access-control policy, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a single overarching risk-management policy while B creates a distinct, narrower audit-specific policy; the two intents therefore intersect only marginally."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad risk-management policy outcome that subsumes the narrower CA-specific policy/procedure requirements of B, while B addresses only one slice of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a broad risk-management policy outcome while B mandates a narrow, domain-specific CM policy and procedures; thus A only incidentally touches B's intent and B does not address A's intent at all."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad risk-management policy outcome while B is a narrow contingency-planning policy control; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a general risk-management policy framework whose elements can inform but do not satisfy the distinct IR-specific policy requirements of B."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies an enterprise risk-management policy umbrella that may indirectly encompass maintenance but does not satisfy MA-1's explicit maintenance-specific policy and procedure requirements; B addresses only one narrow operational domain and therefore supplies none of A's risk-strategy intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 supplies a single overarching risk-management policy umbrella that only incidentally touches the media-protection policy demanded by MP-1; MP-1 itself addresses only one narrow control area and supplies none of the broader risk-policy outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires a specific risk-management policy while B requires documented policy/procedures only for the Planning control family, so each satisfies a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 establishes a high-level risk-management policy while PL-2 produces detailed system-level plans; the policy supplies only directional context for the plans and the plans do not create or substitute for the policy."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses risk-management policy creation/review/approval while B's program plan encompasses that policy plus roles, coordination, compliance, and protection, so each satisfies only part of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-management policy supplies directional context that B's alignment review can reference, but B's narrow testing/training/monitoring process does not establish or maintain the policy required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad cybersecurity-risk policy outcome that can subsume some privacy-program elements, while B is narrowly scoped to privacy officials, federal privacy statutes, and a dedicated privacy plan."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a policy document while B mandates specific senior risk roles; each addresses a distinct slice of governance with minimal overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad cybersecurity-risk policy can encompass supply-chain elements at a high level (partial), while B's narrow supply-chain strategy satisfies none of A's general policy intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-management policy can direct existence of a POA&M process but does not implement or satisfy B's specific operational requirements; B addresses only one downstream tracking activity and does not address policy establishment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the policy-establishment slice of risk management while B addresses strategy development/implementation/review; each therefore satisfies only a portion of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad cybersecurity risk-management policy outcome while B narrowly mandates only a personnel-security policy; the scopes intersect on generic policy practices but otherwise have no overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pt-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad cybersecurity risk policy outcome while B is a narrow PII-specific transparency policy; implementing A therefore touches only part of B's intent and B satisfies none of A's broader risk-management scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 is the broad risk-management policy outcome whose scope includes the narrower RA-specific policy and procedures defined by RA-1."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-01 establishes the overarching risk-management policy whose intent is satisfied by performing the detailed RA-3 activities, while RA-3 execution alone does not create or enforce any policy."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a single high-level risk-management policy that may touch acquisition topics; B supplies only a narrow SA-domain policy and procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a single broad risk-management policy that may drive creation of domain-specific policies, while B supplies only the narrow SC-family policy and procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad risk-management policy outcome whose scope may incidentally touch integrity topics, while B mandates a distinct, narrowly-scoped SI policy and procedures that do not satisfy A's risk-governance intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad cybersecurity-risk policy outcome that subsumes supply-chain risk as one domain; B supplies only the narrow supply-chain slice plus detailed procedural mandates."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad governance outcome for cybersecurity risk policy; B is a narrow, domain-specific control limited to access-control policy and procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad risk-management policy maintenance while B mandates a narrow CA-specific policy; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only policy lifecycle updates while B's assessment planning/reporting supplies one input to those updates but omits communication, enforcement, and risk-environment review."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a general risk-policy review cadence that can be applied to CM policy updates, while B addresses only the narrow CM policy artifact and supplies none of A's risk-management policy intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A provides broad risk-policy maintenance that can incidentally touch IA policy upkeep, while B addresses only the narrow IA domain and satisfies none of A's risk-management scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general cyber-risk policy review while B narrowly mandates only a maintenance-specific policy, so A partially overlaps B's procedural elements but B satisfies none of A's broader governance intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A provides a general cybersecurity-risk policy review process that only incidentally touches the narrow physical/environmental domain of B."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-02 addresses high-level policy review cycles; PL-2 produces detailed system plans that may reference but do not satisfy policy-update intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad policy review/update while B narrowly requires architecture development plus its own review cycle; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the review/update/communication of risk policy while B requires a broader program plan with roles, approval, and protection; B's periodic update partially overlaps A's policy maintenance but omits enforcement and risk-specific scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-02's broad policy-review outcome touches supply-chain elements only incidentally, while PM-30's narrow SCRM-strategy requirement satisfies none of the general policy governance intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pt-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad cybersecurity risk policy updates while B narrowly mandates PII-specific transparency policy/procedures, so each satisfies only a slice of the other's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF outcome for cyber-risk policy lifecycle while B is the narrow RA-specific policy control, so A subsumes most of B but B only realizes one slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only policy review/update using risk results while B performs the actual assessments that feed policy; neither fully realizes the other's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.PO-02 addresses only the general cybersecurity risk policy while SA-1 addresses a distinct acquisition-specific policy, so each satisfies only a narrow slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the overarching cyber-risk policy lifecycle while B mandates a narrowly scoped SC-domain policy; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad cybersecurity-risk policy outcome while B is a narrow, supply-chain-specific policy/procedure control; each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A provides broad cybersecurity policy review/update while B narrowly mandates one specific supply-chain plan and its protection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the outcome of agreeing risk objectives while B supplies the generic planning-policy scaffolding that can reference but does not realize that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cybersecurity risk objectives while B's privacy program plan includes strategic objectives and risk elements but remains privacy-specific and broader in scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses objective-setting outcomes only; B's role appointments enable but do not directly produce agreed objectives."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad risk-objective outcome can encompass supply-chain elements but does not address the specific strategy development, implementation, or review required by B; B's narrow supply-chain focus satisfies none of A's general objective-setting intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the objectives-setting slice of a risk-management strategy while B's full strategy lifecycle (develop/implement/review) encompasses that objective-setting outcome plus additional elements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A sets high-level risk objectives while B executes detailed assessment steps; objectives do not perform assessments, but assessments can partially inform objective-setting."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad outcome on risk-management objectives while B is a narrow, supply-chain-specific procedural control; objectives may inform the plan but the plan does not establish or obtain agreement on objectives."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the high-level risk-appetite inputs that appear in one clause of B's risk determinations, while B's system-plan details do not produce or maintain organizational risk-appetite statements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies risk-appetite inputs that inform the org-wide risk program B integrates authorization into, while B's authorization and role-designation steps touch only one slice of the appetite/tolerance outcome A defines."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow slice (appetite/tolerance statements) of B's broader risk-management strategy; B's comprehensive strategy inherently includes and largely satisfies A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines appetite/tolerance statements only; B performs assessments whose results may feed appetite decisions but neither activity realizes the other's core intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses enterprise-level risk aggregation only; B produces system-level plans that include risk assessments and determinations but do not integrate cyber risk into broader ERM processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the ERM-integration slice of program governance while B supplies the overarching plan and roles that partially enable but do not mandate enterprise risk aggregation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of embedding all cyber risk activities into ERM; B supplies one concrete mechanism (authorization) plus role designation that partially realizes that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly integrates all cyber risks into ERM while B narrowly mandates a supply-chain-specific strategy, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the ERM-integration slice of B's broader strategy-development, privacy, implementation and review requirements, while B produces a security/privacy strategy that may or may not be embedded in enterprise risk processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ERM integration outcomes while B only mandates RA-specific policy/procedure artifacts; A satisfies none of B, and B satisfies only a narrow foundational slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad ERM integration encompasses risk-tolerance-driven responses as one outcome; B's narrow finding-response action satisfies none of A's governance-integration intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only broad ERM inclusion of cyber risks while B's core intent is system-level resiliency design plus RM implementation; B therefore satisfies only the RM-process slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly integrates all cyber risks into ERM while B narrowly prescribes only a supply-chain plan, so each satisfies a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's high-level risk-response strategy (incl. shared-responsibility examples) only touches one narrow slice of B's concrete interconnection-agreement requirements; B supplies a single operational control and cannot establish A's strategic direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-response-strategy slice of the broad program-plan mandate in B, while B's required plan, roles, senior approval and risk accountability largely realize A's strategic-direction outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the high-level risk-response strategy that B references for plan reviews, while B only enforces alignment for the narrow testing/training/monitoring domain and does not establish or communicate the broader strategic direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets risk-response criteria/communication while B supplies the broader framing (tolerance, priorities, constraints) that underpins those responses."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A sets broad risk-response direction that touches outsourcing/cloud examples; B narrowly mandates only the supply-chain slice of that direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies high-level risk-response strategy; B assumes that strategy exists and only enforces POA&M alignment to it without establishing or communicating the strategic direction itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-response-options slice of B's broader mandate to develop, implement, and review a strategy, while B's comprehensive strategy directly realizes A's outcome and more."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines high-level risk-response strategy; B performs the distinct assessment step that informs but does not realize that strategy."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's strategic risk-response direction explicitly includes shared-responsibility/outsourcing decisions that subsume most of a supply-chain risk plan, while B addresses only one narrow slice of A's broader risk-response outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a purely procedural cross-org communication outcome while B is a system-level documentation control that touches only a narrow slice (roles, threats) of that intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.RM-05 is a narrow communication outcome while PM-1's coordination and role-assignment elements largely realize that outcome but also encompass many unrelated program-plan requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cross-org risk communication while B addresses broader mission/process definition that may incidentally include risk communication mechanisms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cross-org risk communication channels while B appoints risk leadership roles; the latter enables but does not realize the former."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the communication slice of risk governance (incl. suppliers) while B narrowly mandates a full SCRM strategy; each therefore satisfies a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses org-wide risk communication; B's POA&M process touches reporting and supply-chain risk tracking but does not establish the described communication lines."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the communication slice of risk management while B's comprehensive strategy includes (but is not limited to) establishing cross-org risk communication."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the dissemination/communication slice of B's risk-assessment process while B's dissemination step touches but does not establish the broader ongoing cross-org risk-communication lines required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only org-wide risk communication (incl. suppliers) while B requires a full documented, reviewed, and protected SCRM plan; thus A satisfies none of B, and B satisfies only the supplier-risk slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-method elements inside B's broader plan; B supplies per-system risk determinations but does not establish the enterprise-wide standardized method required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies standardized calculation/prioritization templates that address only the documentation/prioritization slice of B's framing elements, while B supplies assumptions/constraints/tolerance context that addresses only part of A's risk-method outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a general cyber-risk method that can be applied to supply-chain risks but does not address the supply-chain-specific strategy, consistency, or review requirements of B; B realizes only one narrow slice of the broad risk-method outcome in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the upstream risk-calculation and prioritization method while B\u2019s POA&M process neither creates that method nor fully documents/categorizes risks; B\u2019s consistency review touches only a narrow slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the risk-calculation/prioritization slice of the broader strategy that B requires to be developed, implemented, and maintained."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one concrete risk-method outcome while B supplies only the meta policy/procedure scaffolding for the RA family; each therefore satisfies a slice but not the full intent of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines the overarching standardized risk method whose use directly satisfies most RA-3 steps; B executes assessments and thereby realizes only a slice of the governance outcome in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies general risk documentation/prioritization methods usable inside an SCRM policy while B mandates an SCRM-specific policy that can embed such methods, yet each addresses only a slice of the other's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets inclusion of positive risks while B addresses broader risk-framing elements (assumptions, constraints, tolerance) that only incidentally touch priorities/trade-offs."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow inclusion of positive risks in discussions while B defines a broad org-wide risk strategy covering security/privacy risks, implementation and updates."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.RR-01 supplies high-level leadership accountability and risk-culture expectations that touch only the roles/responsibilities clause of CA-1, while CA-1's narrow CA-domain policy mandate satisfies none of GV.RR-01's broader intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses leadership accountability and roles for cyber-risk strategy but only incidentally touches policy documentation; B's narrow planning-policy scope satisfies none of A's governance/culture intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only high-level leadership accountability and culture; B's role-identification element satisfies a narrow slice of A's examples while the remainder of B's plan content is unrelated."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses leadership accountability/roles and strategy maintenance but omits B's formal program-plan document, coordination, approval, and protection requirements; B directly satisfies A's accountability and roles elements via senior-official approval and management commitment while only indirectly touching culture."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both address senior-leadership roles, accountability and program commitment, yet one is cyber-risk-specific while the other is privacy-program-specific, so each satisfies only the overlapping slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-19",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only cybersecurity leadership/accountability while B is a narrow privacy-specific appointment; each satisfies only a disjoint slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's leadership accountability outcome and CISO-direction example largely subsume the appointment of a senior security officer, while B realizes only the narrow role-establishment slice of A's broader culture and risk-ownership intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses leadership accountability and roles (with culture) while B narrowly mandates specific risk-executive appointments and alignment; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses high-level leadership accountability and risk strategy oversight that touches policy maintenance; B codifies roles/responsibilities and review cycles for one narrow RA policy but omits broader governance and culture outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad leadership accountability for cybersecurity risk while B narrowly mandates SCRM policy/procedure artifacts and roles only."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad risk-management roles that B references only narrowly inside its assessment-plan requirement, while B supplies none of A's policy, personnel, or enforcement outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the single roles-identification bullet inside B's broad plan; B's plan requirement touches role identification but omits A's organizational establishment, communication, and enforcement of risk-management authorities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities slice of B's broader program-plan requirements; B's mandated role assignment, coordination, and senior accountability largely realize A's outcome but omit explicit enforcement language."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities designation sentence inside B while B's core intent (authorization processes integrated into organizational risk management) remains untouched; B directly satisfies the designation of roles that is the central outcome of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates all cyber-risk roles/responsibilities (including leadership), while B only realizes one specific senior-officer appointment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-23",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad cyber-risk role documentation can encompass data-governance roles as one slice, while B's narrow data-body mandate satisfies none of A's full scope of cyber-risk responsibilities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of establishing all cyber-risk roles/responsibilities while B supplies one concrete implementation (senior risk leadership appointments)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A assigns broad risk-management roles that can encompass POA&M ownership, satisfying a slice of B; B's POA&M process never addresses role establishment or communication."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses resource allocation while B's plans enumerate roles/controls but do not allocate resources."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the resource-allocation slice of B\u2019s broader program-plan requirements; B defines roles/responsibilities and management commitment inside the plan but does not explicitly require commensurate resource allocation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the general resourcing needed to execute B's plans but does not establish the required testing/training/monitoring processes or reviews; B addresses only a narrow slice of activities and never touches resource allocation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the resource-allocation slice of B's broader privacy program plan; B addresses only the privacy-specific slice of A's cybersecurity resource outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of risk-aligned resource allocation (including investment), which B's capital-planning steps directly support but do not fully encompass (e.g., authority reviews)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses resource allocation and authority reviews; B's POA&M process only touches risk-strategy consistency for remediation tracking, satisfying a narrow slice of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses resource allocation for risk roles/strategy (touching B's management commitment and roles) while B only mandates RA policy existence without any resource provisions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses HR processes only; B's plan documentation touches roles/responsibilities (one narrow slice of A) but satisfies none of A's operational HR intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only a narrow HR/personnel slice while B is a meta-level program-plan document whose scope can encompass HR controls among many others."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only HR/personnel practices while B centers on system authorization and org risk integration; B's role-designation element touches a narrow slice of A's risk-aware personnel intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches training/retention elements of workforce development but omits the program construct; B addresses only the development slice of broader HR practices."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies concrete HR practices but omits any policy/procedure documentation; B supplies only the meta policy framework that partially enables but does not realize those practices."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses HR cyber practices for personnel while B narrowly mandates external-provider controls, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad HR integration (screening/background checks/knowledge factors) while B narrowly targets role/responsibility language in position descriptions; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a supply-chain risk program while B performs general control assessments; assessments can verify SCRM controls but do not establish the program."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies domain-specific policies/procedures for supply-chain risk management while B requires a broader planning-family policy framework; conversely B supplies only generic policy scaffolding that partially enables but does not address A\u2019s strategy, objectives, and stakeholder-agreed program."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets C-SCRM program elements while B broadly defines the overall security program plan, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates the full program/strategy/policies/processes and stakeholder agreement, covering most of B's strategy+implementation intent but not its explicit periodic review; B narrowly addresses only the strategy element and therefore covers only a slice of A's program scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's program/plan-with-milestones language touches POA&M elements but omits B's remedial-action documentation, reporting, and risk-strategy review steps; B addresses only one narrow process and does not establish A's strategy, objectives, or stakeholder-agreed policies."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies policy/procedure elements only for supply-chain risk management while B supplies the generic RA policy framework; each therefore satisfies a slice but not the core scope of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates the full SCRM program including policies/procedures; B narrowly supplies only the policy/procedures slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly calls for developing the SCRM program including its plan/policies/procedures, satisfying most of B's narrower plan-focused intent, while B addresses only one slice of A's broader program/strategy/stakeholder-agreement scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes the overarching SCRM program/policies/processes; B is one concrete operational control that realizes part of those processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.SC-02 addresses only supply-chain-specific role documentation while CA-1 requires policy and roles solely for the CA domain, yielding no overlap one way and a narrow procedural slice the other way."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the supply-chain-specific roles/responsibilities slice of B's broad planning-policy requirement, while B supplies only a generic roles framework that does not mandate A's supplier/partner focus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities element of system plans but is limited to supply-chain parties; B's broad plan includes general system roles yet does not cover external supply-chain coordination."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain-specific roles/responsibilities slice while B requires a full program plan; B's general roles/coordination language partially encompasses supply-chain needs but lacks the external/SCRM focus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both address designation of risk-management roles/responsibilities, yet A is narrowly scoped to supply-chain parties while B centers on authorization and org-wide risk integration, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain-specific roles/policy documentation while B requires a broad risk-assessment policy covering purpose/scope/compliance; each satisfies only the overlapping roles element of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities coordination slice of a full policy lifecycle, while B's required policy explicitly calls for roles, responsibilities and coordination that realize A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the roles/responsibility slice of a SCRM plan while B's plan development, update and protection requirements inherently encompass and operationalize those roles."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the roles/responsibilities slice of B's broader supply-chain process and control requirements, while B's coordination and documentation clauses touch but do not satisfy A's explicit internal/external role-establishment outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses SCRM integration into ERM/risk processes; B's continuous-monitoring activities can support risk-assessment elements but do not address supply-chain scope or integration intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain integration into ERM processes while B's system plans touch risk assessment and controls only incidentally and lack enterprise-level supply-chain scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain integration while B supplies only a generic program-plan framework that can accommodate but does not mandate that integration."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integration of SCRM into ERM/improvement while B mandates a standalone org-wide SCRM strategy; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-31",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses narrowly on SCRM integration into risk/improvement processes while B defines a broad continuous-monitoring program; monitoring can support improvement but does not address supply-chain integration."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad integration mandate encompasses POA&M-style remediation tracking and risk-strategy alignment for supply-chain risk, while B realizes only the narrow improvement/remediation slice of that integration."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the SCRM-integration slice of a risk strategy while B provides the general strategy without requiring SCRM integration."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integration of supply-chain risk into existing assessment processes but supplies no policy/procedure artefacts; B supplies the RA policy framework that can accommodate supply-chain content yet does not mandate the integration outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain slice of risk assessment while B performs general risk assessment without mandating SCRM integration into enterprise processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A embeds SCRM into assessment/improvement processes (touching response activities) while B addresses only generic finding response and omits all supply-chain integration scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses a narrow integration outcome for supply-chain risk; B's SA policy requirement touches acquisition-related supply-chain elements but does not encompass enterprise-risk integration or improvement processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integration outcomes while B narrowly mandates only policy/procedure artifacts; policy is a prerequisite slice but does not realize integration."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's integration mandate and control-set examples encompass the core of a SCRM plan plus its embedding in ERM/improvement processes, while B supplies only the narrow plan artifact itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broader integration outcome that subsumes B's narrower process-and-control establishment as one realization lever."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inventory/prioritization while B's external-dependencies clause touches supplier considerations without requiring criticality ranking or records."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supply-chain outcome while B is a broad program-plan document; implementing A satisfies none of B, and B's high-level control description only incidentally touches supplier prioritization."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inventory/prioritization while B broadly defines mission and business processes; the two intents intersect only tangentially via mission importance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's supplier identification/prioritization touches CUI sensitivity but does not address B's policy/procedure mandate; B's narrow CUI-protection focus does not realize A's broader supplier inventory outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30.1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of knowing and prioritizing all suppliers by criticality; B realizes the identify/prioritize/assess slice for critical suppliers only."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inventory/prioritization; B's broad RA steps can surface supplier risks but do not require or realize A's specific record-keeping and criticality criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only catalogs and prioritizes suppliers by criticality; B requires compliance, documented oversight, and ongoing monitoring of external providers (implying awareness but not prioritization)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs risk-informed prioritization of known suppliers but omits ongoing assessment/review; B performs risk assessment/review but does not mandate an explicit prioritized inventory by criticality criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supply-chain contractual requirements while B is a general assessment process that can support verification but does not establish those requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses supply-chain-specific contractual controls including info-sharing rules, satisfying only the supplier slice of B's general system-exchange agreements; B supplies an agreement mechanism that partially realizes one implementation example within A's broader supply-chain risk requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain contract requirements while B is a broad program-plan control that only incidentally touches governance outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only contractual supply-chain requirements while B performs general system risk assessment; the two intents intersect only indirectly via risk identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain-risk slice of the broader acquisition/contract requirements in B, while B directly mandates inclusion of supply-chain risk management and related security requirements in contracts."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's contract-based requirements and verification language satisfy most of B's compliance and oversight intent, while B addresses only one slice of A's broader supply-chain scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the contract-integration slice of SCRM while B only mandates existence of a high-level policy/procedures document, so each satisfies a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly mandates contractual integration of supply-chain requirements while B broadly requires identifying weaknesses, selecting controls, and documenting processes, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad contractual outcome; B supplies one concrete acquisition/control lever that partially realizes it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A centers on establishing/integrating requirements into contracts; B is the distinct activity of performing supplier risk assessments, sharing only indirect overlap via criticality evaluation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-contract supplier due diligence while B broadly documents system-level security/privacy plans that may incidentally reference external dependencies."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the external-supplier due-diligence slice of B's procurements/external-dependencies requirement; B's architecture documentation touches supplier assumptions yet omits the explicit risk-assessment and diligence process A requires."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-29",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier-specific due diligence while B establishes org-wide risk leadership roles that can encompass but do not realize supplier activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-relationship supplier due diligence while B's POA&M process covers ongoing remediation tracking that can include supply-chain items but does not realize the specific planning/due-diligence intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs only supplier-specific risk assessments (narrow slice of general RA-3); RA-3 itself contains no supplier due-diligence or pre-engagement requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-contract supplier assessments while B mandates a broad set of contractual security and supply-chain clauses; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-engagement due diligence/risk assessment while B centers on contractual requirements plus ongoing monitoring/roles, so each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the due-diligence slice of acquisition activities while B\u2019s broader mandate for supply-chain acquisition strategies necessarily encompasses that due-diligence planning."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's pre-relationship due diligence explicitly includes supplier risk assessments (implementation example Ex3), satisfying most of B's assessment intent, while B implements only the narrow assessment/review slice of A's broader planning outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements supplier-specific assessment/monitoring activities that realize only a narrow slice of general control assessment (B); conversely B supplies the assessment mechanism usable for third-party obligations but addresses only that slice of A's full risk understanding/prioritization/monitoring lifecycle."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supplier risk monitoring while B broadly documents system risks/threats/dependencies (including possible third-party elements) but omits ongoing supplier lifecycle activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only operational third-party risk activities while B defines the overarching program-plan artifact that may reference but does not execute those activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the full supplier-risk lifecycle while B supplies only the POA&M tracking mechanism for the supply-chain slice; each therefore satisfies only a portion of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supplier/third-party slice of risk assessment while B provides the general RA process that partially encompasses supplier risks but lacks A\u2019s lifecycle monitoring and evidence-evaluation specifics."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad supplier-risk outcome that explicitly requires criticality evaluation of third-party products/services as one activity; B is the narrow RA-9 lever that supplies only that single analytic technique."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ongoing supplier risk monitoring/evaluation of contractual compliance but omits contract content specification; B mandates SCRM responsibilities and requirements in acquisition contracts but covers only the initial phase, not lifecycle monitoring."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring and compliance-evaluation examples satisfy most of B's requirements while B addresses only the ongoing-monitoring slice of A's broader third-party risk lifecycle."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome of ongoing supplier-risk understanding/assessment/monitoring inherently requires and therefore mostly satisfies the narrower SCRM-plan artifact and its maintenance in B, while B's plan document alone only partially addresses A's full lifecycle execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad supplier-risk lifecycle outcome subsumes B's process/control/documentation steps while B realizes only the response/monitoring slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome that explicitly includes assessment/review plus prioritization/response/monitoring; B is the narrow 800-53 control realizing only the assess/review slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier coordination/roles (a narrow slice of contingency policy scope) while B's generic policy requirements do not mandate or realize supplier inclusion in incident activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supplier-specific outcome while B only creates the generic IR policy framework that may reference external coordination."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only a narrow slice of supplier/incident roles and reporting that could appear inside a planning policy, while B's generic policy mandate can encompass but does not require the specific third-party incident activities in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inclusion in incident activities while B's broad system-plan requirements touch roles/dependencies but omit incident-specific third-party obligations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only a narrow supplier-incident coordination slice while B's broad program-plan mandate touches roles/coordination generically but omits third-party incident specifics."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inclusion in incident response activities while B's POA&M process for supply-chain risk can track related remedial actions but does not implement the incident-specific coordination."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow incident-response slice of supply-chain responsibility allocation inside B, while B's broad acquisition/contract vehicle can embed all of A's incident-planning, role, and exercise requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the incident-specific slice of roles/reporting while B broadly mandates compliance, oversight roles, and monitoring for all external services."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supplier inclusion in incident response activities while B requires a broad lifecycle SCRM plan; the plan may encompass incident elements but does not mandate them."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow incident-response slice of supplier interactions while B provides a broad supply-chain risk process that may encompass but does not explicitly require incident-planning inclusion."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's incident-reporting protocols and role definitions directly realize SR-8's notification agreements while also addressing wider planning/exercise activities that B does not reach."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain provenance/risk reporting while B broadly documents system plans/controls; plans may reference supply-chain items but do not realize A\u2019s lifecycle integration mandate."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain provenance/authenticity within risk programs while B broadly covers enterprise security/privacy architectures including external dependencies and acquisitions, yielding only slice overlap each way."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supply-chain outcome that does not address program-plan development; B's broad plan framework can encompass supply-chain integration as one management control but does not mandate it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses supply-chain provenance and authenticity reporting inside risk programs; B supplies only the generic risk-framing foundation that can accommodate supply-chain considerations but does not require or detail them."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad integration+monitoring outcome subsumes B's strategy development/implementation/review as a core lever, while B realizes only the strategy slice of A's lifecycle intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-31",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's supply-chain provenance/reporting examples touch only the monitoring/reporting slice of B's org-wide continuous-monitoring mandate while B's control-effectiveness monitoring can support A's performance-monitoring requirement but omits provenance, authenticity, and supplier policies."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad supply-chain integration/monitoring outcomes while B narrowly mandates a POA&M tracking process that only partially realizes one monitoring element of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the supply-chain slice of risk management while B's broad strategy framework encompasses and enables that integration plus far more."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the supply-chain slice of general risk assessment while B's broad RA process can subsume supply-chain risks without mandating A's provenance or lifecycle-monitoring specifics."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only supply-chain-specific integration and monitoring; B's general response to assessment findings touches a narrow slice of that risk-management outcome but omits provenance, authenticity, and lifecycle practices."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supply-chain outcome while B is a broad acquisition control that touches supply-chain risk only as one clause among many unrelated requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad SCRM outcome that subsumes external-service oversight; B realizes only one narrow slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome that explicitly includes policy/procedure elements plus monitoring and lifecycle integration, while B narrowly addresses only the policy document itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of integrating supply-chain practices into risk management; B is one concrete artifact (the SCRM plan) that realizes part of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome of integrating and monitoring supply-chain practices subsumes B's process-and-control requirements, while B addresses only a slice of A's provenance, authenticity, and risk-program integration intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome integrating supply-chain practices into risk programs (with acquisition examples); B is one narrow acquisition-focused lever inside that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "GV.SC-09 is the broad outcome integrating supply-chain practices into risk programs (covering SR-6 assessments plus more); SR-6 is one narrow assessment activity inside that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's narrow post-partnership supply-chain steps satisfy none of B's broad system-planning mandate; B's control-description requirement can incidentally touch supply-chain content but does not address A's specific intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-agreement supply-chain procedure while B is the broad overarching security program plan that may subsume supply-chain elements but does not specifically require them."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-termination/disposal slice while B's org-wide strategy explicitly spans development through disposal and therefore subsumes A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-termination supply-chain plan provision while B is a broad POA&M process covering many risk areas; thus A satisfies none of B, and B only partially touches A's specific post-agreement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-termination SCRM procedural requirement while B is a broad general risk-assessment process; B can surface relevant supply-chain risks but does not mandate A's specific provisions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-agreement SCRM plan elements while B broadly mandates contract inclusions for acquisition; B therefore partially realizes termination/end-of-life/access provisions but A realizes none of B's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow termination/deactivation slice of B while B's ongoing compliance/monitoring requirements touch but do not fully realize A's post-agreement SCRM provisions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow content requirement for post-agreement plan provisions while B only mandates generic policy/procedure scaffolding without dictating those provisions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-agreement/disposal slice of B's full-lifecycle SCRM plan, while B's required plan (incl. disposal + review) satisfies most of A's post-conclusion intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses only post-termination SCRM provisions while B is a broad general supply-chain process/control requirement that can encompass but does not explicitly mandate those provisions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-termination SCRM plan provisions while B targets acquisition-phase strategies/tools; contract language in B can partially realize A's termination/end-of-life examples."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only hardware inventory maintenance; B's change-control process can generate records that help keep inventories current but does not itself create or maintain those inventories."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the high-level hardware-inventory outcome while B adds component granularity, review cadence and accountability attributes that A does not require; conversely B\u2019s system-component inventory directly realizes A\u2019s hardware-inventory intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only hardware/device inventories (a slice of system inventory), while B's system-level inventory encompasses hardware assets and therefore satisfies most of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Hardware inventory maintenance supplies no vulnerability scanning capability, while vulnerability scans can incidentally aid asset discovery but do not satisfy inventory intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad inventory monitoring supports one compliance aspect of B but omits policy/enforcement; B's narrow user-install controls aid only a slice of A's full software/service inventory scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's monitoring-for-inventory-changes example overlaps one narrow slice of B's monitoring/review activities, while B's documented change records support but do not constitute the broader asset-inventory outcome of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of maintaining inventories of systems/software/services (with change monitoring); B supplies one detailed implementation slice limited to system components."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome explicitly includes system inventories (plus software/services/monitoring) so fully satisfies B's narrow intent; B addresses only the systems slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Inventory (A) supplies the asset scope needed for scanning but does not perform monitoring, analysis or remediation (B); B's enumeration is incidental and does not satisfy ongoing inventory maintenance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the baseline representations that inform flow policy, satisfying a prerequisite slice of B's enforcement intent; B performs runtime enforcement and does not produce or maintain the documented baselines required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only maintains flow baselines while B requires formal approvals, interface agreements and periodic reviews; B's interface documentation partially supports flow representations but omits internal/IaaS baselines."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies authorized-flow baselines that partially satisfy B's internal-connection authorization and documentation needs, while B addresses only the internal slice of A's broader baseline scope and adds unrelated lifecycle controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only network data-flow diagrams while B addresses general component configuration baselines, so A satisfies none of B; B's settings/monitoring can partially realize flow baselines but omits the explicit data-flow focus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the authorized-flow inventory that informs least-functionality decisions while B enforces a subset of those flows via port/protocol restrictions; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only network/data-flow baselines while B addresses component inventory; each satisfies a distinct slice of asset management with minimal overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational baseline practice unrelated to B's broad planning/documentation requirements; B's environment/dependency descriptions touch flow representations only incidentally."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational baseline activity on network flows; B's broad architecture descriptions can encompass data-flow elements but do not mandate maintaining such baselines."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow network-flows baseline practice while B is a broad enterprise-architecture outcome; B therefore only partially encompasses the specific flows representations required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-20",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's inventory supports external-service oversight but does not implement B's authorization/prohibition rules; B's policy statements contain no inventory requirement."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets external supplier services while B broadly covers internal system components, yielding only partial overlap each way."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only creates an inventory while B requires compliance mandates, role definition and ongoing monitoring; B's oversight activities implicitly require service awareness but do not mandate formal inventory maintenance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow inventory outcome that supplies one input to supplier risk visibility; B requires a broad, multi-phase SCRM plan whose existence and maintenance are not satisfied by inventory alone."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow asset-prioritization practice that satisfies none of B's program-plan requirements; B's high-level plan may reference asset management but does not specifically mandate the outcomes in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow asset-prioritization activity that does not address mission/process definition; B's mission definition and protection-need analysis partially informs asset criticality but does not require the prioritization steps in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow asset-prioritization activity that only partially instantiates B's broad risk-management strategy; B's comprehensive strategy necessarily encompasses asset classification/criticality prioritization and therefore covers most of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's asset prioritization uses classification/criticality as inputs but omits B's formal system-level categorization, documentation, and authorizing official (AO) approval steps; B supplies the classification element but does not address A's broader prioritization criteria, tracking, or mission-impact scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow input (mission-impact prioritization) usable inside B's impact analysis, while B performs threat/vuln/likelihood work with no requirement to define or maintain asset prioritization criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad prioritization outcome includes criticality as one factor while B's narrow analysis produces only the criticality inputs needed for that prioritization."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-type inventory/metadata focus touches location only incidentally while B's location/users/changes mandate supplies one narrow slice of an inventory but omits classification and designated-type scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-13",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A maintains static data-type inventories/classifications while B documents dynamic processing actions; each addresses a distinct slice of data governance with only incidental overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow data-inventory outcome unrelated to mission-process definition, while B's protection-needs step only indirectly touches data identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-inventory outcome supplies no assessment or risk-analysis steps required by B; B's privacy impact assessment (PIA) process identifies PII flows and can feed classification but does not deliver ongoing discovery, metadata maintenance, or coverage of non-PII data types demanded by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only data discovery/classification inventory while B addresses policy-driven retention management; retention may incidentally require classification but does not produce or mandate inventories."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-lifecycle outcome touches data-action visibility only incidentally, while B's narrow mapping task satisfies none of A's multi-asset lifecycle scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF life-cycle outcome subsumes most CM-plan elements while the narrow control only addresses one configuration slice of asset management."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad life-cycle outcome A includes maintenance as one phase while narrow procedural control B realizes only that slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Lifecycle asset management (A) encompasses a maintenance phase and therefore partially satisfies timely-maintenance intent, while the narrow MA-6 control addresses none of the broader ID.AM-08 outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's life-cycle integration outcome supplies none of PL-2's required planning artifacts; PL-2's documented components, context and controls touch only a slice of life-cycle management intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-23",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad lifecycle management outcomes while B narrowly mandates a data governance body; the body supplies one data-specific lever but does not realize the full scope of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad lifecycle outcome partially encompasses vulnerability scanning as one activity; B's narrow scanning requirements address only a slice of asset lifecycle management."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-22",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad life-cycle outcome (A) encompasses end-of-support replacement as one phase, while the narrow control (B) addresses only that single slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle outcome directly encompasses SDLC security integration (mostly satisfying B) while B addresses only the development phase slice of A's wider scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle outcome fully encompasses acquisition as one phase while B supplies only the contract-specific slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle management outcome subsumes the engineering-principles application called for by B, while B addresses only one technical slice of A's wider scope (including shadow IT, hardware/services, data)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data lifecycle management includes retention as one phase but omits B's explicit regulatory/policy requirements; B addresses only a narrow slice of information handling and nothing else in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data life-cycle outcome touches the information-life-cycle aspect of B but omits PII-quality operations; B addresses only one narrow privacy slice and satisfies none of A's cybersecurity asset-management scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad life-cycle outcome A fully contains disposal as one phase, while narrow control B realizes only that single slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad life-cycle outcome includes acquisition as one phase, so it partially satisfies B's supply-chain acquisition intent; B's narrow procurement focus realizes none of A's full life-cycle scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers evaluation outcomes without addressing policy/procedure development; B supplies the policy scaffolding that enables but does not itself produce improvement identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome whose realization requires control assessments of the type B specifies (plus other evaluation methods); B realizes only one slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A identifies improvement opportunities from evaluations; B creates a POA&M artifact to track remediation actions after weaknesses are already noted."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation/audit activities touch only a slice of CA-7's continuous-monitoring strategy, metrics, and response loop, while CA-7's ongoing assessments and analysis directly realize most of A's improvement-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad evaluation outcome that can be satisfied by many methods including but not requiring pen testing, while B is one narrow assessment technique that contributes to but does not fully realize A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ID.IM-01's broad evaluation/improvement outcome can touch configuration monitoring but does not realize CM-6's core settings-establishment and deviation-approval activities; conversely CM-6's narrow monitoring provides only one slice of the CSF improvement identification intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B's review/update/lessons-learned steps satisfy only a narrow slice of the broad evaluation-driven improvement outcome in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one evaluation-based improvement mechanism that touches only B's lessons-learned clause; B supplies incident-driven improvement data that addresses only one slice of A's broader evaluation outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation/audit activities can surface IR-plan gaps (partial slice of B) while B's plan content and update clauses do not themselves constitute the evaluations required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses solely on post-implementation evaluations to surface improvements, satisfying none of B's broad planning/documentation mandate; B's required risk assessments and threat descriptions partially realize the evaluation step in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation-focused outcome does not address the program-plan document, roles, approval, or protection elements of B; B's compliance/coordination clauses touch only a slice of the evaluation intent in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's evaluation/assessment outcome directly encompasses the risk-assessment activities in B (with matching threat/vulnerability examples), while B realizes only one narrow slice of A's broader improvement-identification intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad evaluation-driven improvement outcome encompasses vulnerability scanning as one key method among others; B's narrow technical scanning process realizes only a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only addresses evaluation and improvement identification; B addresses post-finding response actions, satisfying only the downstream slice of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome on program-level evaluation-driven improvements while B is a narrow SDLC/developer-specific assessment-and-remediation control; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only produces evaluation findings while B executes a concrete flaw-remediation lifecycle; B satisfies one narrow slice of the improvement identification outcome but supplies none of the required assessment activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is an assessment/improvement-identification outcome whose examples do not enact ongoing attack/usage monitoring; B supplies event data that can feed evaluations but does not itself perform the required self-assessments or audits."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B produces assessment results that can feed improvement identification, but neither control addresses the other's core intent (A omits assessment execution; B omits explicit improvement derivation)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only identifies improvements from exercises and addresses nothing about the POA&M; B creates remediation plans from assessment findings, satisfying a slice of improvement identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly targets post-exercise improvement identification while B's continuous-monitoring scope (metrics, ongoing assessments, analysis, response) only partially overlaps that slice via its assessment/response elements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a post-test improvement-identification outcome; B supplies one narrow test input but neither mandates nor realizes the other's core intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-exercise improvement identification while B only mandates high-level CP policy/procedure governance with no realization of improvement activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the lessons-learned/update slice of contingency-plan maintenance while B's plan requirements touch improvement identification but omit explicit exercise-driven, supplier-inclusive improvement processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome of identifying improvements from any tests/exercises; B is a narrow control whose review/corrective-action steps are subsumed by A while its test-execution mandate is not."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-exercise improvement identification while B only establishes IR policy/procedure governance, so A satisfies none of B and B satisfies only a slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-test improvement identification while B only executes IR testing and supplies no improvement step."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the lessons-learned slice of B's incident-handling scope while B's explicit requirement to incorporate lessons from handling activities (incl. tests) satisfies most of A's improvement-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-exercise improvement identification while B is the full IR-plan artifact whose maintenance clause touches a slice of that activity."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-exercise improvement-identification step while B mandates the full testing/training/monitoring planning and execution lifecycle, so A covers a slice of B; B's process largely enables the improvement identification in A but does not explicitly require supplier coordination or improvement capture."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-31",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-test improvement identification while B defines an ongoing monitoring program whose analysis/response elements touch improvement identification only incidentally."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A only identifies post-exercise improvements while B tracks remedial actions in POA&Ms; neither fully realizes the other's process or scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-exercise improvement identification while B performs operational vulnerability scanning; the latter supplies only one narrow input to the former."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of identifying improvements from tests/exercises while B addresses broader risk-tolerant response to any assessment/audit/monitoring findings; each therefore satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-test improvement identification across operational exercises; B mandates developer SDLC assessments and flaw remediation, satisfying only a narrow slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad improvement identification includes policy review (Ex2) that touches B's review requirement but not its AC-specific policy development/dissemination; B's AC-1 review satisfies only one narrow slice of A's operational improvement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches one procedural element of B, while B's narrow AU-policy mandate satisfies none of A's broad improvement-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches B's update requirement while B's periodic review only realizes one narrow slice of A's broader improvement-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CA-2 assessments can surface improvement opportunities but address only one narrow slice of ID.IM-03's broader lessons-learned/metrics intent; ID.IM-03 does not address assessment planning or execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly captures improvement identification from operations while B narrowly mandates a POA&M artifact driven by assessments/monitoring, yielding only partial overlap each direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A captures only the improvement-identification outcome while B's monitoring+analysis+response activities largely realize that outcome plus much more."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad post-execution improvement outcome; B is one narrow proactive testing activity that can feed A but is neither required by nor subsumed under it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches one narrow procedural element of B, while B's CM-specific policy mandate has no overlap with A's broad operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad lessons-learned reviews touch B's update requirement but ignore CP-specific policy development; B's narrow CP policy activities address only one narrow slice of A's general improvement identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad improvement-identification outcome overlaps only the lessons-learned/update clause inside B, while B's contingency-plan activities realize only one narrow slice of A's operational-improvement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review/lessons-learned example overlaps only the update clause of B while B's narrow IA-policy scope satisfies none of A's broad improvement-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-execution improvement identification while B only mandates periodic IR policy/procedure reviews, satisfying a narrow slice of that intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the lessons-learned slice of B's incident-handling scope while B supplies only the incident-specific slice of A's general operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the metrics/lessons-learned slice of B; B supplies only the IR-specific slice of the general improvement outcome in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review and lessons-learned activities satisfy only the periodic-update clause of MA-1; B's maintenance-specific policy mandate does not address operational improvement identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches B's update requirement but does not address MP-specific policy creation; B's narrow media-protection scope satisfies none of A's general improvement-identification intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example touches one procedural slice of B while B's periodic review requirement only partially realizes A's broader improvement-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's improvement identification (reviews/lessons) overlaps only the update clause of B's program-plan control while B's plan governance touches only one slice of A's operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad improvement-identification outcome (incl. policy review) touches only the update clause of B's narrow CUI-external policy requirement, while B supplies no coverage of A's general operational lessons-learned intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-31",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's improvement-identification outcome (incl. metrics) touches only the analysis/response slice of B's full monitoring program, while B's ongoing metrics/analysis directly realizes most of A's operational-improvement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad improvement-identification outcome while B is a narrow POA&M tracking process; B partially realizes one remedial-action slice of A but A does not address B's process, documentation, or reporting requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ps-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general cybersecurity improvement identification while B narrowly mandates personnel-security policy/procedure development and review, yielding no overlap one way and only a thin procedural slice the other way."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pt-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example overlaps B's update requirement but addresses neither PII-specific scope nor initial development/dissemination; B's PT policy maintenance satisfies only one narrow slice of A's operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's annual policy review overlaps only the update clause of B while B's RA-specific policy mandate does not address operational improvement identification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-execution improvement identification (lessons, metrics, policy reviews) unrelated to RA-3's specific risk-assessment steps; B's risk assessments can surface improvement needs but address only a narrow slice of A's broader operational-improvement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad post-execution improvement identification outcome unrelated to the specific vuln scanning mechanics required by B; B's analysis and remediation steps can feed improvement identification but address only one narrow slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses identification of improvements via lessons/metrics while B addresses response actions to assessment findings; only narrow source overlap exists from B to A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example overlaps one narrow slice of B, while B's SA-specific policy mandate satisfies none of A's broad operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad operational lessons-learned while B narrowly mandates developer SDLC testing/flaw-remediation, satisfying only a thin slice of A's improvement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example satisfies the update/review slice of B while B's narrow SC-specific policy mandate addresses none of A's broader operational-improvement intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review example satisfies only the update clause of B while B's SI-specific policy reviews address only one narrow slice of A's operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome on identifying operational improvements; B is one narrow realization (flaw remediation) that partially satisfies A while A encompasses B plus additional activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a post-execution improvement-identification outcome while B is a specific detection/analysis activity; B supplies one input to A, but A satisfies none of B's monitoring requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's policy-review/lessons-learned activity overlaps one procedural element of B but is neither supply-chain-specific nor policy-creation-focused; B's narrow SR policy mandate has no bearing on A's broader operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's supplier lessons-learned example touches supply-chain improvement identification but does not address employing acquisition strategies; B is too narrow to realize A's broad operational-improvement outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome requiring establishment/maintenance of contingency (and other) plans; B supplies one detailed implementation of the contingency-plan slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome for IR (and other) plans; B supplies one detailed implementation slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses IR/contingency/vuln plans while B defines a broad system security plan document; minimal topical overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only specific operational contingency/IR plans while B defines the single overarching program-plan artifact and governance elements; thus A satisfies none of B, and B supplies only a high-level vehicle that can reference but does not itself create or maintain the plans required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses establishment of IR/contingency/vulnerability plans while B addresses foundational mission/process definition incorporating security risk; the two intents overlap only indirectly."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires establishment/maintenance/improvement of IR and other cybersecurity plans (including testing/training elements), while B narrowly addresses only testing/training/monitoring plan processes and risk alignment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vulnerability/contingency plans touch remedial tracking but do not mandate a formal POA&M process; B's narrow tracking mechanism does not establish or maintain the plans required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies concrete contingency/vuln plans that form one slice of a risk strategy, while B supplies the overarching risk framework that can drive but does not enumerate those specific plans."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vulnerability-management-plan example overlaps only the threat/vuln identification slice of RA-3; RA-3 itself contains no requirement to establish, communicate or maintain IR/BC/DR plans."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires a vulnerability-management plan (one of several contingency plans) while B is a detailed operational scanning control; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires broad cybersecurity/contingency plans while B is a narrow supply-chain-specific plan; neither fully contains the other's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow vulnerability-ID outcome; B is a general control-assessment process that can include vuln-related checks as one slice but does not realize A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the narrow vuln-ID slice of B's broad continuous-monitoring program, while B's generic control assessments can support but do not guarantee A's specific asset-vulnerability outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Penetration testing is one narrow technique that contributes to vulnerability identification but A encompasses multiple other methods and does not require or imply pen testing."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses solely on vulnerability discovery while B's change-control process only incidentally surfaces vulnerabilities introduced by approved changes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vuln-ID outcome touches misconfig discovery but omits CM-6's establish/implement/monitor requirements; CM-6 addresses only the config-settings slice of A's broader vuln scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's vuln-ID outcome has no overlap with B's CM-plan requirements; B's config-item controls address only the misconfiguration slice of A's broader vuln scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the vulnerability-identification slice of B's broader risk-assessment process, while B's explicit requirement to identify vulnerabilities satisfies nearly all of A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a high-level outcome limited to identification/validation/recording while B adds scanning automation, remediation and sharing; B realizes scanning-based ID but omits A's architecture and code-review examples."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11.2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad vuln-ID outcome encompasses developer threat modeling/vuln analysis as one realization path, while B only addresses a development-phase slice of A's asset-wide scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome that can be met without B's developer-specific automated analysis+exploitation steps; B is one narrow automated slice that only partially advances A's general asset-vuln identification goal."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad operational outcome achieved via scanning/testing; B is a narrow SDLC reuse mandate that satisfies only one slice of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on static vuln discovery while B centers on dynamic attack/anomaly monitoring; each supplies only a narrow slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses solely on asset vulnerability discovery/validation; B's alert/advisory handling can feed vulnerability data but does not address identification or recording."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses threat-intel ingestion/review while B only touches the narrow configuration aspect of one example in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers only the inbound threat-intel slice of B's multi-purpose contact mandate, while B's institutionalized groups directly enable the intel-reception outcome in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the inbound receipt slice of B's broader program+sharing requirement; B's mandated cross-org capability directly enables and largely satisfies A's receipt/monitoring intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the threat-intel input slice of B's broader risk-identification process; performing B's full assessment normally encompasses receiving such intelligence."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies external vuln intel that can feed B's monitoring process but implements none of B's scanning, analysis or remediation requirements; B performs internal scanning and shares results but does not ingest threat-intel feeds or advisories."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the inbound threat-intel slice of B while B\u2019s receive mandate fully encompasses A\u2019s intent (plus extra generate/disseminate/implement steps)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches only the identification of internal actors (one example) while B requires a full cross-functional program/team; conversely B addresses only the internal slice of A's broader threat-identification outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on operational threat identification/hunting while B is a narrow external liaison activity that only partially supports one example in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-16",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome (threat ID/recording via CTI and hunting) encompasses most of the narrower PM-16 program intent, while the control only realizes the external intel-sharing slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Threat hunting is one listed implementation example for the broad ID.RA-03 outcome but not required, while RA-10 supplies only one narrow method toward that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the threat-identification slice of B's broader risk-assessment process, while B directly satisfies A's outcome via its required threat identification, documentation, and organizational integration steps."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3.3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad threat-identification outcome and ongoing-intel examples subsume B's dynamic-awareness slice, while B addresses only one narrow, external-facing aspect of A's wider scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's threat-identification outcomes overlap only with B's external-alert receipt and internal generation, while B supplies only a slice of external threat data and omits A's internal/threat-hunting scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad risk-impact outcome that subsumes change-specific analyses; B realizes only one narrow procedural slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow risk-identification recording; B is authorization/role integration into org RM program, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs targeted risk recording of impacts/likelihoods but never defines mission/business processes; B embeds risk consideration into process definition and thereby touches but does not fully realize the identification step in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ID.RA-04 is one narrow risk-assessment activity inside the much broader PM-9 strategy; the strategy in turn normally mandates that activity plus more."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses impact/likelihood identification across risk scenarios while B narrowly performs formal system-level impact categorization; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A captures only the identify/record likelihood+impact slice while B adds integration, review, dissemination, update, and PII steps; B's full procedure therefore realizes A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a risk-analysis outcome on impacts/likelihoods; B supplies vuln data that can feed it but neither fully contains the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad threat/vuln impact identification can incidentally touch privacy risks, while B's narrow PIA mandate addresses none of A's general likelihood/threat scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses impact/likelihood identification while B narrowly requires component criticality analysis; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk identification/recording while B is a narrow supply-chain-specific planning control whose execution only incidentally touches a slice of risk assessment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the risk prioritization inputs that feed POA&M content, but does not produce or maintain the documented remediation plan itself; B only tracks already-identified items and performs no threat/vulnerability/likelihood analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses risk assessment and prioritization; B only ensures testing/training/monitoring plans stay aligned with an existing risk strategy."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on internal risk analysis/prioritization while B is an external information-sharing mechanism that supplies only one input to risk activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-16",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-assessment outcome can be met without any cross-org sharing program, while B supplies only threat-intel input that partially supports one element of A's broader RA activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-28",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs risk assessment and prioritization while B establishes the framing context/tolerance that guides assessments; each addresses a distinct slice of the overall risk-management process."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a general risk-assessment outcome while B is a narrow supply-chain-specific strategy; the two share only a thin risk-assessment overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the risk prioritization input that B reviews for POA&M consistency, but B contains no risk identification or threat/vulnerability analysis activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad risk assessment using threats/impacts partially encompasses categorization as one input to inherent-risk understanding, while B's narrow categorization produces none of A's threat/likelihood/prioritization outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the high-level outcome of using threat/vuln/likelihood/impact data for inherent-risk understanding and response prioritization; B supplies the concrete assessment steps that realize most of that outcome while adding procedural requirements (document, review, disseminate, update) that A does not address."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the risk data and prioritization that informs response decisions, satisfying only the upstream slice of B's execution-focused intent; B performs downstream response actions and does not address assessment or inherent-risk analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad RA-05 risk understanding can inform supply-chain inputs but does not produce or protect the required SR-2 plan; the narrow plan satisfies none of the general risk-assessment outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad risk-response outcome that explicitly lists POA&M tracking as one realization; B is the narrow POA&M mechanism that satisfies only the planning/tracking slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of risk-response planning/tracking while B defines the broad program-plan document and governance structure, so each satisfies a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-14",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk-response selection/tracking with no mention of testing/training/monitoring plans; B only aligns one narrow class of activities to risk-response priorities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses general risk-response selection/tracking while B narrowly implements that only inside supply-chain strategy, so coverage is one-way and limited."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad risk-response outcome explicitly includes POA&M-style tracking/planning as an implementation example and therefore satisfies most of B's narrower process requirements, while B realizes only the tracking/planning slice of A's wider intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes narrow risk-response steps that form one slice of B's broad strategy mandate, while B's org-wide strategy encompasses and drives the outcomes in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF risk-response outcome whose vuln-mgmt examples subsume B's remediation and tracking steps, while B supplies only the narrow scanning/monitoring slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A defines the full risk-response lifecycle (choose/prioritize/plan/track/communicate) that subsumes B's narrower mandate to respond to assessment findings; B only realizes one slice of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only change/exception risk assessment and tracking; B's broad ongoing control monitoring and metrics can incidentally capture change-related activity but does not implement the formal change procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome covering risk-assessed change/exception management; B is one detailed config-control realization that satisfies only a slice of A while A encompasses B plus exceptions and tracking."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-assessment and change-procedure outcomes subsume B's narrow pre-implementation impact-analysis requirement while also addressing exceptions, tracking and rollback; B realizes only the analysis slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of risk documentation tied to changes/exceptions; B addresses the broader POA&M tracking process for all risks, so each satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only narrow change-exception procedures while B is the overarching RA policy; B's policy framework can partially enable but does not realize A's specific outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly scopes risk assessment to changes/exceptions and their change-control procedures, while B broadly mandates system-level risk assessment activities that only partially overlap the change-specific slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow vulnerability-disclosure process outcome unrelated to CA policy development; B's broad CA policy mandate can partially encompass procedures for disclosure handling under monitoring/assessment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of contractual vuln-info sharing while B provides general interconnection agreements that can support but do not establish vuln disclosure receipt/analysis/response processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses vuln-disclosure handling while B only broadly mandates roles/responsibilities within a program plan."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A establishes a narrow operational process for vuln disclosures while B only mandates generic RA policy/procedure scaffolding, satisfying none of B and only a slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow input (external vuln disclosures) to B's broader vulnerability-identification step, while B contains no requirement to establish disclosure intake/response processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only external disclosure intake processes while B focuses on internal scanning/monitoring plus analysis and sharing, yielding no coverage one way and partial overlap the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition product-integrity check while B is the full procedural machinery for control assessment planning/reporting; B can therefore touch supply-chain controls only incidentally."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-acquisition authenticity/integrity checks while B mandates developer-driven SDLC testing, assessments and flaw remediation; each satisfies only a narrow slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses buyer-side pre-acquisition authenticity checks while B mandates developer-side process/tool integrity controls; the two touch only tangentially on software integrity."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only pre-acquisition authenticity/integrity checks while B mandates developer-produced architecture/design artifacts; the two intents intersect only narrowly on security-function description."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow authenticity/integrity check that satisfies only the supply-chain slice of B's broad contract requirements; B's inclusion of supply-chain risk, assurance, and acceptance criteria satisfies most of A's assessment outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's pre-acquisition authenticity/integrity assessment can incorporate tampering inspection as one verification activity, while B's general post-deployment inspection does not address acquisition timing or broader authenticity."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition assessment activity while B requires broader policy, detection, prevention and reporting procedures that would normally encompass such assessments."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the authenticity/integrity assessment slice of supply-chain acquisition, while B's broader set of strategies, tools and methods directly enables that assessment plus additional mitigations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the authenticity/integrity slice of supplier risk assessment while B's broader supply-chain reviews encompass that slice plus additional risks."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow supplier-assessment activity whose implementation satisfies none of B's program-plan documentation and governance intent; B's broad plan can partially encompass risk-assessment activities including suppliers via roles and requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-30",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is one tactical activity (pre-acquisition assessments) inside the broader strategy lifecycle defined by B, while B's org-wide strategy necessarily encompasses and drives such assessments."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition supplier assessment activity while B is a broad POA&M process covering multiple risk programs; neither fully realizes the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow pre-acquisition supply-chain slice while B requires comprehensive system-level threat/vulnerability/impact analysis, documentation, review and update; each therefore satisfies only a limited portion of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes one narrow assessment action; B only creates the policy/procedure scaffolding that may reference but does not perform assessments."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is one narrow execution activity (pre-acquisition assessments) while B is the overarching documented plan covering the full lifecycle plus maintenance/protection, so each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies one narrow assessment activity that partially satisfies B's broader acquisition-strategy intent, while B's strategies encompass supplier assessments and therefore mostly realize A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-acquisition assessment outcome while B is the broader ongoing SCRM control, so A satisfies only a slice of B and B satisfies most of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational identity-management outcome while B is the meta-level AC policy control; each satisfies only a slice (or none) of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad identity/credential outcome that subsumes account-management practices; B is one narrow slice focused only on system accounts."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad identity/credential lifecycle management; B is one narrow authentication technique that touches only a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A covers credential lifecycle; B is a narrow policy trigger unrelated to that lifecycle scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of identity/credential management; B is one modern implementation mechanism that satisfies most of that outcome while A only partially addresses B's specific IdP/authz-server mandate."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses identity/credential lifecycle management (incl. users) so satisfies most of B's narrower ID+auth intent for org users; B only realizes one slice of A's wider scope covering services/hardware/keys."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity/credential outcome for hardware directly encompasses B's device ID+auth requirement (via Ex3 and credential examples), while B addresses only one narrow slice of A's users/services/hardware scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity/credential management outcome includes identifier assignment (Ex3) and therefore satisfies most of B's intent, while B addresses only the narrow identifier slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad credential/identity outcome encompasses authenticator management practices while B addresses only one technical slice of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's credential/key-management examples touch crypto-module handling but do not address module-authentication mechanisms; B is a narrow technical slice unrelated to A's broad identity scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity-management outcome encompasses non-org users while B addresses only that narrow slice and omits A's hardware/services/key elements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad identity/credential management for services (incl. certs, tokens, unique IDs) satisfies most of B's service auth intent, while B addresses only the narrow service slice of A's full scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad credential-management outcome explicitly includes key management as one implementation slice while B addresses only that narrow cryptographic-key requirement."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the enrollment-time identity-proofing slice of account creation while B addresses the full account lifecycle without specifying credential-proofing steps."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of proofing+credential binding; B supplies the detailed evidence/verification steps that realize most but not all of that outcome (binding is outside IA-12)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow proofing/binding step while B addresses the broader IdP/auth-server infrastructure for ongoing identity management; each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the identity-verification/binding slice of B; B's full authenticator-management scope satisfies the core proofing intent of A plus many additional requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's reauthentication example touches session lifetime but does not address automatic termination; B addresses only termination and has no bearing on authentication outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the authentication mechanisms while B addresses the full account lifecycle and approvals; each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses core authentication mechanisms but omits failure handling; B supplies only one narrow slice of the broad authentication outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad auth outcome plus explicit risk-based reauth example largely satisfies adaptive-auth intent, while B addresses only one narrow adaptive slice of A's full authentication scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-11",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad authentication outcome whose Ex3 explicitly calls for risk-based re-auth; B is the narrow 800-53 control that realizes only that single slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad authentication outcome for users/services/hardware subsumes B's narrower org-user focus (with process association implied), while B only realizes the user slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2.5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad authentication outcome that subsumes the narrow shared-account rule in B, while B addresses only one specialized slice of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires auth for users/services/hardware (examples user-centric) while B narrowly mandates unique device ID/auth pre-connection, so each satisfies only the hardware slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad authentication outcome plus examples that address strength/MFA/refresh; B enumerates detailed authenticator-lifecycle steps that realize only one slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires password policies among other auth methods while B supplies narrow password-specific rules; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome satisfied by any authenticator (examples list passwords/MFA); B is a narrow PKI-specific slice that fulfills only one authentication method."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad authentication outcome for all users/services/hardware; B is a narrow 800-53 control scoped only to non-organizational users, so A satisfies most of B while B satisfies only a slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad authentication outcome for users/services/hardware fully encompasses B's narrow service-identification requirement, while B addresses only one slice of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow technical outcome on assertion protection; B is only the high-level IA policy umbrella that enables but does not realize that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses protection/verification of assertions in SSO/federation contexts while B broadly requires employing IdPs and auth servers for identity/access management, yielding only partial overlap in each direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only protection/conveyance of assertions (a narrow slice of authenticator content handling) while B addresses full lifecycle management of authenticators without covering federated assertion standards or verification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's outcome explicitly requires access permissions to be defined in policy and managed/reviewed, satisfying most of B's policy/procedure intent while B only supplies the high-level documentation framework without the least-privilege or review outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's least-privilege/enforcement outcome can subsume concurrent-session limits as one possible mechanism (partial), while the single narrow technical control satisfies only a tiny slice of A's broad policy/review/SoD intent (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses attribute-based authorization only as one optional example within a broader access-policy/review/least-privilege outcome, while B supplies a narrow technical attribute-binding mechanism that can support but does not encompass A's full intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-17",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad access-management outcome subsumes remote-access authorization via attributes/least-privilege, while B addresses only one narrow slice of access controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad authorization/least-privilege outcomes that touch the auth step of wireless access but omit B's wireless-specific configuration and connection requirements; B addresses only one narrow access method and therefore satisfies none of A's general policy, review, and SoD intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-19",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad policy/least-privilege/authorization framework that largely encompasses mobile-device access rules, while B addresses only the narrow mobile-device slice of that framework."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome statement whose intent is largely realized by the detailed account-management steps in B, while B addresses only one slice of A's policy/least-privilege/SoD scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad enforcement + attribute-based authorization outcomes subsume most of B's runtime decision intent, while B addresses only one narrow slice of A's policy/review/least-privilege scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome that explicitly includes enforcement plus policy definition/review/least-privilege; B narrowly realizes only the enforcement slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly incorporates separation of duties within its broader access-management outcome, while B addresses only that single narrow aspect of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A explicitly mandates least privilege (plus reviews/SoD/attributes) so fully satisfies B; B addresses only the narrow least-privilege slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome covering policy, review, least-privilege and SoD; B is one narrow technical mechanism (IdPs/auth servers) that supports only the management/enforcement slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses physical access enforcement/monitoring while B narrowly targets component placement for damage/access reduction, yielding only partial overlap in each direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome of risk-based physical-access management (including monitoring/enforcement); B is one narrow procedural slice (authorization lists/credentials) that contributes to but does not realize the full outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-20",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad physical-access outcome that subsumes asset tracking/monitoring as one risk-based implementation method; B supplies only one narrow technical lever for the monitoring slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome A encompasses the specific PE-3 requirements (and more), while narrow control B realizes only one slice of A's risk-commensurate physical-access intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad physical-access outcome that subsumes transmission-media controls; B addresses only one narrow slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad physical-access outcome that can incidentally touch output-device controls, while B is a narrow slice that satisfies none of A's overall intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome covering management/monitoring/enforcement of physical access; B is a narrow monitoring+logging slice that satisfies only part of A while A satisfies most of B's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is a narrow slice (visitor logging/review/reporting) of A's broad physical-access monitoring outcome, so B covers only part of A while A encompasses B's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers operational training while B only mandates the policy/procedure framework that governs such training."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of delivering awareness training; B adds prescriptive details (frequency, updates, lessons-learned incorporation) that exceed A's scope while still satisfying A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only general awareness for all users while B requires tailored role-based training with update/incident-driven content; each satisfies a distinct slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's credential-hygiene training touches one narrow slice of B while B supplies none of A's awareness outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A delivers role-specific training outcomes while B only establishes the overarching AT policy/procedure framework, so A satisfies none of B and B satisfies only a slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the specialized-role slice of general user literacy training while B supplies broad literacy requirements without A's role-identification or assessment focus."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of role-based training for specialized roles; B supplies one detailed implementation slice (timing, updates, lessons learned) that partially realizes A while A encompasses B plus identification and assessment steps."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "at-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires delivery of role-based training but is silent on records; B only mandates documentation and therefore satisfies only a supporting slice of A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad specialized-role cyber training while B narrowly mandates contingency-specific timing, updates and scope, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-19.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's outcome and Ex2 directly encompass B's device/container encryption intent while B addresses only one narrow slice of A's broader data-at-rest scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A covers only the protect-CIA-of-backups slice of B while B addresses only the availability-via-backups slice of A's broad data-at-rest outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's crypto-focused data-at-rest protections do not address B's physical media handling requirements; B supplies only one narrow physical slice of A's broad outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's encryption/integrity controls for data-at-rest can partially satisfy confidentiality during media transport, but B's procedural transport/accountability requirements address none of A's broader at-rest protection scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies broad crypto protections for data-at-rest but contains no media-downgrading process; B is a narrow procedural control that only touches the confidentiality slice of A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of protecting data-at-rest via encryption and therefore implies proper key management as a necessary supporting activity, while B addresses only the narrow key-management slice and does not itself deliver data protection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A applies crypto narrowly to data-at-rest while B requires crypto for all specified uses; conversely B supplies the mechanism but does not mandate its application to data-at-rest CIA outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-28",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad CIA outcome fully encompasses B's narrower confidentiality/integrity-at-rest intent while B realizes only the confidentiality/integrity slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses cryptographic protection of data-at-rest; B addresses anti-malware scanning and eradication, satisfying only a narrow slice of A's integrity/availability intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-at-rest integrity outcome (via hashes/signatures) satisfies most of B's verification intent while B only realizes one narrow integrity slice of A's CIA scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ca-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only technical data-in-transit protections while B is a procedural agreement-and-review control; B's documentation of security requirements can capture a slice of A's outcome but does not implement it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad outcome on data-in-transit protection while B is a narrow mechanism limited to an isolated path for authentication; each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad outcome requiring cryptography for transit protection (and hence key management); B is one narrow supporting control that only partially enables the outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses crypto only for data-in-transit (plus non-crypto measures), while B requires crypto for all specified uses; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-16",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's encryption/signature examples protect transit CIA without requiring attribute binding, while B's narrow attribute mechanism only partially supports A's broader transit-protection outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-40",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-in-transit crypto controls partially address wireless confidentiality but omit signal-parameter attacks; B's narrow wireless scope satisfies none of A's general transit protection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-43",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's blocking example overlaps one narrow slice of usage restriction; B supplies no data-in-transit protection mechanisms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses data-in-transit protection via encryption/DLP while B addresses interface monitoring and segmentation; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies encryption/CI mechanisms that address one slice of B's interface+policy requirements while B's boundary controls realize only a subset of A's broader data-in-transit CI/A outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-8",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's transit encryption and DLP examples fully realize SC-8's confidentiality/integrity intent while B omits A's availability requirement and ancillary controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements crypto/DLP for transit C/I/A; B's malware scanning at entry/exit points only partially supports integrity/availability without addressing encryption or data classification controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only crypto-based transit protections while B addresses integrity verification tooling for software/firmware/information; the scopes intersect on integrity but neither fully realizes the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-in-use protection overlaps one access-control slice (preventing unauthorized process/user access) while B's general enforcement supports data-in-use confidentiality but omits removal/sanitization."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF outcome whose realization typically requires flow-enforcement mechanisms plus additional data-in-use protections; B supplies only one technical lever for a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies generic data-in-use protections that can incidentally apply to audit records while in memory/CPU, but supplies none of B's audit-specific scope or alerting requirement; B addresses only a narrow slice of one data type and therefore covers none of A's broader data-in-use outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow runtime data-protection outcome; B is a broad development-process control whose principles may indirectly support data-in-use protection but do not realize it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A protects general data-in-use confidentiality but does not address or imply an isolated trusted communications path; B supplies one narrow mechanism that can protect a slice of authentication data-in-use."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's data-in-use outcome is achieved via minimization and isolation (no crypto requirement), while B supplies only one technical method that partially addresses A's CIA goal."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-32",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "PR.DS-10 outcome can be met via non-partitioning techniques (e.g., in-use encryption, access controls); SC-32 partitioning supplies one isolation mechanism that partially addresses data-in-use confidentiality from other processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-39",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-in-use protection outcome directly encompasses process isolation as one core mechanism (Ex2), while B supplies only one narrow technical slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "B is one narrow technical mechanism (shared-resource isolation) that directly supports only the 'protect data-in-use from other processes' slice of the broader CIA outcome in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-43",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses technical data-in-use protections while B addresses component usage policy/monitoring; the two intents intersect only indirectly."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Input validation is one narrow integrity technique unrelated to the data-in-use access, residency, and memory-protection intent of PR.DS-10."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad data-in-use outcome overlaps B's memory code-execution controls only on integrity aspects while B addresses only one narrow slice of A's CIA scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses data-in-use minimization/isolation while B narrowly implements anti-malware scanning; each satisfies only a tangential slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A targets runtime data-in-use CIA via minimization/access controls; B's static integrity-verification mechanism addresses only a narrow slice of information integrity and does not realize A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the backup/recovery slice of B's broad contingency-plan requirements while B's listed elements contain no backup creation, protection or testing provisions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's outcome+Ex3 directly encompasses offsite/equivalent backup storage, satisfying most of B's intent; B realizes only the protection slice of A's broader create/protect/maintain/test outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only data backup creation/testing/offsite storage while B requires a full alternate processing facility with equivalent controls; B therefore touches offsite data protection only incidentally."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome fully encompasses B's create+protect requirements (plus testing/maintenance); B addresses only a subset of A's intent and omits testing."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-9.3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is the broad CSF outcome whose Ex3 directly addresses separate/offsite storage while also requiring creation/testing; B is one narrow storage slice."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses secure offline storage only for backup media while B addresses physical control/sanitization for all system media; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-17",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust outcomes directly enforce remote-access restrictions and least-privilege authorization (covering B's core intent), while B addresses only the remote-access slice of A's broader network-protection outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad network-protection outcome and zero-trust examples encompass wireless as one access vector (partial coverage of B); B addresses only the wireless slice of A's general network-access intent (partial coverage of A)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses network segmentation/zero-trust; B only supplies account lifecycle steps that partially support the broader unauthorized-access outcome but ignore all network controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-20",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's external-network segmentation example addresses one slice of external-system access control, while B's narrow policy scope satisfies none of A's broad network-protection outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only network segmentation/zero-trust slices of logical access enforcement while B supplies generic policy enforcement that partially realizes but does not mandate A's architectural outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust examples directly realize the bulk of AC-4's flow-enforcement intent while B supplies only one technical mechanism toward A's broader network-protection outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements least-privilege only for network/zero-trust access while B is a general access-control principle; each therefore satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's zero-trust/segmentation outcomes can partially enable isolated authentication paths, while B's narrow user-to-system trusted channel supplies none of A's network protection scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust controls can limit DoS blast radius but do not address SC-5's core availability objective; SC-5 supplies no coverage of A's unauthorized-access intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's segmentation/zero-trust examples directly realize most of B's boundary-control intent while B addresses only the external/key-interface slice of A's broader network-protection outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is preventive environmental hardening; B is a general contingency-planning document whose scope only incidentally references disruptions that could be environmental."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad environmental-threat outcome partially encompasses emergency power shutoff for fire/flood scenarios, while B's narrow shutoff control addresses only one slice of asset protection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad environmental-threat outcome partially encompasses power-loss protection, while B's narrow UPS requirement addresses only one slice, which is unrelated to A's listed threats."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-13",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires protection from multiple environmental threats including fire, satisfying most of B's intent; B addresses only the fire slice of A's wider scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-14",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad environmental-threat outcome includes heat/humidity protection (hence mostly covers the narrower PE-14 intent) while B addresses only one slice of the threats listed in A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses flooding/water threats without mandating valves; B supplies one narrow technical slice of A's multi-threat scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies the broad environmental-protection outcome while B is a narrow positioning control that also adds an unrelated access-minimization objective absent from A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-23",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad outcome A (protect assets from env threats) subsumes facility-location planning as one key lever, while narrow control B realizes only a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pe-9",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly mandates environmental protection for all technology assets/equipment (including power infrastructure), while B addresses only one narrow slice of physical protection for power cabling."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements technical resilience mechanisms that partially address one element of B (maintaining functions during disruption), while B is a documentation/planning control that does not realize any of A's implementation requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies concrete resiliency mechanisms that address only a slice of B's broader design-definition-process mandate, while B's required implementation of resiliency techniques and approaches satisfies most of A's outcome intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A implements one resilience-focused engineering principle while B broadly mandates applying many such principles during design; thus A satisfies only a slice of B but B encompasses A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-24",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad resilience outcome (A) encompasses controlled failure behavior as one key mechanism, while the narrow fail-state control (B) realizes only one slice of redundancy/HA requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-36",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states a broad resilience outcome whose examples encompass distribution; B is one narrow technical lever that only partially realizes that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-39",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A targets broad redundancy/HA outcomes unrelated to execution-domain separation, while B's narrow isolation mechanism only incidentally aids one slice of fault containment within resilience."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad resilience via redundancy/HA while B narrowly targets resource allocation (priority/quota); each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses redundancy/HA mechanisms that partially realize B's substitution intent but omits MTTF analysis; B's narrow failure-prediction focus realizes only one slice of A's broader resilience outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses ongoing capacity monitoring/scaling on primary resources; B supplies a discrete redundancy mechanism that partially supports availability but omits all monitoring/forecasting intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only runtime monitoring/forecasting for availability; B addresses upstream budget allocation and documentation, satisfying part of the capacity intent but not the operational controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-43",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's resource-usage monitoring overlaps only the monitor/control slice of B's restrictions intent, while B's authorization/restriction focus supplies none of A's capacity-forecasting or availability-scaling outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad capacity monitoring/scaling outcomes while B specifies a narrow allocation mechanism; each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses config baselines and least functionality; B is a distinct AC control on user/process authorizations with only indirect overlap via hardening."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses operational baseline/practice outcomes while B only mandates high-level documented policy and roles, satisfying a prerequisite slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-11",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad baseline/monitoring practices largely encompass user-software controls while B addresses only one narrow slice of configuration management."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's baseline-establishment and review examples satisfy most of B's intent while B addresses only the narrow baseline slice of A's broader CM practices."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome encompasses change-control as a core CM practice while the narrow 800-53 control realizes only one slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses baseline enforcement and deviation monitoring but omits explicit pre-change impact analysis; B supplies only that narrow analysis step inside the wider CM outcome of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad config-management outcomes (baselines, least functionality) touch change processes but omit explicit access-restriction requirements, while B supplies only the narrow access-control slice of those outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome whose realization requires the specific practices in B plus related controls (e.g., CM-2/7); B therefore satisfies only one slice of A while A fully encompasses B's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's explicit least-functionality baseline requirement fully realizes B while B addresses only one slice of A's broader configuration-management outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses operational baseline/monitoring practices while B narrowly requires a documented CM plan with roles/approvals; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad baseline/defaults/monitoring practices encompass most authenticator-management activities while B addresses only one narrow slice of configuration management."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only baseline-deviation monitoring (one slice of B) while B supplies only event monitoring (one slice of A's CM practices)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses broad risk-based maintenance/patching/replacement while B narrowly governs only user-initiated installs, so A supplies none of B's policy/enforcement intent and B supplies only one slice of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ma-3.6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly requires software patching/maintenance; B narrowly addresses inspection of maintenance tools only, so A satisfies a slice of B while B satisfies none of A's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-based maintenance/patching outcome directly satisfies the core update-installation intent of B but omits B's explicit flaw identification, testing, and CM steps; B's narrower flaw focus only partially realizes A's broader replacement/removal scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad hardware disposal outcome touches media sanitization only as one narrow slice, while B addresses none of A's maintenance/replacement/end-of-life scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-39.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's risk-based hardware replacement can indirectly ensure support for isolation capabilities, but B's narrow technical mechanism addresses none of A's lifecycle/maintenance scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-49",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad hardware-lifecycle outcome can indirectly require capabilities such as separation mechanisms, while B addresses only one narrow technical mechanism and none of A's maintenance/replacement/disposal intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies logs usable for B's single 'monitor accounts' clause but satisfies none of B's account-lifecycle intent; B contains no logging requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome (generate + make logs available for monitoring) subsumes AU-12's generation mechanics while also requiring additional sharing/monitoring elements that B omits."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the outcome of log generation/sharing/monitoring but omits B's required steps for event-type selection, rationale, and periodic review; B only implements the narrow selection slice of A's broader logging outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A requires log generation and availability but does not specify required record fields; B mandates exact content fields but does not address generation or sharing."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex1 directly implements B's exact intent while A also contains additional outcomes (install verification, DNS blocking) that B does not address."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7.4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's Ex1 directly implements B's deny-by-exception prohibition but omits B's explicit review/update requirement; B realizes only one narrow slice of A's broader outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7.5",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad prevention outcome whose primary implementation lever is exactly B's allow-by-exception policy, while B omits A's additional integrity verification and DNS controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-20",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A touches DNS blocking of malicious domains via one narrow example, while B addresses only the integrity and origin authentication of authoritative DNS data (DNSSEC) and so satisfies none of A's software-execution intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-34",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses allow-listing and integrity checks while B enforces a narrow hardware read-only mechanism that only partially supports the broader unauthorized-software outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad prevention outcome whose Ex2 directly realizes B's integrity-verification core while B supplies only one technical lever toward A's full allow-list/execution-control intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad SDLC outcome encompasses developer CM intent (tamper protection, flaw tracking) while B addresses only one narrow slice of secure-development practices."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad SDLC outcome whose realization includes developer testing/eval and flaw remediation; B supplies only one concrete implementation slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad SDLC outcome while B supplies one detailed process-level implementation lever inside it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A broadly addresses the full SDLC while B narrowly requires only developer-produced security architecture/design artifacts, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses secure-SDLC outcomes that indirectly support resiliency goals while B mandates explicit resiliency constructs that only incidentally touch SDLC security practices."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the secure-practices slice of SDLC while B supplies the broader SDLC scaffolding (roles, risk integration) that largely realizes A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses secure SDLC practices/outcomes while B requires application of specific engineering principles (incl. privacy) across the system lifecycle; each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-38",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad secure-SDLC outcome encompasses operations-security (OPSEC) controls for information protection (mostly), while B's narrow OPSEC control realizes only one slice of A's practices and monitoring intent (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.CO-03 is a narrow recovery-communication outcome while CP-1 only mandates existence of a high-level CP policy/procedure document that may reference but does not realize the specific stakeholder-update intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the sharing/recovery-status slice of the broad CP-2 requirements, while B's explicit mandate to address contingency-information sharing and distribution satisfies most of A's communication intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational recovery-comms activity while B only mandates existence of high-level IR policy/procedures, so each satisfies only a sliver of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only recovery-phase stakeholder comms; B broadly mandates the full incident-handling lifecycle (prep through recovery) but does not explicitly require those comms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A and B share a narrow information-sharing theme (esp. Ex3) but target distinct phases (recovery progress vs. initial incident reporting), satisfying only slices of each other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow recovery-comms outcome while B's IR-plan requirement only touches incident-information sharing as one of many elements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses supplier information-sharing during recovery (via Ex3) but assumes rather than establishes agreements, while B narrowly requires only the creation of supply-chain notification agreements and does not address recovery communications."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow public-communications outcome unrelated to policy authorship; B's CP policy/procedure mandate can encompass recovery-communication rules but does not require the specific public-update elements of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow public-recovery messaging only; B's contingency-plan scope includes sharing/coordination elements that touch but do not fully realize that messaging intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.CO-04 is a narrow recovery-communications outcome that satisfies none of IR-1's policy/procedure framework intent; IR-1's high-level IR policy can partially encompass procedures for approved recovery messaging but does not mandate the specific public-update outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only one narrow post-incident public-messaging outcome while B is a broad plan-development control whose 'sharing of incident information' clause touches but does not fully realize that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational execution outcome while B is only the high-level CP policy document; policy partially enables but does not realize recovery execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad outcome of executing the recovery portion of the IR plan (including awareness); B supplies one concrete technical mechanism that realizes a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-incident execution of IR recovery steps while B is a broad planning/control-development requirement whose coordination clause touches but does not realize execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's awareness step overlaps one narrow slice of contingency training; B's training mandate does not address recovery-plan execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-01 is a broad procedural recovery-execution outcome; CP-7 supplies only one narrow contingency mechanism that can support but does not realize that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses recovery execution plus plan awareness; B supplies only role-based IR training that touches awareness but omits recovery execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the recovery-execution slice of B's full incident-handling lifecycle (prep/detect/contain/eradicate/recover plus lessons-learned), while B's explicit inclusion of recovery plus coordination satisfies nearly all of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-initiation recovery execution while B defines the comprehensive IR plan itself; B therefore supplies the necessary recovery procedures but does not itself ensure their execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's broad outcome of selecting and performing recovery actions encompasses B's reconstitution requirement but adds prioritization and scoping; B only realizes the narrow system-recovery slice of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-02 addresses post-incident recovery execution while CP-2 defines the upstream planning artifact; the plan supplies recovery priorities but does not realize action selection/performance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses execution of recovery actions while B addresses pre-/post-test validation of plans; the intents overlap only indirectly via plan usage."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-02 is a broad outcome on selecting/performing recovery actions; CP-7 supplies one narrow technical implementation (alt-site) that partially satisfies it but is not required by it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow recovery-action slice of the broad IR lifecycle in B, while B's recovery + plan-consistency requirements largely realize A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes recovery actions using an existing plan as input; B only supplies the plan's structure and criteria without addressing action selection or performance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow technical recovery step while B is a meta-level policy document requirement; implementing the check satisfies none of the policy mandate, and the policy only generically touches recovery procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow slice (backup integrity check) of B's broader recovery-to-known-state intent, while B's reconstitution process largely encompasses the need for verified restoration assets."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow procedural check on backup integrity; B is a broad contingency-plan requirement whose restoration clause only incidentally touches that check."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-use integrity check while B is broad plan-level testing that may incidentally exercise restoration steps but does not mandate integrity verification."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow pre-restore integrity check; B requires backup creation plus CIA protection of backups (covering integrity but not the specific verification step)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A specifies operational restoration-validation steps; B only mandates existence of high-level contingency policy documents that may reference but do not realize those steps."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident restoration outcome that only touches B's restoration-priorities clause; B's broad contingency-plan requirements directly enable A's mission-function and restoration-norm intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2.5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's restoration-order validation using mission impact partially overlaps B's continuity goal, while B's pre-incident planning does not address A's post-restoration verification or operational-norm outcomes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-incident restoration validation and monitoring but never mentions alternate sites, while B supplies one narrow continuity-planning lever that only partially supports A's broader recovery-norm outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on post-incident validation/monitoring of restoration order and norms; B supplies an alternate site capability that supports resumption of mission functions but does not address those validation or norm-establishment activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident recovery outcome with no policy element; B's IR policy can reference recovery but does not address mission-function prioritization or restoration validation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident recovery outcome while B spans the full incident lifecycle plus contingency coordination, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-incident restoration/validation slice of an IR plan while B's plan encompasses recovery procedures yet omits explicit mission-function restoration norms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A uses pre-existing mission/business impact records only as inputs for recovery ordering and does not address their definition or maintenance, while B produces those foundational records but does not cover incident-driven restoration or post-incident norms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pm-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-04 narrowly addresses post-incident restoration sequencing using existing risk data, while PM-9 supplies the upstream enterprise risk strategy that partially informs but does not realize recovery procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies post-restoration integrity and indicator-of-compromise (IoC) checks that partially realize B's 'known state' goal, while B supplies the recovery mechanism that partially realizes A's restoration outcome but omits its security-verification specifics."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RC.RP-05 is a narrow post-restoration verification step; CP-2 is a broad planning control whose restoration clauses touch but do not mandate the specific integrity/IoC/root-cause checks."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs post-incident restoration verification while B tests contingency plans proactively; the activities share only a loose recovery-procedure overlap."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only one narrow slice of recovery verification while B's broad incident-handling capability encompasses recovery (and thus that slice) plus all other phases."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident operational step with no policy/procedure content; B's contingency-planning policy framework can encompass recovery-termination and documentation procedures but does not itself perform them."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the lessons-learned / documentation slice of B while B addresses coordination and lessons-learned elements of A but omits recovery-declaration criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-recovery outcome while B is a broad policy-framework control; the specific outcome satisfies none of the policy mandate, but the policy mandate partially enables the outcome via required procedures."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow post-recovery declaration + documentation/lessons slice of B's broad incident-handling lifecycle."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-recovery procedural outcome; B's IR plan can define incident end-criteria and documentation but does not address recovery declaration."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-10 supplies one evidentiary input useful for event sequencing but does not address root-cause or threat analysis; RS.AN-03 performs post-facto analysis and does not implement non-repudiation mechanisms."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-12 supplies raw event data that supports but does not perform the incident sequencing/root-cause analysis required by RS.AN-03."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RS.AN-03 requires performing post-incident analysis/root-cause work while AU-2 only defines which events are logged; each supplies a distinct prerequisite or output the other does not address."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-3 supplies raw event data required by RS.AN-03 analysis but does not perform incident sequencing, threat attribution or root-cause determination; RS.AN-03 does not define audit-record content."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad post-incident root-cause outcome that may draw on audit records; B is a narrow, ongoing audit-record control that supports but does not realize full incident sequencing or systemic root-cause analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a broad procedural outcome for root-cause analysis; B supplies only a narrow audit-log reduction tool that can feed part of that analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's narrow post-incident root-cause analysis satisfies none of B's broad contingency-planning requirements, while B's coordination-with-incident-handling and lessons-learned clauses only partially touch A's analysis intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow analysis/root-cause slice of the broad incident-handling lifecycle in B, while B's required detection-and-analysis activities encompass most of A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A executes post-incident analysis while B only defines a high-level IR program plan that does not enumerate analysis activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only post-incident root-cause analysis while B enumerates concrete spill-response actions; B therefore satisfies only the identification/analysis slice of A and only for the narrow spill scenario."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A covers only the root-cause identification slice of B while omitting action development/monitoring; B covers only the root-cause slice of A while omitting incident-specific sequencing, asset, and threat-actor analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow incident-specific logging integrity outcome while B only establishes generic AU policy governance that may reference but does not realize the investigation-recording intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A ensures integrity/provenance of incident records (partially satisfying B's investigative-support goal) while B addresses only retention duration and does not address recording or immutability requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrowly scoped to IR action recording+integrity while B is a general system audit-generation capability; thus A satisfies none of B and B only partially enables A's outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses immutable capture and provenance of IR actions only; B addresses review/analysis of audit records and therefore touches only a tangential slice of A's preservation outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies immutable IR records/provenance that satisfy only B's non-alteration clause; B supplies general audit reduction/reporting that satisfies only A's integrity requirement for investigations."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses integrity/provenance of incident-response logs but never mentions timestamps; B supplies only one narrow mechanism that can aid provenance."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow evidentiary outcome that satisfies none of the policy-authoring mandate in B; B's high-level policy requirement can encompass A but does not mandate its specific recording and integrity controls."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow forensic-integrity slice inside B's broad incident-handling scope; B implies documentation via analysis/lessons-learned but omits A's immutable/provenance requirements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow forensic-integrity procedure that satisfies none of the broad IR-plan requirements in B; B's plan can embed investigation-recording rules but does not mandate them, yielding only partial coverage of A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on forensic collection/chain-of-custody for incidents while B provides irrefutable proof of actions; each satisfies only the overlapping evidence-integrity slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A targets incident-specific collection+preservation while B defines general audit-record fields; each satisfies only a slice of the other's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-incident evidence preservation/chain-of-custody while B addresses ongoing audit-record review, analysis and reporting; the two intents overlap on audit data handling but neither fully realizes the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on evidence collection/preservation/chain-of-custody; B addresses only non-tampering of audit records plus reduction/reporting, satisfying a narrow slice of A's integrity intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AU-8 supplies one narrow provenance mechanism (timestamps) that partially supports RS.AN-07's broader evidence-integrity intent, while the CSF outcome does not mandate the specific audit-record clock requirements of AU-8."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow evidence-handling activity while B only establishes generic IR policy scaffolding that may reference but does not realize that activity."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow evidence-preservation slice of incident handling, while B's broad phases (esp. detection/analysis) encompass that slice plus much more."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's IoC/persistence search can incidentally surface disclosure evidence but does not address ongoing monitoring or notification; B's disclosure monitoring does not address incident magnitude estimation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs post-incident analysis using existing evidence; B only defines the logging sources that may feed such analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow post-incident magnitude check via IoC searches; B is ongoing general audit-record review, so each satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's incident-magnitude outcome and IoC search examples do not implement any audit-reduction capability; B's audit reporting supports incident investigations but only narrowly addresses one input to magnitude estimation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow magnitude-estimation slice of analysis while B's full incident-handling lifecycle encompasses that analysis plus preparation/containment/recovery/lessons-learned."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ra-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow post-incident magnitude validation via IoCs; B's risk-assessment process touches magnitude/impact language but does not address incident-specific analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-incident stakeholder notification while B is a broad contingency-planning control whose coordination and information-sharing elements touch but do not realize that notification intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome; B is the high-level policy framework that may reference notification procedures but does not realize the outcome itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow external-notification outcome while B is the broad multi-phase handling process whose description contains no stakeholder-notification elements."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the stakeholder-notification slice of incident reporting while B adds mandatory internal personnel reporting to the IR capability; each therefore satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the sharing/notification slice explicitly called out in B; B's plan addresses sharing but does not itself execute the stakeholder notifications required by A."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the notification outcome for any incident while B requires specific PII-breach planning elements (notice determination + harm assessment); each therefore satisfies only a slice of the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses the broad notification outcome (including business partners) while B narrowly requires only supply-chain agreement establishment."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses external/incident-driven information sharing; B's audit review+reporting only touches internal reporting and does not realize A's coordination intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow sharing/coordination slice also listed inside CP-2; B's contingency-plan scope includes that slice plus many unrelated planning elements, so each satisfies only part of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational sharing outcome while B only mandates existence of high-level IR policy/procedures that may reference coordination but does not require the specific sharing actions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the information-sharing slice of incident response while B's broad handling capability (plan-consistent execution, coordination, lessons-learned) necessarily encompasses that sharing."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad coordination outcome of sharing response information with stakeholders; B is one narrow incident-reporting mechanism that realizes only a slice of that outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A focuses on designated stakeholder information sharing; B provides internal user assistance for incident handling/reporting with only tangential overlap on internal reporting."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A satisfies only the single 'sharing of incident information' clause inside the multi-element IR-8 plan; B's explicit requirement to address sharing satisfies most of the RS.CO-03 outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.CO-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A references information-sharing agreements and external stakeholders (partially touching B's agreements) while B is narrowly scoped to supply-chain notifications and therefore satisfies none of A's broader coordination intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses IR-plan execution/coordination after declaration; B supplies only the narrow logging capability that can aid post-incident investigation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-declaration IR execution with third parties while B is a broad contingency-plan development control whose single coordination clause touches but does not realize A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses operational execution/coordination once an incident occurs; B only establishes the high-level policy/procedure framework that may reference coordination but does not realize execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow third-party coordination slice of plan execution while B broadly implements the full handling lifecycle consistent with the plan (minus explicit third-party emphasis)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad CSF outcome of executing the IR plan with third parties subsumes most of IR-6's reporting requirements, while the narrow control only realizes one slice of the CSF coordination intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-7",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's implementation example Ex2 directly realizes B's support-resource intent while A's broader third-party coordination outcome requires additional actions beyond B."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only post-declaration execution/coordination while B defines the plan artifact itself; B therefore supplies one prerequisite element of A but nothing of the execution outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies a broad IR execution outcome (incl. third-party coordination) that only incidentally touches spill handling, while B is a narrow procedural control for one incident subtype with no third-party element."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses execution-time coordination with any third parties; B addresses pre-established supply-chain notification agreements\u2014each satisfies only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a procedural triage/validation outcome; B supplies a supporting technical audit capability that aids investigations but does not address triage criteria or validation steps."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is narrow IR triage; B is a broad contingency-plan control whose only link is a coordination clause, satisfying only a slice of A's validation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational triage step; B only creates the high-level policy/procedure framework that may reference triage but does not realize it."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow triage/validation slice inside B's broad detection-and-analysis mandate, so A satisfies only part of B while B fully realizes A's stated intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A performs only initial triage/validation while B performs ongoing tracking/documentation; each satisfies a slice of the other's intent but neither fully contains the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow procedural triage step while B is a broad governance document; the plan partially enables triage via its reportable-incident and capability-roadmap clauses, but the triage step does not realize the plan itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses post-incident triage/prioritization while B only defines logging sources that may feed later analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a procedural IR outcome; B supplies a narrow audit-tooling capability that can only partially support incident analysis."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow runtime incident-handling outcome; B is a broad contingency-planning control whose coordination clause only touches incident handling at the margin."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is an operational outcome with no policy artifact; B's generic IR policy can reference categorization but does not realize the outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the categorize/prioritize slice of B's detection-and-analysis phase while B's full handling capability (prep, containment, eradication, lessons-learned, consistency) realizes A's outcome plus far more."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's review/categorization steps entail limited incident tracking, satisfying only a slice of B's monitoring intent, while B's tracking alone provides no categorization or prioritization."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome on incident categorization/prioritization while B is a broad planning document whose scope only touches categorization via 'defines reportable incidents'."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only incident tracking/escalation while B's contingency-plan scope is far broader; B's single coordination-with-incident-handling clause gives partial coverage of A's escalation intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome while B only mandates the existence of high-level IR policy/procedures that may reference escalation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the escalation/tracking slice of incident response while B's full lifecycle handling encompasses escalation plus additional required activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4.8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A's external-stakeholder coordination example touches B's intent but omits correlation/sharing for cross-org awareness; B addresses only that narrow external slice of A's broader escalation/tracking scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A includes incident-status tracking (satisfies part of B) while B's tracking supports escalation decisions (satisfies part of A) but neither fully addresses the other's core intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-6",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A states the broad escalation outcome whose realization subsumes the narrower reporting steps in B, while B only partially addresses escalation coordination."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses escalation tracking/coordination while B supplies a user-facing advice resource; the two intents intersect only loosely on incident handling."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-04",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational escalation activity that satisfies none of the plan-document requirements in B; B's IR plan scope includes sharing/reporting elements that partially address escalation coordination but omits status tracking and execution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow activation-criteria step while B's full contingency-plan requirements encompass invocation criteria plus coordination, objectives, roles, restoration and updates."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cp-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A narrowly addresses recovery-initiation criteria; B tests contingency-plan effectiveness with no direct realization of those criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational recovery criterion; B is a broad policy/procedure foundation that only indirectly enables such criteria."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow slice of recovery-initiation criteria while B's broad incident-handling mandate encompasses recovery (and thus those criteria) plus many additional phases."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-05",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the narrow recovery-initiation criteria while B enumerates a broad IR plan; each therefore realizes only a slice of the other's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the containment slice of B's full incident-handling lifecycle, while B explicitly includes containment and thereby satisfies A's intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A is a narrow operational outcome (containment) that satisfies none of the plan-documentation requirements in B; B's IR plan defines response structure/approach that includes containment procedures, satisfying only a slice of A's outcome intent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-01",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the containment/isolation slice of B's multi-step spillage procedure while B realizes that slice for only one incident type."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A addresses only the eradication phase while B mandates the full incident-handling lifecycle (prep/detection/containment/eradication/recovery plus coordination and lessons-learned), so B fully realizes A but A realizes only one slice of B."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "RS.MI-02 executes one narrow eradication outcome; IR-8 only produces a governance document that may reference but does not realize eradication actions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-02",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "A supplies only the eradication step while B adds distinct spill-specific steps (alerting, isolation, assignment); B realizes eradication for one incident type but leaves the broader RS.MI-02 outcome incomplete."
    }
  ]
}