{
  "meta": {
    "slug": "cwe-nist-csf-2.0",
    "frameworks": [
      "CWE",
      "NIST_CSF_2.0"
    ],
    "labels": [
      "CWE",
      "NIST CSF 2.0"
    ],
    "authoritative": null,
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "CWE",
      "b": "NIST_CSF_2.0"
    },
    "counts": {
      "pairs": 145,
      "rows": 290,
      "present_a_to_b": 91,
      "present_b_to_a": 129
    },
    "reliability": {
      "reverse_presence_pct": 96.7,
      "extent_rank_correlation": 0.711,
      "completeness_a_to_b_pct": 29.7,
      "completeness_b_to_a_pct": 46.5,
      "none_rate_a_to_b_pct": 37.2,
      "none_rate_b_to_a_pct": 11.0,
      "counterpart_coverage_a": {
        "mapped": 44,
        "universe": null,
        "pct": null
      },
      "counterpart_coverage_b": {
        "mapped": 57,
        "universe": 106,
        "pct": 53.8
      }
    },
    "abstraction": {
      "breadth_a_to_b": 3.5,
      "breadth_b_to_a": 2.3,
      "depth_a_to_b": 1.31,
      "depth_b_to_a": 1.47,
      "verdict": "CWE sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": {
        "signal": "cwe_abstraction",
        "distribution": {
          "Variant": 3,
          "Base": 28,
          "Class": 12,
          "Pillar": 1
        }
      },
      "intrinsic_b": {
        "signal": "csf_function",
        "subcats_per_function": {
          "GV": 10,
          "PR": 17,
          "RS": 6,
          "ID": 11,
          "DE": 11,
          "RC": 2
        }
      }
    },
    "diff": null,
    "ppt": null
  },
  "diff": null,
  "edges": [
    {
      "source_framework": "CWE",
      "source_id": "CWE-1004",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Role-based training can reduce the chance that developers omit the HttpOnly flag but supplies no enforcement or detection, leaving essentially all of the implementation flaw's risk intact."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1004",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Broad SDLC practices catch cookie-handling defects via standards/testing (mostly forward) yet remain too general to guarantee this narrow flag setting is always enforced (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1051",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-01's code/architecture reviews can surface hard-coded network data after the fact (partial forward) but do nothing to stop developers from embedding it during initial design or coding (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1059",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Life-cycle management can indirectly encourage documentation as part of cybersecurity integration, but addresses only one narrow facet of the broad documentation weakness and removes essentially none of its total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1104",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04's high-level risk-response criteria can indirectly discourage unmaintained third-party use via policy, but alone removes none of the concrete supply-chain or maintenance decisions that produce CWE-1104."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1177",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04 can set high-level risk policies that include prohibiting certain third-party components, thereby partially blocking introduction of CWE-1177, yet the weakness's concrete code-selection risk is untouched by this single strategic outcome."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-12",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-06",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-06's risk-response planning can indirectly trigger selection of controls that later fix the misconfiguration, but the CWE itself is a narrow ASP.NET config error that this high-level process alone does not address or remove."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1209",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Supplier assessments are a high-level procurement control that cannot detect or enforce the specific hardware-design practice of disabling reserved bits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "none",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220 permits unauthorized access to sensitive assets but neither prevents nor impairs the delivery of adverse-event information to authorized recipients."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.IR-01's segmentation and zero-trust rules directly enforce minimum-necessary access at network boundaries, removing most instances of overly broad policy; CWE-1220 can still exist in application-layer or intra-segment controls that this single outcome does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-06's general SDLC practices can surface granularity issues during design/review (partial prevention) but do not specifically target access-control policy breadth, so they remove only part of CWE-1220's risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1224",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Pre-acquisition integrity checks may spot some flawed hardware (partial forward) but do not constrain register design or eliminate the root coding defect (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1256",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ID.AM-08's generic lifecycle-management guidance has no direct bearing on hardware-interface restriction defects, so neither direction removes or mitigates CWE-1256."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1256",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-01 can surface the hardware-interface flaw during architecture review or testing (partial forward) but supplies no design or implementation restrictions that actually eliminate the root weakness (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1256",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-01's least-functionality baselines can partially limit exposure to risky hardware interfaces when they are configurable, but CWE-1256 is a design-level failure to implement proper restrictions that config management alone does not prevent."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1268",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 policy/least-privilege practices can surface inconsistent privilege definitions (partial prevention) but do not address hardware-specific control-vs-data agent discrepancies at all (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1273",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Audits/evaluations can surface credential-sharing issues after the fact (partial forward) but ID.IM-01 itself neither implements credential controls nor removes any meaningful portion of this specific weakness's risk (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1274",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 directly requires protecting data-in-use (including volatile memory) from unauthorized access, eliminating most of this specific boot-code exposure, yet the weakness also spans secure-boot process design and the non-volatile-to-volatile memory transfer that one general data-protection outcome does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1277",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-05 can embed firmware-update requirements in supplier contracts (partial prevention for third-party components) but addresses none of the weakness for internally developed firmware and is too narrow to remove meaningful risk on its own."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1277",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Vulnerability identification and recording detects design flaws but neither implements firmware update capability nor removes the risk of that omission."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1299",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-1299 can impair DE.CM-09 by letting adverse events on unguarded alternate interfaces evade monitoring that assumes primary paths, yet the weakness only affects one narrow slice of the broad monitoring outcome."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.OC-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.OC-05's dependency inventory can surface some external component risks (partial prevention), yet the control alone never enforces trustworthiness evaluation or selection inside a product (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04's risk-acceptance criteria can indirectly discourage use of untrusted components (partial forward) but supplies no technical verification or component-hardening steps that would actually prevent CWE-1357 (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-05's supplier-risk communication channels can surface component-trust issues (partial forward) but address only one narrow facet and do not evaluate or restrict component selection (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-01's program-level policies and processes directly target supply-chain component trustworthiness (mostly), yet only lay the governance foundation and do not by themselves perform the concrete evaluations or selections that fully close CWE-1357 (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-04",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-04 enables focused scrutiny of critical suppliers, partially lowering the chance of selecting untrustworthy components, yet alone removes none of CWE-1357's broader risk around trust verification and component evaluation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-05 contractual requirements can reduce supply-chain component risk but do not verify or guarantee trustworthiness, while CWE-1357 also covers non-contractual components and broader design choices beyond any single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-06's supplier due diligence directly targets trustworthiness assessment before selection (mostly preventing introduction) yet leaves runtime verification, updates, and non-supplier components unaddressed (only partial prevention of the full weakness)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-07",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-07's supplier assessment/monitoring directly targets component trustworthiness risks (mostly preventing introduction), yet it leaves gaps in verification depth and non-supplier facets, so it only partially prevents the full weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-09",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-09 supply-chain controls directly verify component provenance/authenticity and therefore mostly block introduction of untrusted components, yet the weakness spans design-time trust decisions and non-supply-chain facets that one risk-management outcome cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.AM-08",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Lifecycle management with cybersecurity integration directly vets and maintains component trustworthiness (mostly forward) but leaves supply-chain, initial selection, and assurance gaps unaddressed (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.IM-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Supplier-coordinated exercises can reveal trustworthiness gaps and prompt improvements, yet the weakness spans initial component selection and supply-chain decisions that one post-test improvement process does not close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-01 can surface some vulnerabilities inside an already-chosen component (partial forward) but does nothing to ensure only sufficiently trustworthy components are selected in the first place (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-04",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Risk assessment identifies and records impacts of using untrustworthy components (partial prevention via awareness) but alone removes none of the actual selection, supply-chain, or integration decisions that create the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Risk assessment can surface component-trust issues and inform avoidance, yielding only partial prevention, while the single broad outcome removes essentially none of the architectural reliance risk itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-07",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Risk assessments during changes can surface trustworthiness issues for new or updated components (partial forward) but leave initial selection, procurement, and supply-chain decisions unaddressed (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-08",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Disclosure/response processes can surface issues in an already-chosen component (partial forward) but do nothing to avoid selecting or relying on an insufficiently trustworthy one in the first place (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-09",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-09 directly blocks introduction of untrustworthy components via pre-acquisition checks (mostly), yet leaves post-acquisition, undetected-supply-chain, and design-level facets of CWE-1357 unaddressed (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1357",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "ID.RA-10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Pre-acquisition supplier assessment directly blocks introduction of untrusted components (mostly) yet leaves post-integration, non-critical, and ongoing-trust aspects of CWE-1357 unaddressed (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01's credential issuance and key-management processes directly block most weak/default credential usage, yet leave hard-coded or product-design instances of CWE-1391 only partially addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Password-strength policies in PR.AA-03 directly block weak authenticators, but the control leaves hard-coded/default credentials largely unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 governs post-authentication authorization/least-privilege reviews and does not constrain credential selection or strength, so it neither prevents CWE-1391 nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Training raises password-hygiene awareness and can therefore reduce some weak-credential mistakes, yet supplies no enforcement mechanism and leaves the dominant technical sources of CWE-1391 untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Role-based awareness training can reduce the chance developers or admins introduce weak credentials but supplies no enforcement or verification, leaving the bulk of CWE-1391 risk untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Hardened baselines and default-setting reviews directly block default/hard-coded credentials (mostly), yet leave algorithmic guessing, reuse, and non-config sources of weak credentials untouched (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1391",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Maintenance/patching can incidentally remove known weak-default credentials in updated versions (partial forward) but does nothing to ensure credentials are strong at design, deployment or config time (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1395",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.RM-04",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04 supplies high-level risk-acceptance criteria that can discourage risky third-party choices (partial forward) yet addresses only one narrow facet of a broad technical weakness and cannot remove most of its risk surface (partial reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1395",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.SC-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Contractual supply-chain requirements can eliminate most introduction of known vulnerable dependencies, yet leave residual risk from incomplete verification, discovery of new vulnerabilities, and non-contractual lifecycle factors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1426",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "GV.PO-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "GV.PO-01 can indirectly require AI-output validation rules inside a risk policy (partial prevention of the weakness), yet a high-level policy alone removes none of the concrete validation gap described by CWE-1426."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "none",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-179 is a coding flaw enabling input-validation bypasses; it neither impairs post-incident forensic/root-cause processes (RS.AN-03) nor is itself mitigated or exposed by those processes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies proper credential lifecycle controls that reduce unauthorized access paths, yet leaves many other exposure vectors (error messages, logging, side channels, etc.) unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Authentication verifies actor identity and is a prerequisite for access decisions, yet addresses only one facet of the broad set of exposure vectors in CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-04",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-04 directly protects one narrow class of sensitive data (identity assertions) via signing/encryption, eliminating exposure only in SSO/federation contexts while leaving the broad CWE-200 surface untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 directly enforces least-privilege authorization that blocks most unauthorized disclosures, yet CWE-200 also arises from logging, error messages, and side-channel paths that access controls alone do not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Training (PR.AT-02) reduces likelihood of introducing exposure flaws via awareness but does not directly eliminate coding or design causes; CWE-200's broad technical roots mean one awareness control removes only a fraction of total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 directly eliminates exposure for data-at-rest via encryption but addresses only one facet of CWE-200's many vectors, so each direction rates partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-02 directly blocks exposure only for data-in-transit and selected outbound channels, so it prevents one facet of CWE-200 (partial) while the broad weakness spans many other vectors that this single control leaves open (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 mostly prevents CWE-200 by directly eliminating unauthorized access to sensitive data-in-use, yet only partially addresses the weakness because CWE-200 spans many other exposure vectors outside runtime protection."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-11",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-11's backup-protection requirement directly closes the backup-exposure vector (partial) but removes essentially none of CWE-200's overall risk surface across the product."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.IR-01's segmentation/zero-trust controls largely eliminate network-level unauthorized access paths that enable exposure, yet CWE-200 spans many additional vectors (API responses, logs, app logic) that network controls alone cannot close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Hardened baselines and least-functionality config can close certain misconfiguration exposures but address only one narrow facet of the broad CWE-200 weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Routine patching and replacement can close specific disclosure bugs that have vendor fixes, but the control does not address the majority of design, configuration, or coding causes of CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-03",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-03's secure-disposal clause can block one narrow hardware-retirement vector for exposure, but CWE-200 spans far broader software/runtime disclosure paths that this control never touches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 blocks one vector (unauthorized software) that could cause exposure, but CWE-200 arises from many unrelated causes that this control does not address."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices catch most exposure flaws via design, testing and release controls, yet CWE-200 spans runtime/config issues a single development outcome cannot fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 defines and reviews access policies but does not address code-level pathname neutralization, so neither direction prevents CWE-22."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Patching/maintenance can remediate known path-traversal flaws in deployed software (partial prevention of exploitability) but does nothing to stop the coding defect from being introduced in the first place."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 omits exactly the security details that DE.AE-02's log analysis and SIEM monitoring rely on, largely blinding the outcome while still leaving non-omitted data usable."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-04",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223's omission of attack-relevant details largely blinds impact/scope estimation (DE.AE-04), removing most of its efficacy while not quite defeating every possible manual or external-data workaround."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 directly omits the security-relevant data that DE.AE-06 must deliver, largely defeating the outcome's purpose while not always eliminating every possible channel."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-07",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 omits the raw security data that DE.AE-07 must integrate with CTI, largely starving the analysis outcome in both directions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Missing security-relevant data largely blinds the criteria-based incident declaration process, removing most of its efficacy without making it completely impossible."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-06",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223's omission directly blinds DE.CM-06 monitoring of external-provider activity by withholding the very security-relevant data needed to detect adverse events, impairing most (but not all) of the outcome's scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 directly blinds DE.CM-09's monitoring by withholding the security data needed to detect adverse events, removing most of the outcome's efficacy across its scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Missing security-relevant data largely blinds root-cause and sequence analysis (forward) while removing most of the outcome's evidentiary value (reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223's omission directly impairs the completeness of required investigation-action records (mostly degrading RS.AN-06), while the outcome's integrity/provenance focus is only secondarily affected."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 directly omits the security-relevant data that RS.AN-07 must collect and preserve, largely defeating the outcome while leaving ancillary provenance steps potentially intact."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Omission of security-relevant data largely blinds RS.AN-08's search for IoCs and persistence evidence, removing most of the outcome's ability to validate incident magnitude."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-223",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Missing security-relevant details directly blind incident categorization and prioritization by removing the data needed to identify type, scope, and impact."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-250",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 directly enforces least privilege and so largely eliminates CWE-250 at design time, yet the weakness can still arise from runtime escalation paths, third-party code, or misapplied role definitions outside this single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies credential/identity lifecycle support that can reduce some privilege-assignment errors but does not itself assign, modify, or check privileges, leaving most of CWE-269's risk unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 enforces least privilege/SoD and periodic reviews that directly remove most privilege-assignment defects, yet CWE-269 also covers escalation paths and role design outside a single access-management control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 protects data-in-use without touching privilege assignment/tracking, so it neither prevents CWE-269 nor removes more than one narrow facet of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Config baselines and default reviews can enforce some privilege-related settings (one facet) but do not address code-level assignment/tracking logic that defines CWE-269."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 can partially limit exploitability of some privilege issues via execution restrictions, but does not address the core design/implementation flaws of CWE-269 at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies managed identities/credentials that support but do not implement access-control decisions, so it only partially prevents CWE-284 in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Authentication directly blocks unauthenticated actors (partial prevention of CWE-284) but leaves authorization logic, policy enforcement, and role checks untouched, so the control neither eliminates nor fully mitigates the broader weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 directly enforces policy-based access management and least privilege, eliminating most improper-access-control defects, yet CWE-284 also covers implementation flaws and design gaps outside a single management control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 encryption mitigates impact of failed access checks on stored data but neither implements nor constrains access-control logic itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 directly mitigates unauthorized access only for data-in-use (one narrow facet of CWE-284), so it prevents that slice mostly while removing only a small fraction of the weakness's overall risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.IR-01 implements network segmentation/zero-trust controls that address only the network facet of access enforcement, leaving application-level authorization defects possible and unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Hardened baselines and deviation monitoring directly eliminate most configuration-induced access-control defects, yet CWE-284 also encompasses code-level and design flaws outside the scope of configuration management alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Routine patching and replacement can eliminate some shipped access-control bugs after introduction, but the maintenance outcome itself neither designs nor enforces authorization logic and therefore removes none of CWE-284's total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 partially prevents CWE-284 by stopping unauthorized software execution (one facet of access) but leaves the broad weakness's design/implementation defects largely unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices catch most access-control defects during design/coding/testing (mostly), yet leave residual risk from runtime configuration, architecture, and operational controls (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies managed identities and access-request workflows that can support downstream authorization decisions, yet does nothing to enforce or verify authorization checks inside a product, leaving CWE-285 fully unaddressed by this control alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-05",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 mostly prevents CWE-285 via enforced policy, reviews, and least-privilege authorization decisions, yet CWE-285 remains only partially prevented because code-level check omissions or errors can still occur outside that single control."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.IR-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Network segmentation/zero-trust limits external reachability (partial prevention of exploitation) but leaves application-level authorization logic untouched, so the CWE remains fully introducible and only one facet of its risk is addressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-05",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 blocks unauthorized binaries/DNS while CWE-285 is an in-product authorization-check defect, so the control neither prevents the weakness nor removes any of its risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices catch and eliminate most authorization defects before release, yet a single broad outcome cannot address every design, role, and runtime facet of CWE-285."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies and governs credentials/tokens that authentication relies on, removing some weak-credential cases, yet leaves verification logic, missing checks, and protocol flaws untouched."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-02",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-02 ensures valid enrollment and unique credential binding, which reduces some improper-auth risks at issuance time but leaves runtime claim verification untouched, so each direction only partially addresses the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-03",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-03 directly enforces authentication mechanisms that eliminate most improper-authentication defects, yet CWE-287 spans additional vectors (missing checks, flawed protocols, session handling) that one control does not fully close."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-04",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-04 directly enables verification of identity assertions (mostly preventing CWE-287 in that scope) yet leaves many other authentication failure modes unaddressed (only partial prevention overall)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-01 can enforce auth-related settings via hardened baselines and default reviews, blocking some config-based instances of CWE-287, yet leaves code-level auth flaws untouched, so neither direction reaches the mostly rating."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Patching/maintenance can remediate some known auth vulnerabilities after deployment (partial forward) but does not address the design or implementation of authentication logic itself (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 directly mandates encryption for data-at-rest and therefore prevents CWE-311 mostly for storage, yet the weakness also spans transmission and other contexts that this single at-rest control leaves unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-02",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-02 directly eliminates the transmission facet of CWE-311 via mandatory encryption but leaves the storage facet untouched, so each direction rates only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 promotes encryption for data-at-rest but never requires strong algorithms, leaving CWE-327 fully possible; the weakness is also far broader than data-at-rest so one narrow control removes none of its total risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.RP-05",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly impairs RC.RP-05's verification of restored-asset integrity/authenticity, largely defeating the outcome while still leaving other restoration-confirmation steps partially viable."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RC.CO-04",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 does not impair RC.CO-04's ability to issue approved public recovery updates, yet any resulting PII exposure can partially undermine the outcome's overall efficacy and trust."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-437",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-437's incomplete endpoint model directly impairs a monitor's detection logic (mostly degrading DE.CM-01's adverse-event finding), while the same flaw removes most of the monitoring outcome's reliability across its scope."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-437",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MI-01",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "CWE-437 can cause monitoring/containment products to take incorrect actions due to an incomplete endpoint model, impairing (but not fully defeating) RS.MI-01's automatic or manual containment capability."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-455",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-03",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-03 addresses only hardware lifecycle/replacement and has no effect on software initialization error-handling logic."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-502",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-02 addresses only post-deployment updates/patching and cannot prevent introduction of unsafe deserialization code, yet it can remediate some instances when the flaw exists in outdated libraries or components."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-591",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 encryption of data-at-rest can protect swapped pages but does not stop improper memory locking, addressing only one exposure facet of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-04",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-04 addresses protection/verification of identity assertions in SSO/federation contexts while CWE-757 concerns protocol-level crypto algorithm negotiation, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging largely blinds event analysis by omitting the critical details needed to understand adverse activities."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-03",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves the multiple log sources and SIEM correlation that DE.AE-03 relies on, largely defeating its ability to operate while the logging gap removes most of the correlation outcome's value."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-04",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves impact/scope estimation of the event details required to produce accurate estimates, removing most of the outcome's value while leaving limited non-log avenues intact."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves DE.AE-06 of the event data that must be delivered to staff/tools, removing most of the outcome's value while the delivery mechanisms themselves remain intact."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-08",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves incident declaration of the event details needed to evaluate criteria, removing most of the outcome's efficacy in both directions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-01",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging impairs detail capture for some log-driven network monitoring (partial degradation of DE.CM-01) while the weakness itself only removes part of the monitoring outcome's scope since real-time traffic/wireless checks can occur independently of logs."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-02",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves the log- and record-dependent examples in DE.CM-02 (Ex1/Ex2), largely blinding those detection paths, yet Ex3's physical tampering checks remain unaffected so overall efficacy loss is only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-03",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves DE.CM-03's log-dependent monitoring (Ex2) of the events needed to detect adverse activity, largely defeating that aspect while other methods (analytics, deception) remain partially viable."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.CM-09",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves DE.CM-09's monitoring of the event data needed for detection, impairing most of its efficacy across authentication, config, and vector monitoring."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-03",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves RS.AN-03 of the event sequence and detail data required for root-cause reconstruction, removing most (but not all) analytic value."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-06",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging directly starves the required recording and integrity preservation of investigation actions, removing most of RS.AN-06's value."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-07",
      "extent": "full",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging directly prevents generation of the incident data/metadata that RS.AN-07 requires, so the weakness starves collection/preservation completely in both directions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.AN-08",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves RS.AN-08's evidence gathering for IoCs/persistence, largely impairing magnitude estimation while not eliminating every non-log source."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-778",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "RS.MA-03",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves incident categorization/prioritization of the event details needed for accurate scoping and response selection, removing most of the outcome's value."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-779",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-02",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Excessive logging undermines event analysis by flooding logs with noise that hinders processing and forensic review, but does not blind or defeat the outcome the way insufficient logging would."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-779",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-04",
      "extent": "mostly",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Excessive logging hinders log processing and forensic analysis, largely undermining DE.AE-04's ability to estimate impact/scope via SIEMs or tools while removing most of that outcome's efficacy."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-779",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "DE.AE-06",
      "extent": "partial",
      "relation": "degrades",
      "authority": "manual_QA_v2",
      "notes": "Excessive logging impairs processing of provided event data and log-analysis findings (one aspect of DE.AE-06) without fully defeating alert/ticket distribution."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Routine patching/maintenance can remediate known command-injection CVEs in dependencies (partial forward) but does nothing to stop developers from introducing improper neutralization in custom code (none reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-06's SDLC practices directly require secure coding and input handling that blocks command-injection defects, yet the single broad outcome leaves many specific neutralization vectors and verification gaps unaddressed."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Patching and EOL replacement can remediate known XSS instances in libraries or frameworks (partial) but do nothing to enforce input neutralization in application code (none)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices directly target introduction of XSS via coding standards/testing (mostly), yet the single broad outcome leaves many specific neutralization vectors unaddressed (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01's credential/key-management processes can reduce the incentive to embed secrets but do not address or detect hard-coded values in source code, so the weakness remains fully possible."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AA-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-02 addresses human identity proofing and per-person credential issuance at enrollment; it has no bearing on whether developers embed static credentials in software."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-01",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 addresses encryption and integrity of stored data but never touches credential or key management practices, so it neither prevents hard-coded credentials nor removes any of their risk."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.AT-02",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Training raises developer awareness of SQLi risks and can reduce introduction likelihood (partial) but removes none of the actual coding flaw's risk by itself since technical neutralization is still required."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices directly target injection flaws during coding and review and so largely prevent CWE-89 introduction, yet the single broad outcome leaves residual risk from incomplete neutralization techniques or missed edge cases."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.DS-10",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 protects runtime data confidentiality/integrity but has no bearing on neutralizing externally influenced input during code generation, so neither direction shows any preventive effect."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "NIST_CSF_2.0",
      "target_id": "PR.PS-06",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-06's SDLC practices directly target injection flaws via secure coding and testing (mostly), yet as a single broad outcome it leaves many code-generation specifics unaddressed (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 omits exactly the security details that DE.AE-02's log analysis and SIEM monitoring rely on, largely blinding the outcome while still leaving non-omitted data usable."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging largely blinds event analysis by omitting the critical details needed to understand adverse activities."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-02",
      "target_framework": "CWE",
      "target_id": "CWE-779",
      "extent": "partial",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Excessive logging undermines event analysis by flooding logs with noise that hinders processing and forensic review, but does not blind or defeat the outcome the way insufficient logging would."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-03",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves the multiple log sources and SIEM correlation that DE.AE-03 relies on, largely defeating its ability to operate while the logging gap removes most of the correlation outcome's value."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-04",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223's omission of attack-relevant details largely blinds impact/scope estimation (DE.AE-04), removing most of its efficacy while not quite defeating every possible manual or external-data workaround."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-04",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves impact/scope estimation of the event details required to produce accurate estimates, removing most of the outcome's value while leaving limited non-log avenues intact."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-04",
      "target_framework": "CWE",
      "target_id": "CWE-779",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Excessive logging hinders log processing and forensic analysis, largely undermining DE.AE-04's ability to estimate impact/scope via SIEMs or tools while removing most of that outcome's efficacy."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "none",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220 permits unauthorized access to sensitive assets but neither prevents nor impairs the delivery of adverse-event information to authorized recipients."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 directly omits the security-relevant data that DE.AE-06 must deliver, largely defeating the outcome's purpose while not always eliminating every possible channel."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves DE.AE-06 of the event data that must be delivered to staff/tools, removing most of the outcome's value while the delivery mechanisms themselves remain intact."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-06",
      "target_framework": "CWE",
      "target_id": "CWE-779",
      "extent": "partial",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Excessive logging impairs processing of provided event data and log-analysis findings (one aspect of DE.AE-06) without fully defeating alert/ticket distribution."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-07",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 omits the raw security data that DE.AE-07 must integrate with CTI, largely starving the analysis outcome in both directions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Missing security-relevant data largely blinds the criteria-based incident declaration process, removing most of its efficacy without making it completely impossible."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.AE-08",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves incident declaration of the event details needed to evaluate criteria, removing most of the outcome's efficacy in both directions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "CWE",
      "target_id": "CWE-437",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-437's incomplete endpoint model directly impairs a monitor's detection logic (mostly degrading DE.CM-01's adverse-event finding), while the same flaw removes most of the monitoring outcome's reliability across its scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-01",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "partial",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging impairs detail capture for some log-driven network monitoring (partial degradation of DE.CM-01), while the weakness itself only removes part of the monitoring outcome's scope, since real-time traffic/wireless checks can occur independently of logs."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-02",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves the log- and record-dependent examples in DE.CM-02 (Ex1/Ex2), largely blinding those detection paths, yet Ex3's physical tampering checks remain unaffected, so the overall efficacy loss is only partial."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-03",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves DE.CM-03's log-dependent monitoring (Ex2) of the events needed to detect adverse activity, largely defeating that aspect while other methods (analytics, deception) remain partially viable."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-06",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223's omission directly blinds DE.CM-06 monitoring of external-provider activity by withholding the very security-relevant data needed to detect adverse events, impairing most (but not all) of the outcome's scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "CWE",
      "target_id": "CWE-1299",
      "extent": "partial",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-1299 can impair DE.CM-09 by letting adverse events on unguarded alternate interfaces evade monitoring that assumes primary paths, yet the weakness only affects one narrow slice of the broad monitoring outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 directly blinds DE.CM-09's monitoring by withholding the security data needed to detect adverse events, removing most of the outcome's efficacy across its scope."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "DE.CM-09",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves DE.CM-09's monitoring of the event data needed for detection, impairing most of its efficacy across authentication, config, and vector monitoring."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.OC-05",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.OC-05's dependency inventory can surface some external component risks (partial prevention), yet the control alone never enforces trustworthiness evaluation or selection inside a product (none)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.PO-01",
      "target_framework": "CWE",
      "target_id": "CWE-1426",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.PO-01 can indirectly require AI-output validation rules inside a risk policy (partial prevention of the weakness), yet a high-level policy alone removes none of the concrete validation gap described by CWE-1426."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "CWE",
      "target_id": "CWE-1104",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04's high-level risk-response criteria can indirectly discourage unmaintained third-party use via policy, but alone removes none of the concrete supply-chain or maintenance decisions that produce CWE-1104."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "CWE",
      "target_id": "CWE-1177",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04 can set high-level risk policies that include prohibiting certain third-party components, thereby partially blocking introduction of CWE-1177, yet the weakness's concrete code-selection risk is untouched by this single strategic outcome."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04's risk-acceptance criteria can indirectly discourage use of untrusted components (partial forward) but supplies no technical verification or component-hardening steps that would actually prevent CWE-1357 (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-04",
      "target_framework": "CWE",
      "target_id": "CWE-1395",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-04 supplies high-level risk-acceptance criteria that can discourage risky third-party choices (partial forward) yet addresses only one narrow facet of a broad technical weakness and cannot remove most of its risk surface (partial reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.RM-05",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.RM-05's supplier-risk communication channels can surface component-trust issues (partial forward) but address only one narrow facet and do not evaluate or restrict component selection (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-01",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-01's program-level policies and processes directly target supply-chain component trustworthiness (mostly), yet only lay the governance foundation and do not by themselves perform the concrete evaluations or selections that fully close CWE-1357 (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-04",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-04 enables focused scrutiny of critical suppliers, partially lowering the chance of selecting untrustworthy components, yet alone removes none of CWE-1357's broader risk around trust verification and component evaluation."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "CWE",
      "target_id": "CWE-1277",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-05 can embed firmware-update requirements in supplier contracts (partial prevention for third-party components) but addresses none of the weakness for internally developed firmware and is too narrow to remove meaningful risk on its own."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-05 contractual requirements can reduce supply-chain component risk but do not verify or guarantee trustworthiness, while CWE-1357 also covers non-contractual components and broader design choices beyond any single control."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-05",
      "target_framework": "CWE",
      "target_id": "CWE-1395",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Contractual supply-chain requirements can eliminate most introduction of known vulnerable dependencies, yet leave residual risk from incomplete verification, discovery of new vulnerabilities, and non-contractual lifecycle factors."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-06",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-06's supplier due diligence directly targets trustworthiness assessment before selection (mostly preventing introduction) yet leaves runtime verification, updates, and non-supplier components unaddressed (only partial prevention of the full weakness)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-07",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-07's supplier assessment/monitoring directly targets component trustworthiness risks (mostly preventing introduction), yet leaves gaps in verification depth and non-supplier facets so only partially prevents the full weakness."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "GV.SC-09",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "GV.SC-09 supply-chain controls directly verify component provenance/authenticity and therefore mostly block introduction of untrusted components, yet the weakness spans design-time trust decisions and non-supply-chain facets that one risk-management outcome cannot fully close."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "CWE",
      "target_id": "CWE-1059",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Lifecycle management can indirectly encourage documentation as part of cybersecurity integration, but addresses only one narrow facet of the broad documentation weakness and removes essentially none of its total risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "CWE",
      "target_id": "CWE-1256",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ID.AM-08's generic lifecycle-management guidance has no direct bearing on hardware-interface restriction defects, so neither direction removes or mitigates CWE-1256."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.AM-08",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Lifecycle management with cybersecurity integration directly vets and maintains component trustworthiness (mostly forward) but leaves supply-chain, initial selection, and assurance gaps unaddressed (partial reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-01",
      "target_framework": "CWE",
      "target_id": "CWE-1273",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Audits/evaluations can surface credential-sharing issues after the fact (partial forward) but ID.IM-01 itself neither implements credential controls nor removes any meaningful portion of this specific weakness's risk (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.IM-02",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Supplier-coordinated exercises can reveal trustworthiness gaps and prompt improvements, yet the weakness spans initial component selection and supply-chain decisions that one post-test improvement process does not close."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "CWE",
      "target_id": "CWE-1051",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-01's code/architecture reviews can surface hard-coded network data after the fact (partial forward) but do nothing to stop developers from embedding it during initial design or coding (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "CWE",
      "target_id": "CWE-1256",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-01 can surface the hardware-interface flaw during architecture review or testing (partial forward) but supplies no design or implementation restrictions that actually eliminate the root weakness (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "CWE",
      "target_id": "CWE-1277",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Vulnerability identification and recording detects design flaws but neither implements firmware update capability nor removes the risk of that omission."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-01",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-01 can surface some vulnerabilities inside an already-chosen component (partial forward) but does nothing to ensure only sufficiently trustworthy components are selected in the first place (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-04",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Risk assessment identifies and records impacts of using untrustworthy components (partial prevention via awareness) but alone removes none of the actual selection, supply-chain, or integration decisions that create the weakness."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-05",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Risk assessment can surface component-trust issues and inform avoidance, yielding only partial prevention, while the single broad outcome removes essentially none of the architectural reliance risk itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-06",
      "target_framework": "CWE",
      "target_id": "CWE-12",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-06's risk-response planning can indirectly trigger selection of controls that later fix the misconfiguration, but the CWE itself is a narrow ASP.NET config error that this high-level process alone does not address or remove."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-07",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Risk assessments during changes can surface trustworthiness issues for new or updated components (partial forward) but leave initial selection, procurement, and supply-chain decisions unaddressed (partial reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-08",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Disclosure/response processes can surface issues in an already-chosen component (partial forward) but do nothing to avoid selecting or relying on an insufficiently trustworthy one in the first place (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "CWE",
      "target_id": "CWE-1224",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Pre-acquisition integrity checks may spot some flawed hardware (partial forward) but do not constrain register design or eliminate the root coding defect (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-09",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ID.RA-09 directly blocks introduction of untrustworthy components via pre-acquisition checks (mostly), yet leaves post-acquisition, undetected-supply-chain, and design-level facets of CWE-1357 unaddressed (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "CWE",
      "target_id": "CWE-1209",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Supplier assessments are a high-level procurement control that cannot detect or enforce the specific hardware-design practice of disabling reserved bits."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "ID.RA-10",
      "target_framework": "CWE",
      "target_id": "CWE-1357",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Pre-acquisition supplier assessment directly blocks introduction of untrusted components (mostly) yet leaves post-integration, non-critical, and ongoing-trust aspects of CWE-1357 unaddressed (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01's credential issuance and key-management processes directly block most weak/default credential usage, yet leave hard-coded or product-design instances of CWE-1391 only partially addressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies proper credential lifecycle controls that reduce unauthorized access paths, yet leaves many other exposure vectors (error messages, logging, side channels, etc.) unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies credential/identity lifecycle support that can reduce some privilege-assignment errors but does not itself assign, modify, or check privileges, leaving most of CWE-269's risk unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies managed identities/credentials that support but do not implement access-control decisions, so it only partially prevents CWE-284 in either direction."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies managed identities and access-request workflows that can support downstream authorization decisions, yet it does nothing to enforce or verify the authorization checks inside a product; on its own it therefore addresses only the identity-input side of CWE-285 and leaves the in-product check itself unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01 supplies and governs credentials/tokens that authentication relies on, removing some weak-credential cases, yet leaves verification logic, missing checks, and protocol flaws untouched."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-01",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-01's credential/key-management processes can reduce the incentive to embed secrets but do not address or detect hard-coded values in source code, so the weakness remains fully possible."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-02",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-02 ensures valid enrollment and unique credential binding, which reduces some improper-auth risks at issuance time but leaves runtime claim verification untouched, so each direction only partially addresses the other."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-02",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-02 addresses human identity proofing and per-person credential issuance at enrollment; it has no bearing on whether developers embed static credentials in software."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Password-strength policies in PR.AA-03 directly block weak authenticators, but the control leaves hard-coded/default credentials largely unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Authentication verifies actor identity and is a prerequisite for access decisions, yet addresses only one facet of the broad set of exposure vectors in CWE-200."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Authentication directly blocks unauthenticated actors (partial prevention of CWE-284) but leaves authorization logic, policy enforcement, and role checks untouched, so the control neither eliminates nor fully mitigates the broader weakness."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-03",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-03 directly enforces authentication mechanisms that eliminate most improper-authentication defects, yet CWE-287 spans additional vectors (missing checks, flawed protocols, session handling) that one control does not fully close."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-04",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-04 directly protects one narrow class of sensitive data (identity assertions) via signing/encryption, eliminating exposure only in SSO/federation contexts while leaving the broad CWE-200 surface untouched."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-04",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-04 directly enables verification of identity assertions (mostly preventing CWE-287 in that scope) yet leaves many other authentication failure modes unaddressed (only partial prevention overall)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-04",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-04 addresses protection/verification of identity assertions in SSO/federation contexts while CWE-757 concerns protocol-level crypto algorithm negotiation, so the control neither prevents nor meaningfully mitigates the weakness."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-1268",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 policy/least-privilege practices can surface inconsistent privilege definitions (partial prevention) but do not address hardware-specific control-vs-data agent discrepancies at all (none)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 governs post-authentication authorization/least-privilege reviews and does not constrain credential selection or strength, so it neither prevents CWE-1391 nor removes any of its risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 directly enforces least-privilege authorization that blocks most unauthorized disclosures, yet CWE-200 also arises from logging, error messages, and side-channel paths that access controls alone do not address."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 defines and reviews access policies but does not address code-level pathname neutralization, so neither direction prevents CWE-22."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-250",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 directly enforces least privilege so largely eliminates CWE-250 at design time, yet the weakness can still arise from runtime escalation paths, third-party code, or misapplied role definitions outside this single control."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 enforces least privilege/SoD and periodic reviews that directly remove most privilege-assignment defects, yet CWE-269 also covers escalation paths and role design outside a single access-management control."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 directly enforces policy-based access management and least privilege, eliminating most improper-access-control defects, yet CWE-284 also covers implementation flaws and design gaps outside a single management control."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AA-05",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.AA-05 mostly prevents CWE-285 via enforced policy, reviews, and least-privilege authorization decisions, yet CWE-285 remains only partially prevented because code-level check omissions or errors can still occur outside that single control."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-01",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Training raises password-hygiene awareness and can therefore reduce some weak-credential mistakes, yet supplies no enforcement mechanism and leaves the dominant technical sources of CWE-1391 untouched."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "CWE",
      "target_id": "CWE-1004",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Role-based training can reduce the chance developers introduce missing HttpOnly flags but supplies no enforcement or detection, leaving essentially all of the implementation flaw's risk intact."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Role-based awareness training can reduce the chance developers or admins introduce weak credentials but supplies no enforcement or verification, leaving the bulk of CWE-1391 risk untouched."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Training (PR.AT-02) reduces likelihood of introducing exposure flaws via awareness but does not directly eliminate coding or design causes; CWE-200's broad technical roots mean one awareness control removes only a fraction of total risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.AT-02",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Training raises developer awareness of SQLi risks and can reduce introduction likelihood (partial) but removes none of the actual coding flaw's risk by itself since technical neutralization is still required."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 directly eliminates exposure for data-at-rest via encryption but addresses only one facet of CWE-200's many vectors, so each direction rates partial."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 encryption mitigates impact of failed access checks on stored data but neither implements nor constrains access-control logic itself."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 directly mandates encryption for data-at-rest and therefore prevents CWE-311 mostly for storage, yet the weakness also spans transmission and other contexts that this single at-rest control leaves unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 requires encryption of data-at-rest but does not specify algorithm strength, so a broken or risky algorithm can still be chosen to satisfy it; because CWE-327 also spans transport and every other cryptographic use, this single at-rest control removes only a small part of the weakness's total risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "CWE",
      "target_id": "CWE-591",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 encryption of data-at-rest can protect swapped pages but does not stop improper memory locking, addressing only one exposure facet of the weakness."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-01",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-01 addresses encryption and integrity of stored data but never touches credential or key management practices, so it neither prevents hard-coded credentials nor removes any of their risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-02 directly blocks exposure only for data-in-transit and selected outbound channels, so it prevents one facet of CWE-200 (partial) while the broad weakness spans many other vectors that this single control leaves open (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-02",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-02 directly eliminates the transmission facet of CWE-311 via mandatory encryption but leaves the storage facet untouched, so each direction rates only partial."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "CWE",
      "target_id": "CWE-1274",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 directly requires protecting data-in-use (including boot code held in volatile memory) from unauthorized access, eliminating most of this specific boot-code exposure, yet the weakness also spans secure-boot process design and the non-volatile-to-volatile memory copy of boot code that one general data-protection outcome does not fully close."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 mostly prevents CWE-200 by directly eliminating unauthorized access to sensitive data-in-use, yet only partially addresses the weakness because CWE-200 spans many other exposure vectors outside runtime protection."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 protects data-in-use without touching how privileges are assigned, modified, or tracked, so it does not prevent CWE-269 and removes none of its risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 directly mitigates unauthorized access only for data-in-use (one narrow facet of CWE-284), so it prevents that slice mostly while removing only a small fraction of the weakness's overall risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-10",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-10 protects runtime data confidentiality/integrity but has no bearing on neutralizing externally influenced input during code generation, so neither direction shows any preventive effect."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.DS-11",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.DS-11's backup-protection requirement directly closes the backup-exposure vector (partial) but removes essentially none of CWE-200's overall risk surface across the product."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.IR-01's segmentation + zero-trust rules directly enforce minimum-necessary access at network boundaries, removing most instances of overly broad policy; CWE-1220 can still exist in application-layer or intra-segment controls that this single outcome does not address."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.IR-01's segmentation/zero-trust controls largely eliminate network-level unauthorized access paths that enable exposure, yet CWE-200 spans many additional vectors (API responses, logs, app logic) that network controls alone cannot close."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.IR-01 implements network segmentation/zero-trust controls that address only the network facet of access enforcement, leaving application-level authorization defects possible and unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.IR-01",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Network segmentation/zero-trust limits external reachability (partial prevention of exploitation) but leaves application-level authorization logic untouched, so the CWE remains fully introducible and only one facet of its risk is addressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "CWE",
      "target_id": "CWE-1256",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-01's least-functionality baselines can partially limit exposure to risky hardware interfaces when they are configurable, but CWE-1256 is a design-level failure to implement proper restrictions that config management alone does not prevent."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Hardened baselines and default-setting reviews directly block default/hard-coded creds (mostly), yet leave algorithmic guessing, reuse, and non-config sources of weak credentials untouched (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Hardened baselines and least-functionality config can close certain misconfiguration exposures but address only one narrow facet of the broad CWE-200 weakness."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Config baselines and default reviews can enforce some privilege-related settings (one facet) but do not address code-level assignment/tracking logic that defines CWE-269."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Hardened baselines and deviation monitoring directly eliminate most configuration-induced access-control defects, yet CWE-284 also encompasses code-level and design flaws outside the scope of configuration management alone."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-01",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-01 can enforce auth-related settings via hardened baselines and default reviews, blocking some config-based instances of CWE-287, yet leaves code-level auth flaws untouched so neither direction reaches mostly."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-1391",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Maintenance/patching can incidentally remove known weak-default creds in updated versions (partial forward) but does nothing to ensure credentials are strong at design, deployment or config time (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Routine patching and replacement can close specific disclosure bugs that have vendor fixes, but the control does not address the majority of design, configuration, or coding causes of CWE-200."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Patching/maintenance can remediate known path-traversal flaws in deployed software (partial prevention of exploitability) but does nothing to stop the coding defect from being introduced in the first place."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Routine patching and replacement can eliminate some shipped access-control bugs after introduction, but the maintenance outcome itself neither designs nor enforces authorization logic and therefore removes only the vendor-fixed fraction of CWE-284's total risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Patching/maintenance can remediate some known auth vulnerabilities after deployment (partial forward) but does not address the design or implementation of authentication logic itself (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-502",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-02 addresses only post-deployment updates/patching and cannot prevent introduction of unsafe deserialization code, yet it can remediate some instances when the flaw exists in outdated libraries or components."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Routine patching/maintenance can remediate known command-injection CVEs in dependencies (partial forward) but does nothing to stop developers from introducing improper neutralization in custom code (none reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-02",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Patching and EOL replacement can remediate known XSS instances in libraries or frameworks (partial) but do nothing to enforce input neutralization in application code (none)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-03",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-03's secure-disposal clause can block one narrow hardware-retirement vector for exposure, but CWE-200 spans far broader software/runtime disclosure paths that this control never touches."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-03",
      "target_framework": "CWE",
      "target_id": "CWE-455",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-03 addresses only hardware lifecycle/replacement and has no effect on software initialization error-handling logic."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 blocks one vector (unauthorized software) that could cause exposure, but CWE-200 arises from many unrelated causes that this control does not address."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 can partially limit exploitability of some privilege issues via execution restrictions, but does not address the core design/implementation flaws of CWE-269 at all."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 partially prevents CWE-284 by stopping unauthorized software execution (one facet of access) but leaves the broad weakness's design/implementation defects largely unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-05",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-05 blocks unauthorized binaries/DNS while CWE-285 is an in-product authorization-check defect, so the control neither prevents the weakness nor removes any of its risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-1004",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Broad SDLC practices catch cookie-handling defects via standards/testing (mostly forward) yet remain too general to guarantee this narrow flag setting is always enforced (partial reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-06's general SDLC practices can surface granularity issues during design/review (partial prevention) but do not specifically target access-control policy breadth, so they remove only part of CWE-1220's risk."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices catch most exposure flaws via design, testing and release controls, yet CWE-200 spans runtime/config issues a single development outcome cannot fully close."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices catch most access-control defects during design/coding/testing (mostly), yet leave residual risk from runtime configuration, architecture, and operational controls (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices catch and eliminate most authorization defects before release, yet a single broad outcome cannot address every design, role, and runtime facet of CWE-285."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-06's SDLC practices directly require secure coding and input handling that blocks command-injection defects, yet the single broad outcome leaves many specific neutralization vectors and verification gaps unaddressed."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices directly target introduction of XSS via coding standards/testing (mostly), yet the single broad outcome leaves many specific neutralization vectors unaddressed (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Secure SDLC practices directly target injection flaws during coding and review, so they largely prevent the introduction of CWE-89, yet the single broad outcome leaves residual risk from incomplete neutralization techniques or missed edge cases."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "PR.PS-06",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "PR.PS-06's SDLC practices directly target injection flaws via secure coding and testing (mostly), yet as a single broad outcome it leaves many code-generation specifics unaddressed (partial)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.CO-04",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "none",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 does not impair RC.CO-04's ability to issue approved public recovery updates, yet any resulting PII exposure can partially undermine the outcome's overall efficacy and trust."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RC.RP-05",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly impairs RC.RP-05's verification of restored-asset integrity/authenticity, largely defeating the outcome while still leaving other restoration-confirmation steps partially viable."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "none",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-179 is a coding flaw enabling input-validation bypasses; it neither impairs post-incident forensic/root-cause processes (RS.AN-03) nor is itself mitigated or exposed by those processes."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Missing security-relevant data largely blinds root-cause and sequence analysis (forward) while removing most of the outcome's evidentiary value (reverse)."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-03",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves RS.AN-03 of the event sequence and detail data required for root-cause reconstruction, removing most (but not all) analytic value."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "The data omission described by CWE-223 directly impairs the completeness of required investigation-action records (mostly degrading RS.AN-06), while the outcome's integrity/provenance focus is only secondarily affected."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-06",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging directly starves the required recording and integrity preservation of investigation actions, removing most of RS.AN-06's value."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-223 directly omits the security-relevant data that RS.AN-07 must collect and preserve, largely defeating the outcome while leaving ancillary provenance steps potentially intact."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-07",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "full",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging directly prevents generation of the incident data/metadata that RS.AN-07 requires, so the weakness starves collection/preservation completely in both directions."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Omission of security-relevant data largely blinds RS.AN-08's search for IoCs and persistence evidence, removing most of the outcome's ability to validate incident magnitude."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.AN-08",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves RS.AN-08's evidence gathering for IoCs/persistence, largely impairing magnitude estimation while not eliminating every non-log source."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "CWE",
      "target_id": "CWE-223",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Missing security-relevant details directly blind incident categorization and prioritization by removing the data needed to identify type, scope, and impact."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MA-03",
      "target_framework": "CWE",
      "target_id": "CWE-778",
      "extent": "mostly",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "Insufficient logging starves incident categorization/prioritization of the event details needed for accurate scoping and response selection, removing most of the outcome's value."
    },
    {
      "source_framework": "NIST_CSF_2.0",
      "source_id": "RS.MI-01",
      "target_framework": "CWE",
      "target_id": "CWE-437",
      "extent": "partial",
      "relation": "is_degraded_by",
      "authority": "manual_QA_v2",
      "notes": "CWE-437 can cause monitoring/containment products to take incorrect actions due to an incomplete endpoint model, impairing (but not fully defeating) RS.MI-01's automatic or manual containment capability."
    }
  ]
}