{
  "meta": {
    "slug": "nist-800-53-r5-owasp-asvs-5.0",
    "frameworks": [
      "NIST_800-53_r5",
      "OWASP_ASVS_5.0"
    ],
    "labels": [
      "NIST 800-53 r5",
      "OWASP ASVS 5.0"
    ],
    "authoritative": null,
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "NIST_800-53_r5",
      "b": "OWASP_ASVS_5.0"
    },
    "counts": {
      "pairs": 627,
      "rows": 1254,
      "present_a_to_b": 215,
      "present_b_to_a": 572
    },
    "reliability": {
      "reverse_presence_pct": 74.4,
      "extent_rank_correlation": -0.054,
      "completeness_a_to_b_pct": 43.7,
      "completeness_b_to_a_pct": 3.0,
      "none_rate_a_to_b_pct": 65.7,
      "none_rate_b_to_a_pct": 8.8,
      "counterpart_coverage_a": {
        "mapped": 108,
        "universe": 324,
        "pct": 33.3
      },
      "counterpart_coverage_b": {
        "mapped": 273,
        "universe": 345,
        "pct": 79.1
      }
    },
    "abstraction": {
      "breadth_a_to_b": 2.72,
      "breadth_b_to_a": 2.2,
      "depth_a_to_b": 1.86,
      "depth_b_to_a": 1.03,
      "verdict": "NIST_800-53_r5 sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": {
        "signal": "nist_level",
        "controls": 97,
        "enhancements": 11
      },
      "intrinsic_b": null
    },
    "diff": null,
    "ppt": null
  },
  "diff": null,
  "edges": [
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only high-level access-control policy documentation; ASVS V4.1.4 is a narrow technical HTTP-method restriction that such a policy might reference but does not enforce."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-1 requires only a high-level access-control policy document; it does not mandate the specific session-lifetime rules or 800-63B justification that V7.1.1 demands."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V7.1.2 is one narrow documentation detail inside the broad access-control policy and procedures required by AC-1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only a generic documented access-control policy; that policy could mention federated session coordination but does not fulfill the concrete ASVS verification, while the narrow ASVS item covers none of AC-1's policy-development, assignment, or review obligations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.1.1 is one narrow authorization-documentation rule inside the broad AC-1 policy-and-procedures control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only a generic documented AC policy; ASVS V8.1.2 demands a narrow, field-level attribute-based authorization rule set that is neither mandated nor precluded by the high-level policy control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only a high-level access-control policy document; ASVS V8.1.3 demands explicit application-level documentation of contextual attributes used in runtime decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only high-level access-control policy existence and maintenance; ASVS V8.1.4 demands specific contextual-authorization content that a generic policy need not contain."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-10 enforces a numeric concurrent-session limit, while ASVS V7.1.2 requires that the limit and the behavior when it is reached be documented rather than enforced."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-11 device lock addresses re-auth after lock but does not implement application session/token invalidation on logout or expiry."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.5.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-11 device lock requires re-authentication to resume access but is not scoped to application-level sensitive transactions, while ASVS V7.5.3 does not address device or session locking."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 addresses generic automatic session termination; ASVS V7.2.4 requires both termination and fresh token issuance specifically on authentication events."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 mandates automatic session termination but omits the token-invalidation mechanics; ASVS V7.4.1 verifies that termination is actually enforced afterward but does not require the automatic trigger."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 mandates automatic session termination on a configurable trigger, while ASVS V7.4.3 requires only an optional, user-triggered termination of other sessions after an auth-factor change."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 supplies generic session timeout but omits IdP/RP federation semantics, documented behavior, and re-auth triggers required by ASVS V7.6.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-14 addresses policy-level decisions on unauthenticated actions but supplies none of the concrete metadata-validation, consent, or warning controls required by ASVS V10.4.7."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-14 requires documenting permitted unauthenticated actions and could therefore touch the introspection decision, but the ASVS item is a single narrow GraphQL control that does not address the NIST control's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-14 addresses documentation of unauthenticated actions while ASVS V7.5.1 mandates re-authentication for specific sensitive changes, yielding no fulfillment in either direction but a sliver of related scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.5.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-14 addresses documenting actions allowed without any authentication, while ASVS V7.5.3 mandates step-up authentication for sensitive operations; the two share only a tangential relationship to authentication policy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16's attribute framework can loosely encompass OAuth scopes as permitted attributes, but provides no OAuth-specific request verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 provides a broad attribute-management framework that could support audience claims but does not address token-specific audience validation on a resource server."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 broadly requires attribute association/management that can encompass token claims, while ASVS V10.3.2 narrowly requires their use in resource-server authorization decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 broadly addresses attribute association and management, which can encompass JWT iss/sub usage but does not mandate the specific anti-reassignment check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 provides a general attribute-management framework that could loosely apply to OAuth scopes, but the ASVS item is a narrow OAuth-specific configuration check outside AC-16's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow OAuth-specific integrity check on authorization_details; AC-16 broadly addresses attribute association and change auditing but does not target this mechanism."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 provides general attribute association/auditing that could loosely support a unique user identifier but does not address ID-token claim verification or non-reassignment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies the attribute mechanism that can support authorization rules but omits documentation verification; ASVS V8.1.1 touches only the attribute-based rule aspect of the much broader NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 requires attribute association/auditing but does not address field-level authorization rule documentation or read/write restrictions based on consumer permissions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 addresses defining/establishing security attributes and auditing them, which overlaps the ASVS focus on documenting contextual attributes for decisions but omits app-specific documentation and environmental decision context."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 addresses attribute definition/auditing on data but omits ASVS's required authz decision documentation, thresholds, and actions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies an attribute-association mechanism that could support permission checks but does not enforce function-level access; ASVS V8.2.1 addresses only that narrow enforcement point."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies attribute mechanisms that can support fine-grained data permissions but does not mandate application-level enforcement against IDOR/BOLA; ASVS V8.2.2 addresses none of AC-16's attribute lifecycle requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies an attribute-association mechanism that could support field permissions but does not mandate application-level field access enforcement, while ASVS V8.2.3 addresses only one narrow authorization check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies a general attribute-association framework that could support contextual attributes but does not mandate adaptive session-based authz decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16's attribute-change auditing touches the alert/revert aspect but omits immediate propagation and token-specific mitigations; ASVS V8.3.2 addresses only a narrow slice of attribute management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies a general attribute-binding framework that could carry subject identity but does not address propagation of original-subject permissions across intermediaries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-17 broadly addresses remote-access authorization policy but does not specifically require OAuth confidential-client authentication for back-channel endpoints."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-17's configuration requirements can loosely encompass the specific WebSocket origin check, but the ASVS item addresses none of the NIST control's policy/authorization scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-17 addresses remote-access policy and authorization at a high level that can partially support admin-interface controls, while ASVS V8.4.2 demands specific continuous verification, posture assessment, and risk analysis not addressed by AC-17."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-19",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-19 touches device/location aspects of access but does not address adaptive contextual auth decisions applied at session start and ongoing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.3.2 addresses narrow OAuth token-claim enforcement on a resource server; AC-2 covers broad procedural account/privilege management that only incidentally touches access authorizations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses broad account privileges while ASVS V10.4.11 is a narrow OAuth-scope configuration check with only tangential overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.4.16 demands a narrow cryptographic client-authentication mechanism for OAuth clients; NIST AC-2 addresses only generic account provisioning and authorization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 account lifecycle actions can indirectly support token revocation but lack any token/UI specifics, while the narrow ASVS token-UI rule covers none of the broad AC-2 requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS consent review/revoke is a narrow slice of the broad account and access-authorization lifecycle in AC-2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 broadly addresses account documentation/termination/review but omits federated SSO session coordination; ASVS V7.1.3 touches only a narrow slice of AC-2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account disable/remove on termination which can indirectly end access, but does not cover session/token invalidation mechanics required by ASVS V7.4.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 requires account disable/remove on termination but never mentions session termination, while ASVS addresses only that narrow behavior."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 account disable/remove offers indirect support for revoking access but never addresses session termination; ASVS covers none of the broad account-management control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account privileges and access authorizations at a high level but omits function/data-specific authorization rules; ASVS V8.1.1 covers none of the account lifecycle, monitoring, or approval processes in AC-2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account-level access authorizations but omits field-level attribute-based rules; ASVS V8.1.2 has no overlap with account management activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 touches access-authorization conditions but does not require documenting environmental/contextual attributes; ASVS V8.1.3 addresses none of AC-2's account-management scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 touches basic access authorization but omits risk/contextual attributes, thresholds, and step-up actions required by ASVS V8.1.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account provisioning and privilege assignment at an org level but does not cover application-level function access enforcement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 defines and manages account privileges at the system level but does not address application runtime enforcement of per-object data permissions to prevent IDOR/BOLA."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses high-level privilege assignment while ASVS V8.2.3 requires application-enforced field-level checks, yielding only loose directional overlap."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account lifecycle changes and notifications but does not cover immediate enforcement of authorization decisions or token-specific mitigations required by ASVS V8.3.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account provisioning/monitoring but not subject-identity propagation for chained authorization decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-2 account lifecycle rules can support tenant separation via authorizations but do not address multi-tenant isolation enforcement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses basic account provisioning/monitoring but omits continuous verification, device posture, and risk analysis required by ASVS V8.4.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-21",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.7.2 is a narrow UI/consent-prompt requirement for auth servers; AC-21 is a broad org-level control on information-sharing decisions that neither implements nor is implemented by that specific verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 requires policy-based decisions on access requests but does not mandate authorization-code single-use or revocation logic."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies a narrow OAuth/PKCE check on token requests while AC-24 is a generic policy-decision control that only abstractly touches request-time enforcement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 addresses generic access decisions; ASVS V10.4.7 is a narrow OAuth-specific registration control whose consent/warning elements only loosely map to it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 requires decisions on every access request and therefore fully contains the narrow consent step, yet supplies none of the explicit consent-prompting detail demanded by ASVS V10.7.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 requires decision enforcement on requests but says nothing about documenting contextual attributes; ASVS addresses only that narrow documentation sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.2.4 demands specific adaptive/contextual attribute checks at session start and at runtime; AC-24 requires only generic per-request decisions and prescribes none of those specific checks, but the narrow ASVS item sits entirely inside the scope of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.3.2 is a narrow slice (immediate authz-value propagation + token mitigations) of the broad per-request decision enforcement required by AC-24."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 supplies a generic access-decision requirement that only loosely supports the ASVS multi-tenant isolation rule, while the narrow ASVS line addresses none of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-25 reference monitor provides a general tamperproof enforcement substrate that could host OAuth scope checks, but the NIST control itself says nothing about OAuth or scopes, while ASVS V10.2.3 is a narrow OAuth-client policy check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets a narrow OAuth parameter-integrity check while AC-25 is a general tamper-proof reference-monitor mandate; the two intersect only on the abstract notion of tamper resistance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor supplies reliable policy enforcement that could underpin consent checks, but does not address user-consent prompting itself."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor provides a tamperproof enforcement substrate that could host method filtering but does not mandate or verify HTTP-method allow-listing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor concept could encompass backend session checks but does not require or specify them; the ASVS item addresses only one narrow verification practice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor supplies a tamperproof enforcement substrate that could host session checks but does not mandate or describe session termination logic."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor supplies a general tamperproof enforcement substrate that could underpin object-level checks, yet says nothing about explicit per-data-item permissions or IDOR/BOLA; the ASVS requirement addresses none of the monitor's required properties."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands app-specific trusted-layer authz; NIST's abstract reference-monitor properties largely satisfy that intent but extend far beyond it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor ensures tamperproof/always-invoked decisions but does not address immediate propagation of authz changes or token-specific alerts/reversion."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor is a general tamperproof mediation architecture; it neither specifies nor guarantees multi-tenant isolation controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.4.2 is a narrow OAuth replay-prevention rule that is one sliver of the broad logical-access enforcement in AC-3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V5.2.5 is one narrow technical measure inside the broad access-enforcement intent of AC-3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3 broadly enforces access authorizations across all logical resources, fully encompassing the narrow ASVS function-level check while the reverse covers only one sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.2.2 is a narrow, app-specific object-level authorization check that is subsumed by the broad AC-3 policy-enforcement control but not fully addressed by it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.2.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3 is a broad policy-level access enforcement control that only partially addresses the narrow field-level BOPLA check required by ASVS V8.2.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3 supplies the general access-enforcement mechanism while ASVS V8.4.1 adds a narrow multi-tenant isolation requirement not explicitly addressed by the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MAC policy enforcement addresses general authorization constraints but does not address OAuth token claims or delegated resource-server decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MAC policy is a broad, abstract information-flow control; ASVS token-binding is a narrow, concrete OAuth mechanism that only loosely aligns with one aspect of it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires documented ABAC-style rules for function/data access; NIST AC-3.3 enforces a rigid MAC policy with specific non-disclosure constraints, yielding only narrow overlap in either direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MAC enforces broad policy constraints on information flow and attributes but does not address field-level granularity or authorization documentation; ASVS is too narrow to cover any MAC specifics."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MAC constrains unauthorized changes to security attributes but does not address immediate propagation or token-specific mitigations required by ASVS V8.3.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.3 enforces a specific MAC policy model unrelated to ASVS's multi-layer admin checks (identity, device posture, context)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.4 enforces a specific DAC model while ASVS V8.1.1 requires documented authorization rules; each addresses only a subset of the other's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands documented field-level attribute rules; NIST AC-3.4 only states generic DAC enforcement without that granularity or documentation focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-4.27",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-4.27 addresses redundant cross-domain content filters while ASVS V5.2.2 requires specific file-type validation on upload; the scopes overlap only loosely on content checking."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.1.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the general least-privilege principle while ASVS V10.1.1 is a narrow, token-specific instance of that principle."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6's high-level least-privilege principle conceptually supports minimal OAuth scopes but does not address the specific verification requirement, while the narrow ASVS item covers none of the broad organizational control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 provides a high-level least-privilege principle that only loosely relates to client authentication, while the narrow OAuth back-channel requirement covers none of the broad organizational control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.11",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the broad least-privilege principle that directly encompasses the narrow OAuth-scope check, while the single ASVS line covers only one technical instance of that principle."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.4.12 is a narrow technical restriction on OAuth response_mode values; AC-6 states the general least-privilege principle that could motivate it but does not address or enforce this control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the broad least-privilege principle that directly motivates the ASVS grant restriction, yet supplies none of the OAuth-specific mechanics or disallowed-flow rules."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V4.1.4 is one narrow technical instance of least privilege; AC-6 therefore fully encompasses it while the reverse is only a sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the broad least-privilege principle that could loosely support disabling unnecessary GraphQL introspection, while the single ASVS check addresses none of the control's organizational scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 addresses broad authorization scope but does not require immediate propagation of changes or token-specific mitigations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V8.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states broad least-privilege but does not require original-subject identity propagation across services."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-8 requires explicit user acknowledgment before access but targets notification banners, not session-creation consent."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-1 requires only high-level audit policy/procedures while ASVS V16.1.1 demands a concrete, layer-specific logging inventory."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands concrete auth-event logging; AU-1 only requires high-level audit policy and procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST non-repudiation may rely on detailed audit metadata but also permits cryptographic or other mechanisms beyond logging."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS focuses narrowly on log readability and common formats for correlation; AU-10 addresses non-repudiation evidence without touching log processing."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-10's broad non-repudiation evidence may be supported by auth logs but does not mandate them, while ASVS V16.3.1 covers only one narrow authentication-logging aspect of non-repudiation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-10 requires irrefutable evidence for arbitrary actions while ASVS V16.3.2 demands only targeted logging of authorization decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands concrete app-level logging of bypass attempts; AU-10 only requires generic non-repudiation evidence that may be satisfied without such logs."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires log protection; AU-10 requires non-repudiation evidence, which log integrity can support but does not implement or fulfill."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies event-generation capability that partially addresses one ASVS element (events logged) while the ASVS inventory/documentation mandate is otherwise untouched; ASVS does not address AU-12's generation or selection requirements at all."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 (via AU-3) requires the same metadata fields ASVS demands but also covers event selection/generation scope beyond ASVS's narrow verification focus."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 ensures audit records are generated with defined content but does not address log-processor readability or common formats for correlation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 addresses generic audit generation capability only; it contains no requirement for protection-level rules, exclusion, or masking of sensitive data."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies generic audit capability that can include auth events only if selected via AU-2, while ASVS demands only the narrow slice of authentication operations plus metadata."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies the generic audit-generation mechanism that can support authorization logging but does not mandate those specific events; ASVS V16.3.2 addresses only one narrow event type."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies the general audit-generation mechanism that can cover the specified security and bypass events, while ASVS V16.3.3 addresses only one narrow application-focused subset of the events and configuration options required by AU-12."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies generic audit-generation capability that can encompass the specified error/failure events, while the ASVS line is a narrow, application-specific verification sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 addresses only the audit-logging portion referenced in the ASVS line; it does not cover the required error-handler definition or availability protection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-2 addresses only event-type selection while ASVS V16.1.1 requires a broader inventory covering formats, storage, access, usage, and retention."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-2 addresses event selection and investigation rationale but does not require specific log-entry metadata fields."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow set of auth events and metadata while NIST requires organization-wide event selection, rationale and review, so each covers only part of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-2 defines a generic event-selection process that can include authz events but does not mandate them, while ASVS V16.3.2 names only one narrow event type."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V16.3.3 is a narrow application-level logging rule that forms one sliver of the broad organizational event-selection and policy requirements in AU-2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-2 broadly requires selecting and justifying event types but does not mandate application-specific logging of errors or control failures such as backend TLS issues."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 specifies required audit-record fields while ASVS V16.1.1 demands an inventory of logging scope, formats, storage, access and retention across layers."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 directly specifies the same core metadata elements (when/where/who/what) plus extras, fully satisfying the narrow ASVS logging requirement while ASVS covers only a subset of AU-3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 requires a 'when' field but says nothing about clock sync or UTC offsets, while ASVS V16.2.2 addresses only that narrow timing detail."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 mandates specific audit-record content but says nothing about log format or processor correlation; ASVS addresses only the latter."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 supplies the required event/outcome/identity metadata fields that satisfy most of the ASVS auth-logging content needs, yet does not mandate auth events specifically and ASVS addresses only a narrow slice of all audit records."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 supplies generic audit-record fields that support authorization logging but does not mandate those events; ASVS addresses only one narrow class of events."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 defines audit-record fields but does not require logging of the specific security/bypass events demanded by ASVS V16.3.3; ASVS says nothing about those fields."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 defines audit-record content fields but does not require logging of the specific error/failure events demanded by ASVS V16.3.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-6 covers review/analysis/reporting of existing audit records but says nothing about secure transmission or logical separation of logs."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-7 supports analysis/reporting but does not require the common log formats or processor correlation specified in ASVS V16.2.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST covers the UTC/offset timestamp format but omits explicit synchronization of logging time sources; ASVS addresses only that narrow slice of the broader NIST audit-record requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST timestamps support correlation but ignore common format/readability; ASVS never mentions timestamps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires broad logging inventory docs including access-control description; NIST AU-9 only enforces protection/alerting of audit data, covering one narrow slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.4.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-9 directly implements the exact ASVS log-protection goals plus extra elements (deletion, alerting, tools)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 mandates only high-level org CM policy/procedures while ASVS V13.1.1 is a narrow, application-specific documentation check that is not addressed by the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 supplies the org-level policy framework that can encompass secrets documentation and rotation, while ASVS V13.1.4 is only one narrow application-level instance of such a policy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 only requires a generic CM policy document; it neither mandates nor verifies the specific server allowlist."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 supplies only high-level policy scaffolding while ASVS V13.2.6 demands concrete verification of service-connection settings."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures that could mention secret rotation, while ASVS V13.3.4 is a narrow verification check that addresses none of the policy development or dissemination elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures that could mention debug settings; ASVS V13.4.2 is a narrow technical verification unrelated to policy authorship."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures; this may indirectly touch endpoint-exposure configuration but does not address the specific ASVS verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures that could encompass web-tier rules, while ASVS V13.4.7 is one narrow technical control unrelated to policy development."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST location/component documentation touches external services only incidentally while ASVS focuses on communication mapping; ASVS covers none of NIST's user-access or change-tracking elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST documents users with access to information locations but never requires or verifies least-privilege access to secrets."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-2 requires generic baseline documentation; ASVS V13.1.2 demands very specific connection-limit and DoS-behavior content that may or may not be present in any given baseline."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST baseline config may document auth settings but does not mandate the specific backend authentication rules required by ASVS."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CM-2 requires documented baselines that could incidentally list privileged accounts, but does not address least-privilege verification for backend component communications."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-2 supplies a generic baseline-config process that may document connection settings but does not address the ASVS-specific verification of runtime connection behavior (timeouts, retries, max-parallel, etc.)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-2 provides a broad baseline process that could encompass disabling debug modes but does not require it; ASVS V13.4.2 addresses only that single verification item."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.7",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.7 is one narrow web-tier setting that a baseline configuration can include, while CM-2 broadly encompasses all such settings."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 requires broad change documentation that may incidentally touch comms configs, while ASVS V13.1.1 is a narrow, application-specific mapping requirement outside CM-3's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3's general change-control process can touch secret rotation as one controlled activity but does not require the specific secrets inventory and threat-based rotation schedule demanded by ASVS V13.1.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 defines a generic change-control process only; it neither requires nor verifies application-layer allowlists for external communications."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 supplies change-control documentation processes that can indirectly support the existence of connection configs, while the narrow ASVS verification item addresses none of the NIST change-control activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 provides a general change-control process that could encompass secret updates but does not require expiration or rotation of secrets."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 defines a generic change-control process that can encompass debug settings only incidentally, while the ASVS item is a narrow production configuration check unrelated to the bulk of CM-3 activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3's change-control process can indirectly govern endpoint-exposure settings but does not address the specific verification of documentation/monitoring endpoints."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-5 addresses access restrictions for making changes to the system, while ASVS V13.3.2 targets least-privilege access to secrets; the only overlap is that CM-5's change-access restrictions may incidentally limit who can alter stored secrets, and the ASVS item addresses none of CM-5's change-control scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 provides a general configuration-management umbrella that can encompass connection limits as one setting, but does not address the ASVS-specific DoS behavior, fallback, or per-service documentation requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 addresses broad configuration documentation and monitoring, which can touch timeout settings but does not require the ASVS-specific resource-management strategies, release procedures, or retry algorithms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly covers config documentation and monitoring, which can encompass secrets as settings, but does not address secrets identification or rotation schedules."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly requires restrictive configuration settings that can encompass least-privilege accounts, while ASVS V13.2.2 narrowly verifies that specific practice for backend component communications."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly mandates secure configuration settings that implicitly include non-default credentials, while the narrow ASVS check is only one specific instance of such a setting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6's broad mandate for restrictive configuration settings can encompass allowlists but does not specifically require them, while the narrow ASVS allowlist rule addresses only a tiny fraction of CM-6."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 supplies a generic configuration-management framework that can accommodate an allow-list but does not require or describe it; the single ASVS rule addresses only one narrow setting among CM-6's many organizational tasks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 supplies a broad configuration-management framework that can encompass connection settings, while ASVS V13.2.6 only addresses one narrow application-level verification sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly addresses configuration management that can encompass secrets handling, yet does not mandate key vaults or source-code exclusion, while the narrow ASVS item sits fully inside that scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6's restrictive settings provide indirect support for least-privilege access but do not address verification of secret assets; ASVS V13.3.2 covers none of the broad configuration-management activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CM-6 provides a generic mechanism for enforcing configuration settings that could include HSM usage, but does not address the ASVS cryptographic isolation requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly addresses configuration settings and monitoring but does not specifically require secret expiration/rotation, while the narrow ASVS item is one possible instance of such settings."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.1 is one narrow deployment check while CM-6 is a broad configuration-settings control that can encompass it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets one specific config item (debug disabled) while NIST broadly governs all configuration settings management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Directory listing is one narrow web-server setting under the broad CM-6 configuration control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 provides a general configuration framework that can include disabling TRACE but does not specifically require it; the single ASVS item addresses only one narrow setting among many."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.5 is one narrow configuration/verification item inside the broad CM-6 control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.6",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS names one narrow configuration practice while NIST CM-6 broadly governs all system configuration settings."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.7",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.7 is one narrow web-server file-extension rule inside the broad CM-6 configuration-settings control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands explicit documentation of all app communications; CM-7 only restricts functions/ports/protocols without any documentation requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CM-7 restricts system functions/services but does not address least-privilege accounts for backend component communications."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-7 addresses broad service restriction but omits connection-specific behaviors like timeouts/retries; ASVS covers only one narrow aspect of functionality limits."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST inventory may incidentally capture some external services as components but does not address documented communication needs or user-supplied external locations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 broadly requires a CM plan for config items but does not specifically mandate documenting application communication needs or external endpoints."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a general CM plan for config items but does not mandate the specific connection-limit and DoS-behavior documentation called for by ASVS V13.1.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a broad configuration-management plan while ASVS V13.1.3 demands narrow, explicit resource-timeout/retry documentation for external services."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 broadly requires a configuration management plan and definition of items but does not address secrets identification or rotation schedules."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.2.4 is one narrow allow-listing practice that could be placed under a broad CM plan but is never required by CM-9."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 ensures a high-level plan for documenting configuration items but does not address application-level verification of connection behavior or retry logic."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 addresses only the existence of a high-level configuration management plan that could incidentally reference secrets as config items, without requiring any secrets-management solution or controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a broad configuration-management plan that could encompass secrets rotation as one process, while the narrow ASVS secrets-expiry check covers none of the plan's roles, scope, or approval elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.1 is a narrow deployment check that a CM plan could incidentally address as one config item, while CM-9's broad plan, roles, and approval requirements are untouched by the ASVS line."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 supplies a broad CM-plan framework that could encompass debug settings as one config item, while the narrow ASVS check addresses none of the plan's roles, lifecycle, or approval elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires only a high-level CM plan and does not mandate the specific web-server directory-listing control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires only a high-level config-management plan; disabling TRACE is one possible config item that plan might address but is not mandated."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9's protection of the CM plan from disclosure overlaps only narrowly with ASVS's specific check against unintended exposure of API docs and monitoring endpoints."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V13.4.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a high-level configuration-management plan that could encompass web-tier file-extension rules, while the narrow ASVS check addresses only one technical control and touches none of the plan's governance elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only requires high-level IA policy documents that could mention dynamic registration risks, while ASVS V10.4.7 demands concrete technical mitigations absent from the policy control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires high-level IA policy documentation that could encompass auth controls, but does not mandate the specific rate-limiting/anti-automation content required by ASVS V6.1.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.1.2 is one narrow procedural detail inside the broad IA policy and procedures mandated by IA-1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only a high-level IA policy document; ASVS V6.1.3 is a narrow, application-level verification of multi-path auth documentation and consistency that such a policy might reference but does not guarantee."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates the existence of generic IA policies while ASVS V6.2.10 demands a precise application-level rule on password lifetime."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy/procedures that could optionally reference password dictionaries, while ASVS V6.2.11 is a narrow technical check unrelated to policy development."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-1 only mandates high-level IA policy existence; it neither requires nor verifies the specific anti-brute-force controls demanded by V6.3.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates high-level IA policy/procedure artifacts; it does not require or verify the specific multi-pathway consistency check demanded by ASVS V6.3.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only requires generic IA policy existence; the narrow email-auth prohibition is neither mandated nor addressed by it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-1 only mandates high-level policy/procedure documents that might reference initial-password rules, while the ASVS item is a narrow technical verification unrelated to policy authorship."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-1 only mandates high-level IA policy/procedures that may reference password-reset rules; it neither requires nor verifies the specific reset behavior checked by ASVS V6.4.3, and the ASVS item addresses none of IA-1's documentation and governance scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy/procedures that could optionally reference token lifetimes, while ASVS V6.5.5 is a narrow technical verification rule unrelated to policy creation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates generic IA policy existence; revocation of factors is neither required nor verifiable from it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates high-level IA policy/procedures and does not address the specific out-of-band binding requirement, while the narrow ASVS item covers none of the policy development activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.8.2 is one narrow technical check inside the broad IA policy/procedure umbrella defined by IA-1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 supplies only high-level IA policy scaffolding while ASVS V7.1.1 demands explicit, 800-63B-referenced session-timeout documentation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires IA policy/procedure documentation at a high level; ASVS V7.1.2 demands one narrow concurrent-session detail that such a policy might contain but does not mandate."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 supplies only a generic IA policy framework while ASVS V7.1.3 demands explicit documentation and coordination of federated session controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy/procedures while ASVS V7.3.2 demands a specific enforceable session-lifetime control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.5.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1's broad policy mandate may touch re-auth needs at a high level while the narrow ASVS technical rule addresses none of the policy/procedure scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy documents that could mention token validation, while ASVS V9.1.1 is a single narrow technical check unrelated to policy development."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 broadly requires adaptive auth for strength/conditions while ASVS V10.3.4 narrowly specifies token-claim verification, so the control fully encompasses the requirement but not vice versa."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 addresses only the adaptive-authentication aspect while ASVS V6.1.1 requires documentation of rate limiting, anti-automation, and lockout prevention as well."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 addresses adaptive auth under conditions but omits documentation and cross-pathway consistency enforcement required by ASVS V6.1.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets specific brute-force/credential-stuffing controls; IA-10's adaptive authentication is a broader, conditional mechanism that only partially overlaps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 requires adaptive auth under risk conditions but does not mandate user notification of suspicious attempts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 adaptive auth can be tuned to require MFA for reset flows but does not address password-reset procedures; ASVS addresses only that narrow reset requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10's generic adaptive parameters can be tuned to enforce biometrics only as a secondary factor, but the ASVS rule addresses none of the control's broader adaptive-auth scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 adaptive auth may indirectly mitigate brute-force via risk-based step-up but does not address rate limiting or 64-bit entropy for OOB codes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10's broad adaptive-auth parameter could encompass push-rate-limiting as one possible control, while the narrow ASVS line covers none of the general adaptive-auth requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 broadly requires adaptive auth under conditions, fully encompassing the narrow IdP claim-verification scenario while only partially addressing its specific mechanics and fallback rule."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.2.3 is a narrow check on password-change forms; IA-11 is a broad re-auth control that can encompass it when parameterized appropriately."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-11 supplies a generic re-auth lever that can be tuned to protect password reset but does not mandate the forgotten-password process or its MFA invariant, while ASVS V6.4.3 addresses only that single narrow scenario."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-11 addresses only the recentness aspect via re-auth; ASVS V6.8.4 focuses on IdP claim validation for strength/method/recentness with fallback logic."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 ensures initial unique identity resolution but does not address token claim usage or runtime verification required by ASVS V10.3.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 covers initial identity proofing only; ASVS V6.4.3 targets MFA-preserving password reset, yielding minimal overlap in one direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 supplies the general identity-proofing process but does not mandate re-proofing on lost MFA factors; ASVS V6.4.4 addresses only that narrow re-proofing scenario."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 covers only the phone-number validation aspect via identity evidence checks while ignoring OTP delivery rules, risk disclosure, and L3 prohibition; ASVS addresses none of the broader identity-proofing requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of auth servers but does not address audience validation of tokens; ASVS specifies one narrow implementation detail."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of authorization servers for decisions but does not address resource-server enforcement of specific token claims such as scope or authorization_details."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdP/auth-server usage for identity decisions but does not address JWT claim uniqueness; ASVS is a narrow implementation detail outside that scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 provides only high-level IdP/auth-server usage; it does not address the specific token-claim verification (acr/amr/auth_time) required by ASVS V10.3.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 is a broad mandate to employ auth servers; it does not require sender-constrained/PoP tokens, while the ASVS line is one narrow technical constraint on token issuance."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST broadly requires auth servers but does not mandate the specific public-key client auth methods; ASVS is one narrow technical slice inside that broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires only high-level use of authorization servers while ASVS V10.4.5 demands concrete refresh-token replay mitigations absent from the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires broad use of authorization servers for access management but does not address token revocation UI."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of IdPs/auth servers but does not address client-side nonce replay checks; the ASVS item is a narrow RP verification unrelated to the control's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.7.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 is a high-level requirement to employ authorization servers; ASVS V10.7.1 is a narrow consent-prompt rule that neither fully maps to nor is fully addressed by the broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 addresses centralized IdP usage for auth decisions but omits any requirement for documenting or verifying consistency across multiple application auth pathways."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires broad use of IdPs for identity/auth decisions that may encompass password policy configuration, while the narrow ASVS password-length check addresses none of the IdP employment scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS line is one narrow credential-lifetime rule inside broad IdP/credential management; IA-13 never addresses rotation policy."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires IdPs for identity management but does not address user password change; ASVS V6.2.2 is one narrow functional check unrelated to the control's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires use of IdPs for auth decisions, which may incidentally supply brute-force protections, while ASVS V6.3.1 narrowly targets those specific controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 addresses broad IdP-based identity management that may incidentally support disabling defaults, while the narrow ASVS check covers none of the NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdPs for auth decisions but does not mandate MFA/hardware/phishing-resistant factors; ASVS V6.3.3 specifies only one narrow slice of authentication mechanisms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 promotes centralized IdP use that may indirectly support consistent auth strength, but does not address undocumented pathways or application-level verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdPs for identity/auth management but does not address initial-password specifics, while ASVS V6.4.1 covers only that narrow sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires broad IdP usage for auth decisions but does not address password-reset flows; ASVS specifies only one narrow reset-MFA rule."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires only the use of IdPs/auth servers at a high level; it does not mandate single-use enforcement for TOTP/lookup/OOB secrets, while the narrow ASVS check addresses none of IA-13's broader identity-management scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdP-based identity/access management (which can include revocation) while ASVS V6.5.6 demands only a narrow, explicit revocation capability for lost auth factors."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 is a high-level requirement to use IdPs; the specific out-of-band binding rule is one possible implementation detail not mandated by the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires employing IdPs but does not address the specific multi-IdP namespace collision check required by ASVS V6.8.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow technical check on assertion signatures; NIST IA-13 only broadly requires use of IdPs without specifying that check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires only broad employment of IdPs for auth decisions; it does not mandate claim validation or documented fallbacks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires use of IdPs for identity/access management but omits any session-lifetime, termination or re-auth coordination requirements specified in ASVS V7.1.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly addresses IdP usage for auth decisions while ASVS V7.3.2 specifies only max session lifetime enforcement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.5.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 addresses IdP/Authorization Server infrastructure for auth decisions but does not mandate step-up auth for sensitive transactions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires employing IdPs but does not address specific session lifetime/termination behaviors, while ASVS V7.6.1 covers only one narrow verification aspect of IdP usage."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of IdPs/auth servers but does not address token signature validation; ASVS V9.1.1 is a narrow technical check unrelated to the org-level identity management scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of IdPs/auth servers for identity decisions while ASVS V9.2.2 specifies one narrow token-type validation check performed by a relying service."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires use of IdPs/auth servers at an org level but does not mandate audience validation; ASVS V9.2.3 is one narrow token check unrelated to the breadth of IA-13."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses key protection/generation for tokens but omits dynamic session token mandates; ASVS touches generation yet ignores broader key management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST broadly addresses key protection/management but does not require allow-list validation of token issuer sources or JWT headers."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires audience-restricted tokens as one of six management items, covering the ASVS audience check while ASVS addresses only that narrow enforcement sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies one-time auth-code use plus revocation; NIST broadly lists revocation and time-restriction among six token operations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13.3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires audience restriction (covering the core ASVS mandate) but omits the same-key condition and dynamic-audience validation; ASVS addresses only one narrow facet of the broad NIST token-management list."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 supplies the general unique-ID mandate but says nothing about JWT claims or token introspection; ASVS V10.3.3 is a narrow, token-specific sliver unrelated to the breadth of organizational user auth."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.16",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires general user authentication but does not address OAuth confidential clients or mandate public-key/replay-resistant methods."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 supplies the broad unique-ID mandate while ASVS V10.5.2 adds only the narrow OIDC 'sub' claim check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires org-user authentication at a high level but does not address documentation or consistent enforcement across multiple application auth pathways."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires basic identification/authentication but does not address brute-force or credential-stuffing controls specified by ASVS V6.3.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires unique user identification/authentication but does not explicitly address disabling default accounts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires only generic identification and authentication while ASVS V6.3.3 mandates MFA (plus hardware phishing resistance at L3)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires basic org-user identification/authentication but does not address application-level multi-pathway consistency or undocumented paths."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires general user authentication but does not address password-reset flows or MFA bypass prevention."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 broadly requires user authentication while ASVS V6.5.8 is a narrow TOTP time-source detail not addressed by the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2's broad unique-ID mandate conceptually encompasses the ASVS multi-IdP namespace rule, while the narrow ASVS line only partially satisfies the org-level control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires user authentication at a high level but does not address signature validation on assertions, while the ASVS item is a narrow technical check unrelated to the breadth of IA-2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.8.4 is a narrow IdP-claim verification detail that sits inside the broad IA-2 authentication mandate."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-2 provides only high-level authentication context while ASVS V7.1.1 demands explicit session-timeout documentation and 800-63B alignment that IA-2 does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 supplies core authentication but omits federated session documentation, lifetime coordination, and re-auth triggers required by ASVS V7.1.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires unique user identification but supplies none of the token-generation mechanics demanded by ASVS V7.2.3, while the ASVS line only addresses one narrow implementation detail of authentication."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-2 requires user authentication but contains no inactivity timeout or re-authentication requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires user authentication but does not address session lifetime or forced re-authentication."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2.6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST supplies core MFA + separate-device elements but omits ASVS phishing-resistance, intent-proof, L2/L3 distinctions and relaxation rules; ASVS addresses only application MFA and does not reach NIST's broader account scope or parameterisation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-2.6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2(6) requires that one authentication factor be provided by a device separate from the system gaining access; that incidentally rules out an email-delivered code read on that same system, but the control never addresses email as an authenticator. ASVS V6.3.6 prohibits email as an authentication factor and says nothing about separate devices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.7.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-3 requires device authentication at connection time but contains no nonce-length or uniqueness mandates, while the ASVS line addresses only one narrow technical property of such authentication."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses identifier reuse prevention at a broad organizational level, while ASVS V10.3.3 narrowly requires that a resource server identify the user from access-token claims that remain stable for that user (typically 'iss' plus 'sub'); the underlying non-reassignment principle is the same, but IA-4 says nothing about token claims."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses general identifier reuse prevention which only tangentially relates to nonce uniqueness, while ASVS V10.5.1 is a narrow OAuth-specific replay check absent from the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST reuse-prevention clause supports the non-reassignment aspect but omits ID-token claim verification; ASVS covers only that narrow reuse sliver of broad identifier management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses general identifier issuance and reuse prevention but does not explicitly require disabling default accounts, while the ASVS item is a narrow slice unrelated to most IA-4 elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4's identifier uniqueness and reuse-prevention requirements are the principle V6.8.1 applies to multi-IdP federation, though IA-4 itself does not state an IdP-namespaced composite identifier; the narrow ASVS rule is treated here as one instance inside that general control, so the composite-identifier construction still has to be verified separately."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4's identifier-reuse rule touches the uniqueness concept only tangentially, while ASVS V6.8.3 is a narrow SAML-replay control outside IA-4's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses broad organizational identifier assignment and reuse prevention but does not require or verify dynamic token generation for application sessions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 provides general identifier assignment/reuse rules that could loosely support audience IDs, but ASVS V9.2.4's token-specific audience restriction and validation requirement is outside IA-4's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength and protection but omits OAuth-specific session/transaction binding required by ASVS V10.1.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength of mechanism but omits token-claim verification for methods/recentness; ASVS covers none of IA-5's management, distribution, or revocation requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength/protection that can partially encompass token anti-replay but omits any OAuth-specific sender-constraining mechanisms required by ASVS V10.3.5."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5's 'strength of mechanism' clause can loosely encompass PKCE enforcement, but the ASVS item addresses none of IA-5's distribution, revocation, or lifecycle procedures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.4.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator issuance/refresh/protection but does not specify absolute expiration for refresh tokens."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5 addresses general authenticator strength and protection but does not specify nonce-based ID-token replay checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5 addresses general identity verification during authenticator issuance but omits any ID-token claim mechanics, while the narrow ASVS line covers none of ia-5's distribution, revocation, or protection requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength and initial content rules but never mandates a documented context-specific banned-word list, while the ASVS item addresses only that single narrow practice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires strength of mechanism and procedures but omits multi-pathway documentation and explicit consistency enforcement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not mandate specific password lengths, while ASVS addresses only one narrow aspect of the broad IA-5 control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses event-driven authenticator changes (including compromise) and neither mandates nor prohibits periodic rotation as such; its refresh clause leaves the time period as an organization-defined parameter, so an organization that selects a fixed interval would conflict with the ASVS rule. ASVS touches only one narrow facet of the broad IA-5 control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not address context-specific password dictionaries; ASVS addresses only one narrow slice of IA-5."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5's 'sufficient strength' clause loosely touches password checks while ASVS addresses only one narrow practice inside a broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5 requires procedures for changing authenticators but does not mandate user self-service password change; ASVS covers only that single narrow capability."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator changes at a high level but does not mandate verifying the current password during a change; ASVS addresses only that single narrow check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not mandate a top-3000 password dictionary check, while the ASVS item addresses only one narrow slice of the broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5's high-level protection of authenticator content touches password secrecy only indirectly, while the ASVS item is a narrow UI implementation detail absent from the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.9",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS line is a narrow slice of NIST's broad 'sufficient strength' authenticator clause; that clause states no length, so the 64-character minimum is not verifiable from IA-5 alone and relies on the IA-5(1) enhancement's support for long passwords and passphrases."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength and lifecycle but omits explicit brute-force/credential-stuffing controls required by ASVS V6.3.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses default authenticators via one clause while ASVS focuses narrowly on disabling default accounts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses authenticator strength and protection but omits explicit MFA mandates and L3 hardware/phishing controls, while ASVS covers only a narrow slice of the broader NIST management lifecycle."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength but omits multiple-pathway consistency and undocumented paths; ASVS V6.3.4 covers none of IA-5's distribution, revocation, or protection requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not specifically prohibit email, while the narrow ASVS rule addresses none of IA-5's broad management activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses establishing initial authenticator content and changing default authenticators before first use, which is the area ASVS V6.4.1 governs, but it does not state the short-expiration and non-permanence rules ASVS requires for initial secrets; those still have to be verified separately."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires procedures for lost authenticators (including identity checks) but omits the explicit same-level proofing mandate; ASVS addresses only that narrow sliver of IA-5."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires refreshing authenticators and related procedures but omits renewal notifications and timing reminders; ASVS addresses only that narrow procedural sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator procedures and protection from disclosure, which only loosely touches the narrow admin-reset rule in ASVS V6.4.6."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires protection of authenticator content and sufficient strength but does not specify salted hashing for low-entropy lookup secrets; ASVS addresses only one narrow storage detail."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST's generic 'sufficient strength' clause touches the entropy topic but is far broader and less specific than the 20-bit lookup/OOB rule."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator refresh but lacks the ASVS-specific OOB/TOTP lifetime limits; ASVS covers only that narrow sliver of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength and management but contains no biometric-specific secondary-factor rule, while the narrow ASVS item addresses none of IA-5's distribution, revocation, or protection elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength in general but omits phone-number validation, user risk disclosure, and the L3 prohibition on PSTN/SMS OTPs."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 covers broad authenticator procedures but does not address OOB binding to a specific request."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.6.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength/protection but omits explicit rate limiting for OOB codes, while ASVS touches only the strength clause of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.7.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.7.1 is a narrow slice (certificate storage for assertion verification) of the broad IA-5 authenticator-protection requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.7.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST's generic 'sufficient strength' clause touches nonce requirements only at a high level while ASVS specifies an exact 64-bit unique challenge nonce."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 touches authenticator integrity at a high level but does not require signature validation on assertions; ASVS addresses only one narrow technical check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator lifecycle controls that can indirectly touch token strength but never specifies SAML-unique processing or replay prevention."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength for intended use but omits IdP claim validation or fallback logic required by ASVS V6.8.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator lifecycle and re-issuance events that can indirectly support re-authentication triggers, but omits federated session documentation, lifetime coordination, and SSO termination requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires periodic refresh and strength for authenticators but does not address session-specific dynamic tokens versus static API secrets."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5 addresses authenticator revocation procedures but does not mention session termination; ASVS covers only one narrow operational detail unrelated to the bulk of ia-5."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V7.6.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator lifecycle/refresh events that can indirectly support re-auth triggers, but ASVS V7.6.1 focuses narrowly on documented RP-IdP session lifetimes and termination behavior outside IA-5 scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST mentions protecting authenticator content from modification but does not address token signature/MAC validation; ASVS requirement is a narrow technical check outside NIST's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not address token algorithm allow-lists or 'None' algorithm prohibition, while ASVS V9.1.2 is a narrow slice that covers almost none of IA-5's broad management requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.1.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 broadly addresses establishing and protecting trusted authenticator content but does not specifically require allow-list validation of token signature sources such as JWT jku/x5u headers."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator lifecycle procedures but does not mandate runtime token time-span validation such as nbf/exp checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5 addresses broad authenticator management including intended-use strength but does not require token-type/purpose validation on receipt; ASVS V9.2.2 is a narrow slice that touches none of ia-5's procedural or lifecycle elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator lifecycle/strength but does not specify audience validation; ASVS V9.2.3 is one narrow technical check among IA-5's many controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST's 'expected' passwords list partially overlaps the ASVS context-specific requirement, while ASVS covers only one narrow slice of the multi-part NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST allows long passwords and parameterized complexity rules but does not mandate the specific 8/15-character minimum, while ASVS addresses only length and omits all other IA-5(1) elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses compromised-password list checks but is silent on forbidding periodic rotation, while ASVS covers only that narrow rotation rule."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5(1) directly requires a list check against expected/common passwords, covering the ASVS context-specific list requirement except for the narrow 'documented context-specific' wording; ASVS addresses only one sub-part of the multi-clause NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5.1 explicitly requires the exact ASVS check against compromised passwords (plus many unrelated password rules)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5.1 directly requires checking new/updated passwords against a maintained list of common/compromised passwords, covering the core ASVS check but omitting the explicit top-3000 size and policy-matching detail while also containing many unrelated password controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST explicitly allows all printable characters (fulfilling ASVS) while its remaining seven sub-requirements are untouched by the narrow ASVS line."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.2.9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5(1) explicitly requires allowing user selection of long passwords and passphrases, which is the intent behind the ASVS 64-character rule, but it sets no numeric minimum, so the 64-character figure must be verified separately; the ASVS item addresses only one narrow clause among many NIST requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5.1 touches forced change on recovery but omits random generation, short expiry, and non-reuse of initial secrets."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.5.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires salted KDF storage (one bullet) while ASVS adds entropy threshold, 32-bit salt, and lookup-secret scope; each therefore covers only a slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5.2 details PKI/public-key implementation steps but does not require or enforce MFA, while ASVS V6.3.3 focuses on MFA mandates without addressing certificate path validation or revocation caching."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.3.8",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST broadly requires obscuring auth feedback but omits timing channels and non-auth flows that ASVS explicitly demands."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.7.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS nonce length/uniqueness is treated here as one narrow technical detail inside NIST IA-7; note that IA-7 concerns authentication to a cryptographic module under applicable standards (e.g., FIPS 140 operator authentication), not the application's verification of cryptographic authenticators, so this coverage rests on an expansive reading of IA-7's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-8 requires unique identification of non-org users at a high level; ASVS V6.8.1 adds a narrow multi-IdP namespace rule that IA-8 neither mandates nor precludes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-8 requires non-org user authentication at a high level that can encompass SAML assertion handling, while the ASVS item is only one narrow technical control within that scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V10.5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 addresses broad service identification while ASVS V10.5.2 is narrowly scoped to user 'sub' claim uniqueness in ID tokens."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9's broad unique-ID mandate touches the namespace principle but ignores multi-IdP user spoofing; ASVS is a narrow user-identity rule that covers none of the service-auth control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V6.8.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 addresses broad service identification/authentication but contains no SAML or replay-specific requirements, while the ASVS item is a narrow slice of authentication mechanisms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 provides a broad service authentication mandate that only loosely touches token-type validation, while ASVS V9.2.2 is a narrow, token-specific check that addresses almost none of IA-9."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 requires generic service authentication while ASVS V9.2.3 demands a single, narrow JWT audience check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-1 supplies only a high-level media-protection policy umbrella that may reference classification, while ASVS V14.1.1 demands concrete application-level data identification and protection-level assignment."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-1 supplies a media-protection policy framework that only loosely overlaps the ASVS demand for documented sensitive-data controls, while the narrow ASVS line item addresses almost none of MP-1\u2019s broad policy, roles, and review requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "MP-1 only requires a high-level media-protection policy; ASVS V14.2.4 demands verification of concrete technical controls (encryption, logging ACLs, privacy tech) that the policy control does not itself enforce."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-1 only mandates a high-level media-protection policy document; ASVS V14.2.7 demands concrete classification plus automated/scheduled deletion mechanisms that the policy control alone does not enforce."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-2 addresses only media-access restriction, covering one narrow slice of ASVS V14.2.4's access-control mention while ignoring encryption, retention, logging rules, and privacy controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-4 addresses secure storage and eventual sanitization/destruction but omits retention classification and automated deletion schedules required by ASVS."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires app-level identification and classification of sensitive data (incl. encoded forms); NIST MP-6 only consumes existing classification to set sanitization strength."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-6 addresses only the narrow sanitization/disposal aspect of retention while ASVS V14.1.2 requires broad documented protection requirements across encryption, logging, access, privacy, etc."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-6 addresses only the retention/disposal sliver via media sanitization while ASVS V14.2.4 spans encryption, logging, access, privacy and integrity controls unrelated to sanitization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST covers classified sanitization on disposal but omits retention schedules; ASVS addresses neither media-specific methods nor sanitization strength."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-8 presupposes classification exists but only addresses media downgrading mechanics, while ASVS V14.1.1 focuses on application data identification/classification including encoded forms."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires retention classification plus scheduled deletion; MP-8 addresses only classification-driven media downgrading processes."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "mp-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-8 addresses removal of sensitive data during media classification downgrade but does not target user-uploaded file metadata or consent checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-1 only mandates generic acquisition policy existence; it does not require the specific risk-based remediation timeframes for third-party vulnerabilities demanded by ASVS V15.1.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-1 only requires high-level acquisition policy existence while ASVS demands a concrete SBOM inventory practice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-10 addresses broad developer change control and flaw tracking but does not require SBOM-style inventories or trusted-repository verification for third-party libraries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-10's flaw-tracking clause touches remediation tracking but omits component-specific update time-frame enforcement required by ASVS V15.2.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-10's change-control process can indirectly limit extraneous code but does not specifically require removal of test/dev functionality from production."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires a general flaw remediation process but does not mandate documented risk-based time frames for third-party components; ASVS addresses only one narrow slice of SA-11."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST mentions a flaw remediation process but does not address verifying component update time frames; ASVS covers none of the broader developer testing and assessment activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-11 requires broad developer testing that could incidentally include type-safety checks, while the narrow ASVS line item addresses none of SA-11's assessment, evidence, or remediation activities."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-11 broadly mandates developer security testing and flaw remediation that could incidentally include prototype-pollution checks, while the single ASVS item addresses none of SA-11's process or evidence requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-11 mandates a general developer testing program that could encompass HTTP parameter pollution checks but does not require them; the single ASVS test case addresses none of SA-11's process requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.1.1 is a narrow slice (risk-based third-party remediation timeframes) of the broad documented dev-process requirements in SA-15."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process and tool standards but does not mandate SBOM-style third-party inventories, while ASVS V15.1.2 addresses only that narrow inventory practice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 broadly requires a documented dev process addressing security requirements (availability could be one) while ASVS V15.1.3 is a narrow documentation check on resource-intensive functions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process covering standards/tools but does not specifically mandate highlighting risky third-party libraries in application docs."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 broadly requires documented dev processes addressing security but does not specifically mandate application docs highlighting dangerous functionality."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security needs that could encompass component update time frames, while the narrow ASVS check covers none of the broad NIST process requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing generic security requirements; ASVS V15.2.2 is a narrow runtime availability control that may be referenced inside such a process but is not addressed by it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security but does not specifically mandate removal of extraneous/test code from production."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing security but does not mandate dependency-repository verification, while the narrow ASVS item addresses none of SA-15's process/tool/configuration elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security requirements but does not mandate or verify specific runtime isolation controls for risky components."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing generic security requirements while ASVS V15.3.1 is a narrow runtime data-field exposure rule that such a process might optionally include."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-15's generic dev-process/tool-config mandate can indirectly touch redirect settings but the narrow ASVS check covers none of SA-15's process documentation and review scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.3 is a narrow, code-level check against mass assignment; SA-15 only broadly requires a documented dev process that addresses security requirements in general."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires only a generic documented dev process addressing security requirements; the specific proxy IP-handling rule is neither mandated nor detailed by that process control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.5 is a narrow code-level type-safety check while SA-15 only requires a generic documented development process addressing security requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing security requirements; the narrow JS prototype-pollution check may be included but is not ensured."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security requirements (broadly covering the ASVS item) while the narrow ASVS check addresses none of SA-15's process, standards, or tooling mandates."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires only a high-level documented dev process addressing security, which may incidentally touch thread-safety practices but does not verify the specific concurrency controls demanded by ASVS V15.4.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing security but does not mandate TOCTOU/atomic checks, while the narrow ASVS item addresses none of SA-15's process/tool/configuration scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 broadly requires documented dev standards that could encompass concurrency/locking rules, while ASVS V15.4.3 is a narrow code-level check unrelated to the overall process mandate."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15's generic dev-process mandate could incidentally touch resource policies but does not require the specific thread-starvation control; the narrow ASVS check covers none of SA-15's broad process, standards, and tooling requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 mandates broad developer security architecture docs while ASVS V15.1.3 targets only narrow resource-exhaustion availability documentation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires broad architecture documentation that may incidentally reference components but does not address highlighting risky third-party libraries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires broad security architecture documentation that may incidentally address dangerous functionality, while ASVS V15.1.5 is a narrow verification of one documentation practice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires broad architecture documentation that may reference availability strategies; ASVS demands concrete verification of resource-exhaustion defenses, which the NIST control does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-17 requires describing required functionality in architecture docs, touching the 'only required code' idea but not production verification or removal of test/dev artifacts."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires only high-level architecture documentation while ASVS V15.2.5 demands concrete runtime isolation controls for risky components."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.1 is a narrow runtime data-minimization check that SA-17's high-level design-spec requirement may indirectly reference but does not enforce."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.5 is a narrow code-level type-safety check while SA-17 only requires high-level design documentation that might mention such practices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires high-level design architecture documentation that could mention parameter-handling defenses but does not mandate or verify the specific control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-22",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-22 addresses replacement of unsupported components but omits any documentation or risk-based remediation timelines for vulnerable libraries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-22",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-22 focuses on replacing unsupported components without mandating SBOMs or trusted repositories, while ASVS V15.1.2 does not address end-of-support replacement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-22",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses end-of-support replacement for system components while ASVS focuses on app-specific update time-frame verification, yielding only partial overlap in one direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-23",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-23's broad trustworthiness-via-specialization language touches only the 'trusted sources' aspect of the SBOM requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-24 touches risk-management processes but does not address third-party component remediation timeframes or library updates."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.2.4 is a narrow supply-chain verification step; SA-24's high-level resiliency design could encompass related techniques but does not address it specifically."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-24 broadly requires resiliency techniques including isolation; ASVS V15.2.5 is one narrow application-level instance of such techniques."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3's general SDLC risk integration touches component risk handling only at a high level while the ASVS item is a narrow documentation requirement outside SA-3's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.1.3 is a narrow documentation requirement for resource-intensive functions that can be viewed as one possible output of broad SDLC security/risk activities, while SA-3 addresses the entire lifecycle process, roles, and risk integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-3's broad SDLC security mandate can indirectly touch documentation practices but does not address the specific ASVS check for highlighting dangerous functionality."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3's broad SDLC mandate can indirectly touch deployment hygiene but does not address extraneous production functionality; ASVS V15.2.3 is a single narrow check that covers none of the NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3 provides only a high-level SDLC mandate that could encompass supply-chain controls, while ASVS V15.2.4 addresses one narrow dependency-integrity check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3 addresses high-level SDLC process and risk management; ASVS V15.2.5 requires specific runtime isolation for risky components."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3's broad SDLC process may indirectly encompass secure-coding practices that address mass assignment, while the narrow ASVS check covers none of SA-3's organizational lifecycle elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.5 is a narrow code-level type-safety check that forms one sliver of the broad SDLC security activities described by SA-3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-3 mandates a security-aware SDLC process that may indirectly encompass specific app defenses, while V15.3.7 addresses only one narrow technical check unrelated to SDLC roles or risk integration."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.4.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.4.1 is a narrow concurrency requirement while SA-3 is a broad SDLC process control that can encompass it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4 touches supply-chain and documentation requirements in contracts but does not mandate risk-based remediation time frames for vulnerable libraries; ASVS addresses only that narrow documentation practice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-4 requires security documentation in contracts at a high level but does not address the specific resource/time-out functionality described in V15.1.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4's broad acquisition documentation and supply-chain clauses can indirectly touch risky-component disclosure but do not specifically require application-level highlighting of third-party libraries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4 broadly requires security documentation in acquisitions but does not specifically mandate highlighting dangerous functionality, while the narrow ASVS item covers none of the wide-ranging SA-4 elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4 mentions dev environment description in contracts but does not address production-only functionality; ASVS covers none of the acquisition requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-4 broadly mandates security requirements in acquisition contracts but does not address application-level sandboxing or risky-component isolation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-4 enables inclusion of security requirements in contracts that could encompass type-safety checks, but the ASVS item addresses none of SA-4's acquisition-process scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 requires broad vulnerability-related administrator documentation but omits risk-based remediation time frames; ASVS addresses only that narrow sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 broadly requires admin/user documentation on secure operation and security functions but does not mandate the specific resource/time-intensive functionality content required by ASVS V15.1.3."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 requires broad documentation of known vulnerabilities but does not specifically call out highlighting risky third-party libraries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.1.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 broadly requires admin/user docs on vulnerabilities and privileged functions, touching the narrow ASVS demand for highlighting dangerous functionality only incidentally."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V15.3.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.4 is one narrow technical sliver potentially implied by the broad SA-8 engineering principles."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 mandates only generic policy/procedure governance while ASVS V11.1.1 demands a specific key-management policy aligned to 800-57."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 supplies only a generic policy framework that might reference crypto practices, while the ASVS item demands a concrete inventory plus PQC migration plan that SC-1 does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 requires only high-level policy/procedures for protection controls and does not address the specific crypto-agility design mandate in ASVS V11.2.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only requires a high-level protection policy document that could mention crypto, while ASVS V11.6.1 demands concrete technical verification of approved algorithms and key generation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only requires generic policy/procedure documents for the broad communications-protection domain; it neither mandates nor verifies the specific TLS requirement in ASVS V12.3.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1's high-level policy mandate touches regulatory consistency but does not perform application data identification or classification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 supplies only a generic policy framework while ASVS V14.1.2 demands a detailed, data-specific protection-requirements document; the broad policy fully encompasses that narrow documentation need."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only mandates existence of broad policy/procedures; it neither specifies nor verifies the concrete sensitive-data controls listed in V14.2.4."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only ensures that a high-level policy exists; it mandates neither DTLS-specific key handling nor verification steps."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.1.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V3.1.1 is one narrow documentation item inside the broad policy/procedure mandate of SC-1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 requires only the existence of a high-level policy document; any HSTS preload mandate would be an optional detail inside it, while ASVS V3.7.4 is a single technical verification that touches none of the policy-management elements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 only mandates high-level policy/procedure documents for broad communications protection; ASVS V4.2.1 is a narrow technical verification that such a policy might reference but does not itself enforce."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands explicit mTLS client-certificate trust validation; SC-11 only requires a generic trusted path for authentication and does not address certificate validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses a trusted path only for authentication functions while ASVS V12.2.1 requires TLS for all HTTP traffic without fallback."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses a broad trusted path for auth but does not require or verify publicly trusted TLS certificates on external services."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses only an isolated user-to-auth path while ASVS V12.3.1 requires TLS on every connection type with no fallbacks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses a broad trusted path concept but does not specify or require HSTS preload."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 broadly requires key establishment/management per defined requirements (often 800-57), covering ASVS policy/lifecycle intent but not its explicit documentation or oversharing checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses broad key establishment/management but does not require an inventory of algorithms, certificates, or usage/data-type documentation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses only the key-replacement/re-encryption aspect of ASVS V11.2.2 while omitting algorithm agility; conversely ASVS covers only a narrow slice of broader key-establishment requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses broad key-management processes that may reference strength but does not mandate 128-bit primitive security; ASVS covers only that narrow strength check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-12 addresses general crypto key lifecycle; ASVS V11.4.2 is a narrow, password-specific KDF rule that SC-12 only incidentally touches."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.4",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies one narrow KDF/stretching practice while SC-12 is a broad key-management control that encompasses derivation methods."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.5.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-12 addresses only cryptographic key management while ASVS V11.5.1 requires a CSPRNG and 128-bit entropy for any non-guessable values, so coverage is one-way and incomplete."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses broad key management but omits algorithm approval and digital-signature rules required by ASVS V11.6.1; ASVS covers only a narrow slice of key-establishment requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 broadly requires approved key-establishment methods and parameters, covering the ASVS crypto-specific check while ASVS addresses only one narrow slice of overall key management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies TLS cipher-suite selection and forward secrecy; SC-12 addresses only key-establishment policy and does not govern algorithm or configuration choices."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 supplies key-management prerequisites for the PKI in ASVS V12.3.5 but omits endpoint authentication, replay resistance, and service-mesh guidance, while ASVS addresses none of the broader key-establishment requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 covers only key management, a narrow slice of ASVS V14.1.2's broad documentation requirements for encryption and other data protections."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS narrowly targets DTLS cert key protection per policy; NIST broadly requires crypto key management per requirements, so the specific is one sliver of the general control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 supplies a generic key-management framework that only loosely touches the narrow DTLS-SRTP cipher-suite and protection-profile verification demanded by ASVS V17.2.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12.2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses only symmetric-key production/control for one slice of key handling; ASVS requires a broad, maintained inventory covering algorithms, certificates, usage restrictions and data types."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 requires determining and implementing crypto types but says nothing about inventories; ASVS V11.1.2 only inventories existing items and does not address selection or implementation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires validated libraries/hardware for crypto ops; SC-13 only mandates determining and applying crypto types without addressing implementation validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 mandates selection and use of specific crypto algorithms but does not require reconfigurability or PQC agility; ASVS V11.2.2 addresses only the narrow agility slice of crypto implementation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 requires org-defined crypto types but does not mandate 128-bit security strength or key-size rules."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 is a high-level requirement to select and use cryptography, offering only indirect and incomplete coverage of the narrow ASVS prohibition on specific weak modes/padding."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 requires selection and use of appropriate cryptography for defined purposes and therefore encompasses approved hash functions, while ASVS V11.4.1 addresses only the narrow hash-function subset of that broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.4.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 broadly mandates crypto implementation but does not specify hash functions or bit lengths for signatures."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 broadly requires determining and implementing required cryptography types, which encompasses the narrower ASVS mandate for approved algorithms, modes, and secure key generation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS narrowly requires verified key-exchange algorithms and parameters; SC-13 broadly mandates crypto types for any use and therefore fully subsumes that sliver while the reverse is only partial."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 addresses only cryptographic implementation while ASVS V14.1.2 requires documented requirements across encryption plus retention, logging, privacy, and access controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 addresses only the encryption subset of the broad ASVS data-protection verification scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-13",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 is a broad crypto mandate that can include DTLS-SRTP when parameters specify it, while the ASVS item is one narrow slice of such controls."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-14 provides a high-level public-access policy umbrella that could loosely encompass TURN IP filtering, while the narrow ASVS check addresses none of the control's broader scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-14 provides a high-level public-access umbrella that can encompass CORS rules but does not mandate the specific allow-list or '*' handling required by ASVS V3.4.2; the narrow CORS check addresses only a tiny slice of the broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-14",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-14 is a broad public-access control that can encompass referrer-policy settings as one data-leakage safeguard, while the narrow ASVS line is only one sliver of that control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 addresses only PKI certificate issuance and trust-anchor management, a narrow slice of the broad cryptographic inventory required by ASVS V11.1.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.6.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 addresses only approved PKI providers and trust anchors (a narrow slice of signature/key handling), while ASVS V11.6.1 requires broad verification of crypto algorithms, modes, seeding and key strength across all uses."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST trust-anchor rule enables validation but does not require app-level mTLS client-certificate checks; the ASVS line is too narrow to address PKI issuance or store management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 enforces approved/trusted PKI sources and anchors that satisfy the ASVS TLS requirement while covering far broader certificate issuance and store management."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ensures approved trust anchors exist but does not require TLS clients to perform certificate validation; ASVS addresses only that narrow client behavior."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST trust-anchor rule directly satisfies the ASVS internal-service certificate constraint, yet ASVS addresses only one narrow slice of the full PKI issuance and store-management control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 supplies PKI issuance and trust-anchor rules that enable but do not address ASVS's intra-service TLS client-auth and replay-resistance requirements."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-18",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-18 broadly governs mobile code definition/control (covering the listed insecure client-side tech) while ASVS V3.7.1 is a narrow verification slice of that scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-19",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-19 is a high-level placeholder with no technical requirements, so it covers none of the specific DTLS/SDP check while the ASVS item addresses only one narrow VoIP authenticity aspect."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-23",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V14.2.1 is one narrow practice that supports session-token protection; SC-23 is the broad control that encompasses it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-23",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.8",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V17.2.8 is one narrow media-stream technique inside the broad NIST SC-23 requirement for session authenticity."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-23",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.3.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V3.3.4 is one narrow technical measure (HttpOnly + Set-Cookie) inside the broad NIST SC-23 goal of protecting session authenticity."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-24",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-24 addresses generic known-state failure but does not target cryptographic error handling or attacks such as padding oracles."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-25",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.7.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both touch data minimization but ASVS adds processing exposure and immediate encryption while NIST targets minimal node functionality/storage."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-31",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.2.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-31 requires system-level covert-channel identification/estimation while ASVS V11.2.4 demands a narrow, code-level constant-time check; the control therefore supplies no coverage of the ASVS item and the ASVS item addresses only one possible covert-channel type."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-32",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-32 broadly requires domain separation that can encompass hostname partitioning, while ASVS V3.5.4 is a narrow web-specific slice of that concept."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-35",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.6.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-35 provides broad detection of malicious external resources that can indirectly support integrity goals but does not address SRI, versioning, or the specific ASVS verification."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-35",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.7.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST malicious-site detection can indirectly inform an allowlist but does not implement or verify redirect controls; ASVS covers none of the NIST capability."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-36",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST distribution can indirectly aid flood resilience but omits rate limiting; ASVS addresses only signaling-level rate limiting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V11.7.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-4 addresses general shared-resource leakage via isolation/sanitization but does not require or imply memory encryption for data-in-use."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-43",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-43 provides a generic hook for usage rules that could include TLS versions but does not mandate or verify them; ASVS V12.1.1 addresses only one narrow technical setting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-43",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-43 allows broad usage restrictions on components but does not address sensitive-data caching or purging."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-45",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V9.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-45 supplies accurate time as a prerequisite but does not implement token claim checks, while ASVS V9.2.1 addresses only the validation logic and says nothing about clock synchronization."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-46",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-46 provides a broad cross-domain enforcement hook that could subsume origin validation but supplies none of the concrete CSRF mechanisms required by ASVS V3.5.1."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-46",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-46 provides a broad cross-domain enforcement hook that could loosely encompass CORS policy checks, while the narrow ASVS preflight test addresses none of the control's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-5",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.3.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V17.3.2 is a narrow, app-level input-validation check for one server type while SC-5 is a broad, parameterized DoS-protection control that can encompass it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad SC-6 resource allocation can indirectly support TURN exhaustion resistance but does not address the specific verification; the narrow TURN check covers none of the general NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.2.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 addresses broad boundary/interface controls but does not specify TLS or encryption, so it only partially touches the narrow ASVS TLS mandate while ASVS addresses none of the NIST control's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 addresses managed boundary interfaces but contains no encryption or TLS mandate, while ASVS V12.3.1 is limited to requiring TLS on all connections."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 addresses control at key internal interfaces but does not require transport encryption, while ASVS V12.3.3 is only one narrow technical measure within boundary protection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 addresses interface monitoring and boundary controls that can indirectly support internal auth but omits PKI/client cert/replay specifics; ASVS V12.3.5 is a narrow sliver unrelated to subnetworks or external boundaries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 network boundary controls can incidentally limit some external data flows but do not address application-level decisions about sending sensitive data to trackers."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V17.1.1 is a narrow TURN-specific IP allow-list check while SC-7 is a broad boundary-protection control that can only incidentally support such a check."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides generic network-boundary monitoring that may incidentally limit RTP traffic but does not mandate SRTP authentication checks inside a media server."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 boundary controls may indirectly limit external floods but do not address media-server SRTP resilience from legitimate users."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.2.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides perimeter traffic controls that may incidentally limit some SRTP floods, but does not address media-server recording resilience; the ASVS requirement addresses none of SC-7's boundary architecture scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V17.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides broad network boundary controls that may incidentally limit some floods but does not address signaling-server rate limiting."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 provides network boundary controls that could incidentally enforce HTTP method rules via WAFs, but ASVS V3.5.3 is a narrow app-level check unrelated to the broad scope of SC-7."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides network-boundary controls that could incidentally support method filtering via L7 devices but does not address the specific ASVS requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 provides broad boundary-device requirements that could incidentally include HTTP-boundary handling, while ASVS V4.2.1 is a narrow protocol-specific check that addresses almost none of SC-7's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7.4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V12.3.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7.4 requires protecting confidentiality/integrity over external interfaces but omits TLS mandates and fallback prohibitions, while ASVS addresses only that single protection aspect among NIST's broader policy, exception, and control-plane rules."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-7.4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V4.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7.4 requires protecting confidentiality/integrity of external traffic but does not address HTTP-to-HTTPS redirect behavior or endpoint distinctions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-8",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V14.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-8 addresses only transmission confidentiality/integrity, a narrow slice of ASVS V14.1.2's broad documentation mandate covering encryption, retention, logging, privacy, and more."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires only high-level integrity policy/procedures while ASVS V1.2.8 is a narrow technical verification; the policy may reference such checks but does not fulfill them."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V16.3.3 is a narrow app-logging rule that a generic integrity policy/procedure control could mention but does not mandate; SI-1 itself is untouched by the ASVS line."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires high-level integrity policies that could mention input validation but does not mandate the specific documentation rule; ASVS addresses only one narrow app-level item."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires high-level integrity policies that could encompass data-validation documentation, while the narrow ASVS item addresses none of the broad policy/procedure mandates."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 mandates high-level integrity policy/procedure documentation that could incidentally include business-logic limits, while ASVS V2.1.3 addresses only one narrow documentation expectation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.4.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires only high-level integrity policy documentation that may reference anti-automation, while ASVS demands concrete technical controls the policy alone does not deliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-1",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 mandates high-level integrity policy/procedure documentation that could incidentally include browser-feature expectations, while the narrow ASVS item addresses none of SI-1's scope, roles, reviews, or integrity topics."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires generic input validity checks while ASVS V1.1.1 demands a precise canonicalization/decoding-once-before-validation step that the control does not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies preventing OS command injection via parameterization/encoding; NIST SI-10 provides only generic input validation that may encompass it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.7",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 provides broad input validation that can address XPath injection but does not mandate parameterization, while the ASVS item is one narrow technique inside that control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 broadly requires input validation (covering allow-lists) while ASVS V1.2.8 adds specific LaTeX processor configuration outside pure input checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 provides only generic input validation while ASVS demands a specific HTML sanitization library; the narrow ASVS item is one concrete case of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.11",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS line is one narrow instance of input sanitization; broad NIST SI-10 validation can encompass it when parameterized but does not mandate mail-specific checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a generic input-validation control that only loosely touches sanitization while saying nothing about regex safety; the narrow ReDoS requirement therefore covers almost none of it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST input validation addresses only the sanitization clause of the ASVS rule while leaving the avoid-eval mandate untouched; ASVS itself is only one narrow instance of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10's generic validity check overlaps the ASVS sanitization rule only at a high level, while ASVS addresses just one narrow technique within the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.4",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow, SVG-specific sanitization rule while NIST SI-10 is a generic input-validation control that encompasses it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.5",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a broad input-validation control that fully encompasses the narrow ASVS sanitization rule, while ASVS covers only a sliver of general input validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.6",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V1.3.6 is a narrow, SSRF-specific validation rule while SI-10 is a broad input-validation control that can encompass it when parameters are defined accordingly."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.7",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 supplies a broad input-validation control that fully encompasses the specific template-injection case while the ASVS line only exercises one narrow slice of that control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 provides generic input validation that can address JNDI sanitization if parameterized but omits JNDI configuration; the ASVS requirement is a narrow, technology-specific slice."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.9",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS item is a narrow memcache-specific sanitization check while SI-10 is a broad input-validation control that subsumes it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a high-level generic input-validation control that can encompass overflow checks but does not mandate the sign/range techniques required by the narrow ASVS item."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a generic input-validation control that may encompass XXE prevention only incidentally, while the ASVS item is one narrow parser-configuration requirement inside that broad topic."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a broad generic input-validation control that may encompass deserialization checks only if explicitly parameterized, while the ASVS item is one narrow technical instance of such validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.5.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10's broad input-validation mandate encompasses the specific parser-consistency requirement, while the ASVS line addresses only one narrow facet of validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires performing input validation but does not address documentation of rules, while ASVS V2.1.1 only requires existence of such documentation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires generic input validity checks but omits the ASVS emphasis on documented logical/contextual consistency of combined items."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires input validation checks but omits business-logic documentation and per-user/global distinctions, while ASVS V2.1.3 addresses only that narrow documentation sliver."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a generic placeholder for validity checks while ASVS V2.2.1 adds explicit positive/allow-list and business-logic expectations that the control text does not mandate."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 mandates server-side input validation and therefore satisfies the core ASVS trusted-layer rule, yet omits the explicit client-side prohibition and is far broader in scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a broad input-validation control that can encompass the specific cross-field reasonableness checks required by ASVS V2.2.3, while the ASVS item addresses only one narrow aspect of validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V2.3.1 requires workflow sequencing enforcement; SI-10 only supplies generic input checks that can support step validation but do not address order or completeness."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.3.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 addresses generic input validity checks while ASVS V2.3.2 requires documented, application-specific business logic limits that exceed ordinary input validation."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-10.6",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.8",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10.6 broadly requires preventing untrusted data injections (encompassing JNDI) while ASVS V1.3.8 is a narrow, verifier-oriented slice that adds JNDI-specific config checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V1.1.2 requires broad output encoding/escaping; SI-11 only constrains error-message content and recipients."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-11 addresses only error-message content while ASVS V16.2.5 governs all sensitive-data logging decisions."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-11",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST covers the no-exposure intent but adds authorized-recipient scope absent from ASVS; ASVS is narrower and verifier-specific."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.1.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation is broader than encoding/escaping and does not mandate the ASVS technique."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15's broad output validation encompasses context-specific encoding as one possible technique, while the ASVS item is only a narrow technical slice of that control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.10",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 is a broad output-validation control that can encompass CSV escaping as one instance, while ASVS V1.2.10 is a narrow, prescriptive sliver of that topic."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 is a broad output-validation control that only partially addresses the narrow URL-encoding and safe-protocol rules in ASVS V1.2.2, while the ASVS rule is one specific instance fully inside that broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS names one narrow encoding technique for JS/JSON while NIST states a broad output-consistency requirement that subsumes it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation is tangentially related to command-output encoding but does not address parameterized OS calls or injection prevention."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation may incidentally catch bad HTML but does not address the ASVS input-sanitization requirement; the narrow ASVS item covers none of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation broadly overlaps mail-injection prevention but is not specific to input sanitization or SMTP/IMAP; ASVS covers only one narrow slice unrelated to general output filtering."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output filtering addresses only the output-sanitization aspect of the ASVS line while ASVS's input-focused sanitization rules do not address the NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets input sanitization of user-supplied template languages while NIST addresses general output validation, yielding no direct fulfillment in either direction."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.9",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS is a narrow memcache-specific sanitization check while NIST si-15 is a broad output-filtering control that can encompass it when parameterized."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output-consistency validation overlaps the consistency-checking concept but ignores the documentation requirement and is narrower in scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 implements output validation for content consistency; ASVS V2.1.3 only requires documenting business-logic limits and does not address the control's validation mechanism."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output-consistency checks can partially satisfy reasonableness rules when data combinations appear in output, but the ASVS item addresses general data-item validation unrelated to NIST's output-filtering scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation is broad enough to touch context correctness but does not address the specific browser rendering controls (CSP sandbox, Sec-Fetch, Content-Disposition) required by ASVS."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.2.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies one narrow output-encoding technique; the broad NIST output-filtering control encompasses it but is not limited to it."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 addresses generic output validation for content consistency; ASVS V3.4.3 requires a precise web-specific CSP header policy that is outside SI-15's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15's generic output validation can be read to include header-based content-type enforcement, but the single ASVS header check addresses only a minuscule slice of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.4.7",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST output-filtering control broadly encompasses CSP violation reporting as one validation mechanism."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V3.5.8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 addresses generic content-consistency validation; ASVS V3.5.8 requires specific cross-origin header enforcement that si-15 does not provide."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 addresses output validation but omits ASVS's documentation mandate for upload limits and malicious-file handling."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 is a broad output-validation control that can encompass the specific filename/Content-Disposition check, while the narrow ASVS rule only addresses one possible output-filtering scenario."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 provides a generic output-validation hook that may incidentally include filename sanitization, while ASVS V5.4.2 addresses only one narrow encoding case."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-15",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation may incidentally reduce malicious content served but does not address AV scanning of untrusted input files."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-16",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-16 addresses runtime memory protections against unauthorized execution; ASVS V1.4.1 requires specific secure-coding practices that are neither mandated nor verified by the control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-17",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V16.5.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-17's broad fail-safe mandate covers the specific ASVS graceful-failure rule when parameterized appropriately, while the narrow ASVS item addresses only one sliver of possible fail-safe scenarios."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-18",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-18 addresses PII accuracy checking but omits documentation of input-validation rules; ASVS V2.1.1 touches data validity only narrowly and does not address PII lifecycle operations."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.2.6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-2 addresses general flaw remediation processes while ASVS V1.2.6 requires verification of a specific input-validation control against LDAP injection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-3 addresses broad malware scanning/eradication at entry points while ASVS V1.3.1 requires a narrow, specific HTML sanitization library; the two overlap only loosely."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-3 addresses deployed AV/malware scanning at boundaries; ASVS V1.3.2 is a narrow secure-coding rule against eval/SpEL that si-3 neither requires nor verifies."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-3 focuses on malware scanning/detection while ASVS V5.3.1 requires a narrow web-server execution-prevention configuration for uploaded files."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.4.3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-3 explicitly requires real-time scans of external files, fulfilling the narrow ASVS scanner check while the ASVS item addresses only one sliver of the broad NIST control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.1.1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V5.1.1 requires specific upload documentation and malicious-file handling rules; SI-4's attack monitoring only incidentally touches detection behavior, leaving documentation and file-type controls unaddressed."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-4",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V5.3.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-4 is a broad detection/monitoring control that may observe path-traversal attempts but does not implement or enforce the preventive input sanitization required by ASVS V5.3.2."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-9 provides only a high-level organizational restriction on inputs while ASVS V1.3.11 demands a precise application-level sanitization control against mail injection."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 addresses broad organizational restrictions on input sources/methods while ASVS V1.3.3 requires specific technical sanitization and length checks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 provides only generic input restrictions that may incidentally limit template data; ASVS V1.3.7 addresses one narrow template-injection case that does not satisfy the broad control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.3.8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 provides a broad organizational policy on restricting allowed inputs, which only loosely overlaps the narrow ASVS JNDI sanitization requirement."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V1.4.2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 provides a broad policy-level restriction on inputs that may incidentally support range checks, while ASVS V1.4.2 demands specific code-level validation against integer overflows."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-9",
      "target_framework": "OWASP_ASVS_5.0",
      "target_id": "V2.2.2",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V2.2.2 is a narrow app-design rule for trusted-layer validation; SI-9 is a broad org-level input-restriction control that encompasses it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires generic input validity checks while ASVS V1.1.1 demands a precise canonicalization/decoding-once-before-validation step that the control does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V1.1.2 requires broad output encoding/escaping; SI-11 only constrains error-message content and recipients."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation is broader than encoding/escaping and does not mandate the ASVS technique."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15's broad output validation encompasses context-specific encoding as one possible technique, while the ASVS item is only a narrow technical slice of that control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 is a broad output-validation control that can encompass CSV escaping as one instance, while ASVS V1.2.10 is a narrow, prescriptive sliver of that topic."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 is a broad output-validation control that only partially addresses the narrow URL-encoding and safe-protocol rules in ASVS V1.2.2, while the ASVS rule is one specific instance fully inside that broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS names one narrow encoding technique for JS/JSON while NIST states a broad output-consistency requirement that subsumes it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies prevention of OS command injection via parameterization/encoding; NIST si-10 provides only generic input validation that may encompass it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation is tangentially related to command-output encoding but does not address parameterized OS calls or injection prevention."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-2 addresses general flaw remediation processes while ASVS V1.2.6 requires verification of a specific input-validation control against LDAP injection."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 provides broad input validation that can address XPath injection but does not mandate parameterization, while the ASVS item is one narrow technique inside that control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires only high-level integrity policy/procedures while ASVS V1.2.8 is a narrow technical verification; the policy may reference such checks but does not fulfill them."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.2.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 broadly requires input validation (covering allow-lists) while ASVS V1.2.8 adds specific LaTeX processor configuration outside pure input checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 provides only generic input validation while ASVS demands a specific HTML sanitization library; the narrow ASVS item is one concrete case of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation may incidentally catch bad HTML but does not address the ASVS input-sanitization requirement; the narrow ASVS item covers none of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-3 addresses broad malware scanning/eradication at entry points while ASVS V1.3.1 requires a narrow, specific HTML sanitization library; the two overlap only loosely."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS line is one narrow instance of input sanitization; broad NIST SI-10 validation can encompass it when parameterized but does not mandate mail-specific checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation broadly overlaps mail-injection prevention but is not specific to input sanitization or SMTP/IMAP; ASVS covers only one narrow slice unrelated to general output filtering."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-9 provides only a high-level organizational restriction on inputs while ASVS V1.3.11 demands a precise application-level sanitization control against mail injection."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.12",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-10 is a generic input-validation control that only loosely touches sanitization while saying nothing about regex safety; the narrow ReDoS requirement therefore covers almost none of it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST input validation addresses only the sanitization clause of the ASVS rule while leaving the avoid-eval mandate untouched; ASVS itself is only one narrow instance of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-3 addresses deployed AV/malware scanning at boundaries; ASVS V1.3.2 is a narrow secure-coding rule against eval/SpEL that si-3 neither requires nor verifies."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10's generic validity check overlaps the ASVS sanitization rule only at a high level, while ASVS addresses just one narrow technique within the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output filtering addresses only the output-sanitization aspect of the ASVS line while ASVS's input-focused sanitization rules do not address the NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 addresses broad organizational restrictions on input sources/methods while ASVS V1.3.3 requires specific technical sanitization and length checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow, SVG-specific sanitization rule while NIST si-10 is a generic input-validation control that encompasses it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a broad input-validation control that fully encompasses the narrow ASVS sanitization rule, while ASVS covers only a sliver of general input validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets input sanitization of user-supplied template languages while NIST addresses general output validation, yielding no direct fulfillment in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V1.3.6 is a narrow, SSRF-specific validation rule while SI-10 is a broad input-validation control that can encompass it when parameters are defined accordingly."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 supplies a broad input-validation control that fully encompasses the specific template-injection case while the ASVS line only exercises one narrow slice of that control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 provides only generic input restrictions that may incidentally limit template data; ASVS V1.3.7 addresses one narrow template-injection case that does not satisfy the broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-10 provides generic input validation that can address JNDI sanitization if parameterized but omits JNDI configuration; the ASVS requirement is a narrow, technology-specific slice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10.6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-10.6 broadly requires preventing untrusted data injections (encompassing JNDI) while ASVS V1.3.8 is a narrow, verifier-oriented slice that adds JNDI-specific config checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 provides a broad organizational policy on restricting allowed inputs, which only loosely overlaps the narrow ASVS JNDI sanitization requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.9",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS item is a narrow memcache-specific sanitization check while SI-10 is a broad input-validation control that subsumes it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.3.9",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS is a narrow memcache-specific sanitization check while NIST si-15 is a broad output-filtering control that can encompass it when parameterized."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-16",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-16 addresses runtime memory protections against unauthorized execution; ASVS V1.4.1 requires specific secure-coding practices that are neither mandated nor verified by the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a high-level generic input-validation control that can encompass overflow checks but does not mandate the sign/range techniques required by the narrow ASVS item."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-9 provides a broad policy-level restriction on inputs that may incidentally support range checks, while ASVS V1.4.2 demands specific code-level validation against integer overflows."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a generic input-validation control that may encompass XXE prevention only incidentally, while the ASVS item is one narrow parser-configuration requirement inside that broad topic."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-10 is a broad generic input-validation control that may encompass deserialization checks only if explicitly parameterized, while the ASVS item is one narrow technical instance of such validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V1.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10's broad input-validation mandate encompasses the specific parser-consistency requirement, while the ASVS line addresses only one narrow facet of validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the general least-privilege principle while ASVS V10.1.1 is a narrow, token-specific instance of that principle."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength and protection but omits OAuth-specific session/transaction binding required by ASVS V10.1.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16's attribute framework can loosely encompass OAuth scopes as permitted attributes, but provides no OAuth-specific request verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-25's reference monitor provides a general tamperproof enforcement substrate that could host OAuth scope checks, but the control itself says nothing about OAuth or scopes, while the ASVS item is a narrow OAuth-client policy check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6's high-level least-privilege principle conceptually supports minimal OAuth scopes but does not address the specific verification requirement, while the narrow ASVS item covers none of the broad organizational control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 provides a broad attribute-management framework that could support audience claims but does not address token-specific audience validation on a resource server."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of auth servers but does not address audience validation of tokens; ASVS specifies one narrow implementation detail."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13.3 requires audience-restricted tokens as one of six token-management items, covering the ASVS audience check, while ASVS V10.3.1 addresses only that narrow enforcement sliver of the enhancement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 broadly requires attribute association/management that can encompass token claims, while ASVS V10.3.2 narrowly requires their use in resource-server authorization decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.3.2 addresses narrow OAuth token-claim enforcement on a resource server; AC-2 covers broad procedural account/privilege management that only incidentally touches access authorizations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.3 mandatory-access-control enforcement addresses general authorization constraints but does not address OAuth token claims or delegated resource-server decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of authorization servers for decisions but does not address resource-server enforcement of specific token claims such as scope or authorization_details."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 broadly addresses attribute association and management, which can encompass JWT iss/sub usage but does not mandate the specific anti-reassignment check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 ensures initial unique identity resolution but does not address token claim usage or runtime verification required by ASVS V10.3.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdP/auth-server usage for identity decisions but does not address JWT claim uniqueness; ASVS is a narrow implementation detail outside that scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 supplies the general unique-ID mandate but says nothing about JWT claims or token introspection; ASVS V10.3.3 is a narrow, token-specific sliver unrelated to the breadth of organizational user auth."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses identifier reuse prevention at a broad org level while ASVS V10.3.3 narrowly requires stable JWT claims for user identification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 broadly requires adaptive authentication under organization-defined conditions, while ASVS V10.3.4 narrowly specifies verification of token claims (acr/amr/auth_time); the control only loosely subsumes the requirement and does not address it explicitly, and the ASVS item covers none of IA-10's broader conditions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 provides only high-level IdP/auth-server usage; it does not address the specific token-claim verification (acr/amr/auth_time) required by ASVS V10.3.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength of mechanism but omits token-claim verification for methods/recentness; ASVS covers none of IA-5's management, distribution, or revocation requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.3 mandatory-access-control policy is a broad, abstract policy-enforcement control; ASVS sender-constrained token binding is a narrow, concrete OAuth mechanism that only loosely aligns with one aspect of it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength/protection that can partially encompass token anti-replay but omits any OAuth-specific sender-constraining mechanisms required by ASVS V10.3.5."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-17 broadly addresses remote-access authorization policy but does not specifically require OAuth confidential-client authentication for back-channel endpoints."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 provides a high-level least-privilege principle that only loosely relates to client authentication, while the narrow OAuth back-channel requirement covers none of the broad organizational control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 provides a general attribute-management framework that could loosely apply to OAuth scopes, but the ASVS item is a narrow OAuth-specific configuration check outside AC-16's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses broad account privileges while ASVS V10.4.11 is a narrow OAuth-scope configuration check with only tangential overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the broad least-privilege principle that directly encompasses the narrow OAuth-scope check, while the single ASVS line covers only one technical instance of that principle."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.12",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.4.12 is a narrow technical restriction on OAuth response_mode values; AC-6 states the general least-privilege principle that could motivate it but does not address or enforce this control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.14",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 is a broad mandate to employ auth servers; it does not require sender-constrained/PoP tokens, while the ASVS line is one narrow technical constraint on token issuance."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.15",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow OAuth-specific integrity check on authorization_details; AC-16 broadly addresses attribute association and change auditing but does not target this mechanism."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.15",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets a narrow OAuth parameter-integrity check while AC-25 is a general tamper-proof reference-monitor mandate; the two intersect only on the abstract notion of tamper resistance."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow cryptographic client-authN mechanism for OAuth clients; AC-2 only addresses generic account provisioning and authorization."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of authorization servers but does not mandate the specific public-key client-authentication methods; ASVS V10.4.16 is one narrow technical slice inside that broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.16",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires general user authentication but does not address OAuth confidential clients or mandate public-key/replay-resistant methods."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 requires policy-based decisions on access requests but does not mandate authorization-code single-use or revocation logic."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.4.2 is a narrow OAuth replay-prevention rule that is one sliver of the broad logical-access enforcement in AC-3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.4.2 specifies one-time authorization-code use plus revocation; NIST IA-13.3 broadly lists revocation and time-restriction among six token-management operations without requiring single-use codes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the broad least-privilege principle that directly motivates the ASVS grant restriction, yet supplies none of the OAuth-specific mechanics or disallowed-flow rules."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires only high-level use of authorization servers while ASVS V10.4.5 demands concrete refresh-token replay mitigations absent from the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies a narrow OAuth/PKCE check on token requests while AC-24 is a generic policy-decision control that only abstractly touches request-time enforcement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5's 'strength of mechanism' clause can loosely encompass PKCE enforcement, but the ASVS item addresses none of IA-5's distribution, revocation, or lifecycle procedures."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-14",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-14 addresses policy-level decisions on unauthenticated actions but supplies none of the concrete metadata-validation, consent, or warning controls required by ASVS V10.4.7."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 addresses generic access decisions; ASVS V10.4.7 is a narrow OAuth-specific registration control whose consent/warning elements only loosely map to it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only requires high-level IA policy documents that could mention dynamic registration risks, while ASVS V10.4.7 demands concrete technical mitigations absent from the policy control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator issuance/refresh/protection but does not specify absolute expiration for refresh tokens."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.9",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 account lifecycle actions can indirectly support token revocation but lack any token/UI specifics, while the narrow ASVS token-UI rule covers none of the broad AC-2 requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.4.9",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires broad use of authorization servers for access management but does not address token revocation UI."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of IdPs/authorization servers but does not address client-side nonce replay checks; the ASVS item is a narrow relying-party (RP) verification outside the control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses general identifier reuse prevention which only tangentially relates to nonce uniqueness, while ASVS V10.5.1 is a narrow OAuth-specific replay check absent from the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength and protection but does not specify nonce-based ID-token replay checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 provides general attribute association/auditing that could loosely support a unique user identifier but does not address ID-token claim verification or non-reassignment."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 supplies the broad unique-ID mandate while ASVS V10.5.2 adds only the narrow OIDC 'sub' claim check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST reuse-prevention clause supports the non-reassignment aspect but omits ID-token claim verification; ASVS covers only that narrow reuse sliver of broad identifier management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general identity verification during authenticator issuance but omits any ID-token claim mechanics, while the narrow ASVS line covers none of IA-5's distribution, revocation, or protection requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 addresses broad service identification while ASVS V10.5.2 is narrowly scoped to user 'sub' claim uniqueness in ID tokens."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 requires policy-based decisions on access requests and so subsumes the consent step in principle, yet supplies none of the explicit consent-prompting detail demanded by ASVS V10.7.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-25's reference monitor supplies reliable policy enforcement that could underpin consent checks, but the control does not address user-consent prompting itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 is a high-level requirement to employ authorization servers; ASVS V10.7.1 is a narrow consent-prompt rule that neither fully maps to nor is fully addressed by the broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-21",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V10.7.2 is a narrow UI/consent-prompt requirement for auth servers; AC-21 is a broad org-level control on information-sharing decisions that neither implements nor is implemented by that specific verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V10.7.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS consent review/revoke is a narrow slice of the broad account and access-authorization lifecycle in AC-2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 mandates only generic policy/procedure governance, while ASVS V11.1.1 demands a specific key-management policy aligned to NIST SP 800-57."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 broadly requires key establishment/management per defined requirements (often 800-57), covering ASVS policy/lifecycle intent but not its explicit documentation or oversharing checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses broad key establishment/management but does not require an inventory of algorithms, certificates, or usage/data-type documentation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12.2 addresses only symmetric-key production, control and distribution, one slice of key handling; ASVS V11.1.2 requires a broad, maintained inventory covering algorithms, certificates, usage restrictions and data types."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 requires determining and implementing crypto types but says nothing about inventories; ASVS V11.1.2 only inventories existing items and does not address selection or implementation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 addresses only PKI certificate issuance and trust-anchor management, a narrow slice of the broad cryptographic inventory required by ASVS V11.1.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 supplies only a generic policy framework that might reference crypto practices, while the ASVS item demands a concrete inventory plus PQC migration plan that SC-1 does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires validated libraries/hardware for crypto ops; SC-13 only mandates determining and applying crypto types without addressing implementation validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 requires only high-level policy/procedures for protection controls and does not address the specific crypto-agility design mandate in ASVS V11.2.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses only the key-replacement/re-encryption aspect of ASVS V11.2.2 while omitting algorithm agility; conversely ASVS covers only a narrow slice of broader key-establishment requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 mandates selection and use of specific crypto algorithms but does not require reconfigurability or PQC agility; ASVS V11.2.2 addresses only the narrow agility slice of crypto implementation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses broad key-management processes that may reference strength but does not mandate 128-bit primitive security; ASVS covers only that narrow strength check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 requires org-defined crypto types but does not mandate 128-bit security strength or key-size rules."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-31",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-31 requires system-level covert-channel identification/estimation while ASVS V11.2.4 demands a narrow, code-level constant-time check; the control therefore supplies no coverage of the ASVS item and the ASVS item addresses only one possible covert-channel type."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-24 addresses generic known-state failure but does not target cryptographic error handling or attacks such as padding oracles."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 is a high-level requirement to select and use cryptography, offering only indirect and incomplete coverage of the narrow ASVS prohibition on specific weak modes/padding."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 requires selection and use of appropriate cryptography for defined purposes and therefore encompasses approved hash functions, while ASVS V11.4.1 addresses only the narrow hash-function subset of that broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-12 addresses general crypto key lifecycle; ASVS V11.4.2 is a narrow, password-specific KDF rule that SC-12 only incidentally touches."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 broadly mandates crypto implementation but does not specify hash functions or bit lengths for signatures."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies one narrow KDF/stretching practice while SC-12 is a broad key-management control that encompasses derivation methods."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-12 addresses only cryptographic key management, while ASVS V11.5.1 requires a CSPRNG and 128 bits of entropy for any non-guessable values, so coverage is one-way and incomplete."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only requires a high-level protection policy document that could mention crypto, while ASVS V11.6.1 demands concrete technical verification of approved algorithms and key generation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 addresses broad key management but omits algorithm approval and digital-signature rules required by ASVS V11.6.1; ASVS covers only a narrow slice of key-establishment requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 broadly requires determining and implementing required cryptography types, which encompasses the narrower ASVS mandate for approved algorithms, modes, and secure key generation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 addresses only approved PKI providers and trust anchors (a narrow slice of signature/key handling), while ASVS V11.6.1 requires broad verification of crypto algorithms, modes, seeding and key strength across all uses."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 broadly requires approved key-establishment methods and parameters, covering the ASVS crypto-specific check while ASVS addresses only one narrow slice of overall key management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.6.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS narrowly requires verified key-exchange algorithms and parameters; SC-13 broadly mandates crypto types for any use and therefore fully subsumes that sliver while the reverse is only partial."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.7.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-4 addresses general shared-resource leakage via isolation/sanitization but does not require or imply memory encryption for data-in-use."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V11.7.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Both touch data minimization, but ASVS additionally addresses processing exposure and immediate encryption, while NIST targets minimal node functionality/storage."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-43",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-43 provides a generic hook for usage rules that could include TLS versions but does not mandate or verify them; ASVS V12.1.1 addresses only one narrow technical setting."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies TLS cipher-suite selection and forward secrecy; SC-12 addresses only key-establishment policy and does not govern algorithm or configuration choices."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands explicit mTLS client-certificate trust validation; SC-11 only requires a generic trusted path for authentication and does not address certificate validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST trust-anchor rule enables validation but does not require app-level mTLS client-certificate checks; the ASVS line is too narrow to address PKI issuance or store management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses a trusted path only for authentication functions while ASVS V12.2.1 requires TLS for all HTTP traffic without fallback."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 addresses broad boundary/interface controls but does not specify TLS or encryption, so it only partially touches the narrow ASVS TLS mandate while ASVS addresses none of the NIST control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses a broad trusted path for auth but does not require or verify publicly trusted TLS certificates on external services."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 enforces approved/trusted PKI sources and anchors that satisfy the ASVS TLS requirement while covering far broader certificate issuance and store management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only requires generic policy/procedure documents for the broad communications-protection domain; it neither mandates nor verifies the specific TLS requirement in ASVS V12.3.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses only an isolated user-to-auth path while ASVS V12.3.1 requires TLS on every connection type with no fallbacks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 addresses managed boundary interfaces but contains no encryption or TLS mandate, while ASVS V12.3.1 is limited to requiring TLS on all connections."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7.4 requires protecting confidentiality/integrity over external interfaces but omits TLS mandates or fallback prohibitions, while ASVS addresses only that single protection aspect among NIST's broader policy, exception, and control-plane rules."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 ensures that approved trust anchors exist but does not require TLS clients to perform certificate validation; ASVS addresses only that narrow client behavior."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 addresses control at key internal interfaces but does not require transport encryption, while ASVS V12.3.3 is only one narrow technical measure within boundary protection."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST trust-anchor rule directly satisfies the ASVS internal-service certificate constraint, yet ASVS addresses only one narrow slice of the full PKI issuance and store-management control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 supplies key-management prerequisites for the PKI in ASVS V12.3.5 but omits endpoint authentication, replay resistance, and service-mesh guidance, while ASVS addresses none of the broader key-establishment requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-17 supplies PKI issuance and trust-anchor rules that enable but do not address ASVS's intra-service TLS client-auth and replay-resistance requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V12.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 addresses interface monitoring and boundary controls that can indirectly support internal auth but omits PKI/client cert/replay specifics; ASVS V12.3.5 is a narrow sliver unrelated to subnetworks or external boundaries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 mandates only high-level org CM policy/procedures while ASVS V13.1.1 is a narrow, application-specific documentation check that is not addressed by the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST location/component documentation touches external services only incidentally while ASVS focuses on communication mapping; ASVS covers none of NIST's user-access or change-tracking elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 requires broad change documentation that may incidentally touch comms configs, while ASVS V13.1.1 is a narrow, application-specific mapping requirement outside CM-3's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands explicit documentation of all app communications; CM-7 only restricts functions/ports/protocols without any documentation requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST inventory may incidentally capture some external services as components but does not address documented communication needs or user-supplied external locations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 broadly requires a CM plan for config items but does not specifically mandate documenting application communication needs or external endpoints."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-2 requires generic baseline documentation; ASVS V13.1.2 demands very specific connection-limit and DoS-behavior content that may or may not be present in any given baseline."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 provides a general configuration-management umbrella that can encompass connection limits as one setting, but does not address the ASVS-specific DoS behavior, fallback, or per-service documentation requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a general CM plan for config items but does not mandate the specific connection-limit and DoS-behavior documentation called for by ASVS V13.1.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 addresses broad configuration documentation and monitoring, which can touch timeout settings but does not require the ASVS-specific resource-management strategies, release procedures, or retry algorithms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a broad configuration-management plan while ASVS V13.1.3 demands narrow, explicit resource-timeout/retry documentation for external services."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 supplies the org-level policy framework that can encompass secrets documentation and rotation, while ASVS V13.1.4 is only one narrow application-level instance of such a policy."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3's general change-control process can touch secret rotation as one controlled activity but does not require the specific secrets inventory and threat-based rotation schedule demanded by ASVS V13.1.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly covers config documentation and monitoring, which can encompass secrets as settings, but does not address secrets identification or rotation schedules."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 broadly requires a configuration management plan and definition of items but does not address secrets identification or rotation schedules."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST baseline configuration may document auth settings but does not mandate the specific backend authentication rules required by ASVS."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CM-2 requires documented baselines that could incidentally list privileged accounts, but does not address least-privilege verification for backend component communications."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly requires restrictive configuration settings that can encompass least-privilege accounts, while ASVS V13.2.2 narrowly verifies that specific practice for backend component communications."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CM-7 restricts system functions/services but does not address least-privilege accounts for backend component communications."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly mandates secure configuration settings that implicitly include non-default credentials, while the narrow ASVS check is only one specific instance of such a setting."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 defines a generic change-control process only; it neither requires nor verifies application-layer allowlists for external communications."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6's broad mandate for restrictive configuration settings can encompass allowlists but does not specifically require them, while the narrow ASVS allowlist rule addresses only a tiny fraction of CM-6."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.2.4 is one narrow allowlisting practice that could be placed under a broad CM plan but is never required by CM-9."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 only requires a generic CM policy document; it neither mandates nor verifies the specific server allowlist."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 supplies a generic configuration-management framework that can accommodate an allow-list but does not require or describe it; the single ASVS rule addresses only one narrow setting among CM-6's many organizational tasks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 supplies only high-level policy scaffolding while ASVS V13.2.6 demands concrete verification of service-connection settings."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-2 supplies a generic baseline-config process that may document connection settings but does not address the ASVS-specific verification of runtime connection behavior (timeouts, retries, max-parallel, etc.)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 supplies change-control documentation processes that can indirectly support the existence of connection configs, while the narrow ASVS verification item addresses none of the NIST change-control activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 supplies a broad configuration-management framework that can encompass connection settings, while ASVS V13.2.6 only addresses one narrow application-level verification sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-7 addresses broad service restriction but omits connection-specific behaviors like timeouts/retries; ASVS covers only one narrow aspect of functionality limits."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 ensures a high-level plan for documenting configuration items but does not address application-level verification of connection behavior or retry logic."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly addresses configuration management that can encompass secrets handling, yet does not mandate key vaults or source-code exclusion, while the narrow ASVS item sits fully inside that scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 addresses only the existence of a high-level configuration management plan that could incidentally reference secrets as config items, without requiring any secrets-management solution or controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-12 documents users with access to information locations but never requires or verifies least-privilege access to secrets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-5 addresses access restrictions only for system changes while ASVS V13.3.2 targets least-privilege access to secrets, yielding limited overlap in one direction and none in the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6's restrictive settings provide indirect support for least-privilege access but do not address verification of secret assets; ASVS V13.3.2 covers none of the broad configuration-management activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CM-6 provides a generic mechanism for enforcing configuration settings that could include HSM usage, but does not address the ASVS cryptographic isolation requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures that could mention secret rotation, while ASVS V13.3.4 is a narrow verification check that addresses none of the policy development or dissemination elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 provides a general change-control process that could encompass secret updates but does not require expiration or rotation of secrets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 broadly addresses configuration settings and monitoring but does not specifically require secret expiration/rotation, while the narrow ASVS item is one possible instance of such settings."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a broad configuration-management plan that could encompass secrets rotation as one process, while the narrow ASVS secrets-expiry check covers none of the plan's roles, scope, or approval elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.1 is one narrow deployment check while CM-6 is a broad configuration-settings control that can encompass it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.1 is a narrow deployment check that a CM plan could incidentally address as one config item, while CM-9's broad plan, roles, and approval requirements are untouched by the ASVS line."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures that could mention debug settings; ASVS V13.4.2 is a narrow technical verification unrelated to policy authorship."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-2 provides a broad baseline process that could encompass disabling debug modes but does not require it; ASVS V13.4.2 addresses only that single verification item."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3 defines a generic change-control process that can encompass debug settings only incidentally, while the ASVS item is a narrow production configuration check unrelated to the bulk of CM-3 activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets one specific config item (debug disabled) while NIST broadly governs all configuration settings management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 supplies a broad CM-plan framework that could encompass debug settings as one config item, while the narrow ASVS check addresses none of the plan's roles, lifecycle, or approval elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Directory listing is one narrow web-server setting under the broad CM-6 configuration control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires only a high-level CM plan and does not mandate the specific web-server directory-listing control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-6 provides a general configuration framework that can include disabling TRACE but does not specifically require it; the single ASVS item addresses only one narrow setting among many."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires only a high-level config-management plan; disabling TRACE is one possible config item that plan might address but is not mandated."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures; this may indirectly touch endpoint-exposure configuration but does not address the specific ASVS verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-3's change-control process can indirectly govern endpoint-exposure settings but does not address the specific verification of documentation/monitoring endpoints."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.5 is one narrow configuration/verification item inside the broad CM-6 control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9's protection of the CM plan from disclosure overlaps only narrowly with ASVS's specific check against unintended exposure of API docs and monitoring endpoints."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS names one narrow configuration practice while NIST CM-6 broadly governs all system configuration settings."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-1 requires only high-level CM policy/procedures that could encompass web-tier rules, while ASVS V13.4.7 is one narrow technical control unrelated to policy development."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.7 is one narrow web-tier setting that a baseline configuration can include, while CM-2 broadly encompasses all such settings."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V13.4.7 is one narrow web-server file-extension rule inside the broad CM-6 configuration-settings control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V13.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST CM-9 requires a high-level configuration-management plan that could encompass web-tier file-extension rules, while the narrow ASVS check addresses only one technical control and touches none of the plan's governance elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-1 supplies only a high-level media-protection policy umbrella that may reference classification, while ASVS V14.1.1 demands concrete application-level data identification and protection-level assignment."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires app-level identification and classification of sensitive data (incl. encoded forms); NIST MP-6 only consumes existing classification to set sanitization strength."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-8 presupposes classification exists but only addresses media downgrading mechanics, while ASVS V14.1.1 focuses on application data identification/classification including encoded forms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1's high-level policy mandate touches regulatory consistency but does not perform application data identification or classification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-1 supplies a media-protection policy framework that only loosely overlaps the ASVS demand for documented sensitive-data controls, while the narrow ASVS line item addresses almost none of MP-1's broad policy, roles, and review requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-6 addresses only the narrow sanitization/disposal aspect of retention while ASVS V14.1.2 requires broad documented protection requirements across encryption, logging, access, privacy, etc."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 supplies only a generic policy framework while ASVS V14.1.2 demands a detailed, data-specific protection-requirements document; the broad policy can require that such documentation exist but does not specify its content, so the overlap is partial in both directions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 covers only key management, a narrow slice of ASVS V14.1.2's broad documentation requirements for encryption and other data protections."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 addresses only cryptographic implementation while ASVS V14.1.2 requires documented requirements across encryption plus retention, logging, privacy, and access controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-8 addresses only transmission confidentiality/integrity, a narrow slice of ASVS V14.1.2's broad documentation mandate covering encryption, retention, logging, privacy, and more."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-23",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V14.2.1 is one narrow practice that helps protect session tokens; SC-23 is the broader session-authenticity control, which encompasses only the session-token aspect of the ASVS check and does not mandate the specific practice itself."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-43",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-43 allows broad usage restrictions on components but does not address sensitive-data caching or purging."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 network boundary controls can incidentally limit some external data flows but do not address application-level decisions about sending sensitive data to trackers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "MP-1 only requires a high-level media-protection policy; ASVS V14.2.4 demands verification of concrete technical controls (encryption, logging ACLs, privacy tech) that the policy control does not itself enforce."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-2 addresses only media-access restriction, covering one narrow slice of ASVS V14.2.4's access-control mention while ignoring encryption, retention, logging rules, and privacy controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-6 addresses only the retention/disposal sliver via media sanitization while ASVS V14.2.4 spans encryption, logging, access, privacy and integrity controls unrelated to sanitization."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only mandates existence of broad policy/procedures; it neither specifies nor verifies the concrete sensitive-data controls listed in V14.2.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 addresses only the encryption subset of the broad ASVS data-protection verification scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-1 only mandates a high-level media-protection policy document; ASVS V14.2.7 demands concrete classification plus automated/scheduled deletion mechanisms that the policy control alone does not enforce."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-4 addresses secure storage and eventual sanitization/destruction but omits retention classification and automated deletion schedules required by ASVS."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-6 covers classification-driven sanitization on disposal but omits retention schedules; ASVS V14.2.7 addresses neither media-specific sanitization methods nor sanitization strength."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-8",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires retention classification plus scheduled deletion; MP-8 addresses only classification-driven media downgrading processes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V14.2.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "mp-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST MP-8 addresses removal of sensitive data during media classification downgrade but does not target user-uploaded file metadata or consent checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-1 only mandates generic acquisition policy existence; it does not require the specific risk-based remediation timeframes for third-party vulnerabilities demanded by ASVS V15.1.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires a general flaw remediation process but does not mandate documented risk-based time frames for 3rd-party components; ASVS addresses only one narrow slice of SA-11."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.1.1 is a narrow slice (risk-based 3rd-party remediation timeframes) of the broad documented dev-process requirements in SA-15."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-22",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-22 addresses replacement of unsupported components but omits any documentation or risk-based remediation timelines for vulnerable libraries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-24 touches risk-management processes but does not address 3rd-party component remediation timeframes or library updates."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3's general SDLC risk integration touches component risk handling only at a high level, while the ASVS item is a narrow documentation requirement that SA-3 does not itself specify."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4 touches supply-chain and documentation requirements in contracts but does not mandate risk-based remediation time frames for vulnerable libraries; ASVS addresses only that narrow documentation practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 requires broad vuln-related admin docs but omits risk-based remediation time frames; ASVS addresses only that narrow sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-1 only requires high-level acquisition policy existence while ASVS demands a concrete SBOM inventory practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-10 addresses broad developer change control and flaw tracking but does not require SBOM-style inventories or trusted-repository verification for third-party libraries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process and tool standards but does not mandate SBOM-style third-party inventories, while ASVS V15.1.2 addresses only that narrow inventory practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-22",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-22 focuses on replacing unsupported components without mandating SBOMs or trusted repositories, while ASVS V15.1.2 does not address end-of-support replacement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-23",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-23's broad trustworthiness-via-specialization language touches only the 'trusted sources' aspect of the SBOM requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 broadly requires a documented dev process addressing security requirements (availability could be one) while ASVS V15.1.3 is a narrow documentation check on resource-intensive functions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 mandates broad developer security architecture docs while ASVS V15.1.3 targets only narrow resource-exhaustion availability documentation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.1.3 is a narrow documentation requirement for resource-intensive functions that can be viewed as one possible output of broad SDLC security/risk activities, while SA-3 addresses the entire lifecycle process, roles, and risk integration."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-4 requires security documentation in contracts at a high level but does not address the specific documentation of resource- or time-intensive functionality described in V15.1.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 broadly requires admin/user documentation on secure operation and security functions but does not mandate the specific resource/time-intensive functionality content required by ASVS V15.1.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process covering standards/tools but does not specifically mandate highlighting risky third-party libraries in application docs."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires broad architecture documentation that may incidentally reference components but does not address highlighting risky third-party libraries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4's broad acquisition documentation and supply-chain clauses can indirectly touch risky-component disclosure but do not specifically require application-level highlighting of third-party libraries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 requires broad documentation of known vulnerabilities but does not specifically call out highlighting risky third-party libraries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 broadly requires documented dev processes addressing security but does not specifically mandate application docs highlighting dangerous functionality."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires broad security architecture documentation that may incidentally address dangerous functionality, while ASVS V15.1.5 is a narrow verification of one documentation practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-3's broad SDLC security mandate can indirectly touch documentation practices but does not address the specific ASVS check for highlighting dangerous functionality."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4 broadly requires security documentation in acquisitions but does not specifically mandate highlighting dangerous functionality, while the narrow ASVS item covers none of the wide-ranging SA-4 elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.1.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-5 broadly requires admin/user docs on vulnerabilities and privileged functions, touching the narrow ASVS demand for highlighting dangerous functionality only incidentally."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-10's flaw-tracking clause touches remediation tracking but omits component-specific update time-frame enforcement required by ASVS V15.2.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST mentions a flaw remediation process but does not address verifying component update time frames; ASVS covers none of the broader developer testing and assessment activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security needs that could encompass component update time frames, while the narrow ASVS check covers none of the broad NIST process requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-22",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses end-of-support replacement for system components while ASVS focuses on app-specific update time-frame verification, yielding only partial overlap in one direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing generic security requirements; ASVS V15.2.2 is a narrow runtime availability control that may be referenced inside such a process but is not addressed by it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires broad architecture documentation that may reference availability strategies; ASVS demands concrete verification of resource-exhaustion defenses, which the NIST control does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-10's change-control process can indirectly limit extraneous code but does not specifically require removal of test/dev functionality from production."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security but does not specifically mandate removal of extraneous/test code from production."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-17 requires describing required functionality in architecture docs, touching the 'only required code' idea but not production verification or removal of test/dev artifacts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3's broad SDLC mandate can indirectly touch deployment hygiene but does not address extraneous production functionality; ASVS V15.2.3 is a single narrow check that covers none of the NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-4 mentions dev environment description in contracts but does not address keeping test/dev functionality out of production; ASVS covers none of the acquisition requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing security but does not mandate dependency-repository verification, while the narrow ASVS item addresses none of SA-15's process/tool/configuration elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.2.4 is a narrow supply-chain verification step; SA-24's high-level resiliency design could encompass related techniques but does not address it specifically."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3 provides only a high-level SDLC mandate that could encompass supply-chain controls, while ASVS V15.2.4 addresses one narrow dependency-integrity check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security requirements but does not mandate or verify specific runtime isolation controls for risky components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires only high-level architecture documentation while ASVS V15.2.5 demands concrete runtime isolation controls for risky components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-24 broadly requires resiliency techniques including isolation; ASVS V15.2.5 is one narrow application-level instance of such techniques."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3 addresses high-level SDLC process and risk management; ASVS V15.2.5 requires specific runtime isolation for risky components."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-4 broadly mandates security requirements in acquisition contracts but does not address application-level sandboxing or risky-component isolation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing generic security requirements while ASVS V15.3.1 is a narrow runtime data-field exposure rule that such a process might include but is not required to."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.1 is a narrow runtime data-minimization check that SA-17's high-level design-spec requirement may indirectly reference but does not enforce."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-15's generic dev-process/tool-config mandate can indirectly touch redirect settings but the narrow ASVS check covers none of SA-15's process documentation and review scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.3 is a narrow, code-level check against mass assignment; SA-15 only broadly requires a documented dev process that addresses security requirements in general."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-3's broad SDLC process may indirectly encompass secure-coding practices that address mass assignment, while the narrow ASVS check covers none of SA-3's organizational lifecycle elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires only a generic documented dev process addressing security requirements; the specific proxy IP-handling rule is neither mandated nor detailed by that process control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.4 is one narrow technical sliver potentially implied by the broad SA-8 engineering principles."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-11 requires broad developer testing that could incidentally include type-safety checks, while the narrow ASVS line item addresses none of SA-11's assessment, evidence, or remediation activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.5 is a narrow code-level type-safety check while SA-15 only requires a generic documented development process addressing security requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.5 is a narrow code-level type-safety check while SA-17 only requires high-level design documentation that might mention such practices."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.3.5 is a narrow code-level type-safety check that forms one sliver of the broad SDLC security activities described by SA-3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-4 enables inclusion of security requirements in contracts that could encompass type-safety checks, but the ASVS item addresses none of SA-4's acquisition-process scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-11 broadly mandates developer security testing and flaw remediation that could incidentally include prototype-pollution checks, while the single ASVS item addresses none of SA-11's process or evidence requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing security requirements; the narrow JS prototype-pollution check may be included but is not ensured."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-11 mandates a general developer testing program that could encompass HTTP parameter pollution checks but does not require them; the single ASVS test case addresses none of SA-11's process requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a documented dev process addressing security requirements (broadly covering the ASVS item) while the narrow ASVS check addresses none of SA-15's process, standards, or tooling mandates."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-17 requires high-level design architecture documentation that could mention parameter-handling defenses but does not mandate or verify the specific control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.3.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SA-3 mandates a security-aware SDLC process that may indirectly encompass specific app defenses, while V15.3.7 addresses only one narrow technical check unrelated to SDLC roles or risk integration."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires only a high-level documented dev process addressing security, which may incidentally touch thread-safety practices but does not verify the specific concurrency controls demanded by ASVS V15.4.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V15.4.1 is a narrow concurrency requirement while SA-3 is a broad SDLC process control that can encompass it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 requires a broad documented dev process addressing security but does not mandate TOCTOU/atomic checks, while the narrow ASVS item addresses none of SA-15's process/tool/configuration scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15 broadly requires documented dev standards that could encompass concurrency/locking rules, while ASVS V15.4.3 is a narrow code-level check unrelated to the overall process mandate."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V15.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SA-15's generic dev-process mandate could incidentally touch resource policies but does not require the specific thread-starvation control; the narrow ASVS check covers none of SA-15's broad process, standards, and tooling requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-1 requires only high-level audit policy/procedures while ASVS V16.1.1 demands a concrete, layer-specific logging inventory."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies event-generation capability that partially addresses one ASVS element (events logged) while the ASVS inventory/documentation mandate is otherwise untouched; ASVS does not address AU-12's generation or selection requirements at all."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-2 addresses only event-type selection while ASVS V16.1.1 requires a broader inventory covering formats, storage, access, usage, and retention."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-3 specifies required audit-record fields while ASVS V16.1.1 demands an inventory of logging scope, formats, storage, access and retention across layers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires broad logging inventory docs including access-control description; NIST au-9 only enforces protection/alerting of audit data, covering one narrow slice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST non-repudiation may rely on detailed audit metadata but also permits cryptographic or other mechanisms beyond logging."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 (via AU-3) requires the same metadata fields ASVS demands but also covers event selection/generation scope beyond ASVS's narrow verification focus."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-2 addresses event selection and investigation rationale but does not require specific log-entry metadata fields."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-3 directly specifies the same core metadata elements (when/where/who/what) plus extras, fully satisfying the narrow ASVS logging requirement while ASVS covers only a subset of au-3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-3 requires a 'when' field but says nothing about clock sync or UTC offsets, while ASVS V16.2.2 addresses only that narrow timing detail."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-8 covers the UTC/offset timestamp format but omits explicit synchronization of logging time sources; ASVS addresses only that narrow slice of the broader NIST time-stamp requirement for audit records."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS focuses narrowly on log readability and common formats for correlation; AU-10 addresses non-repudiation evidence without touching log processing."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 ensures audit records are generated with defined content but does not address log-processor readability or common formats for correlation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-3 mandates specific audit-record content but says nothing about log format or processor correlation; ASVS addresses only the latter."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-7 supports analysis/reporting but does not require common log formats or processor correlation specified in ASVS V16.2.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST timestamps support correlation but ignore common format/readability; ASVS never mentions timestamps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-12 addresses generic audit generation capability only; it contains no requirement for protection-level rules, exclusion, or masking of sensitive data."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-11 addresses only error-message content while ASVS V16.2.5 governs all sensitive-data logging decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands concrete auth-event logging; au-1 only requires high-level audit policy and procedures."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-10's broad non-repudiation evidence may be supported by auth logs but does not mandate them, while ASVS V16.3.1 covers only one narrow authentication-logging aspect of non-repudiation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies generic audit capability that can include auth events only if selected via AU-2, while ASVS demands only the narrow slice of authentication operations plus metadata."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow set of auth events and metadata while NIST requires organization-wide event selection, rationale and review, so each covers only part of the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 supplies the required event/outcome/identity metadata fields that satisfy most of the ASVS auth-logging content needs, yet does not mandate auth events specifically and ASVS addresses only a narrow slice of all audit records."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-10 requires irrefutable evidence for arbitrary actions while ASVS V16.3.2 demands only targeted logging of authorization decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies the generic audit-generation mechanism that can support authorization logging but does not mandate those specific events; ASVS V16.3.2 addresses only one narrow event type."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-2 defines a generic event-selection process that can include authz events but does not mandate them, while ASVS V16.3.2 names only one narrow event type."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 supplies generic audit-record fields that support authorization logging but does not mandate those events; ASVS addresses only one narrow class of events."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands concrete app-level logging of bypass attempts; au-10 only requires generic non-repudiation evidence that may be satisfied without such logs."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies the general audit-generation mechanism that can cover the specified security and bypass events, while ASVS V16.3.3 addresses only one narrow application-focused subset of the events and configuration options required by AU-12."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V16.3.3 is a narrow application-level logging rule that forms one sliver of the broad organizational event-selection and policy requirements in AU-2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 defines audit-record fields but does not require logging of the specific security/bypass events demanded by ASVS V16.3.3; ASVS says nothing about those fields."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V16.3.3 is a narrow app-logging rule that a generic integrity policy/procedure control could mention but does not mandate; SI-1 itself is untouched by the ASVS line."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 supplies generic audit-generation capability that can encompass the specified error/failure events, while the ASVS line is a narrow, application-specific verification sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-2 broadly requires selecting and justifying event types but does not mandate application-specific logging of errors or control failures such as backend TLS issues."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-3 defines audit-record content fields but does not require logging of the specific error/failure events demanded by ASVS V16.3.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-10",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires log protection; AU-10 requires non-repudiation evidence, which log integrity can support but does not implement or fulfill."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-9",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-9 directly covers the ASVS log-protection goals (unauthorized access and modification) and goes further: it also requires protection against deletion, alerting on detected tampering, and protection of the audit logging tools themselves."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-6",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST au-6 covers review/analysis/reporting of existing audit records but says nothing about secure transmission or logical separation of logs."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST covers the no-exposure intent but adds authorized-recipient scope absent from ASVS; ASVS is narrower and verifier-specific."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-17's broad fail-safe mandate covers the specific ASVS graceful-failure rule when parameterized appropriately, while the narrow ASVS item addresses only one sliver of possible fail-safe scenarios."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V16.5.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AU-12 addresses only the audit-logging portion referenced in the ASVS line; it does not cover the required error-handler definition or availability protection."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-14 provides a high-level public-access policy umbrella that could loosely encompass TURN IP filtering, while the narrow ASVS check addresses none of the control's broader scope. Caveat: SC-14 (Public Access Protections) is withdrawn in 800-53 r5, its capability being provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10; a mapping against a live control (SC-7 or AC-3) is more useful to implementers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V17.1.1 is a narrow TURN-specific IP allow-list check while SC-7 is a broad boundary-protection control that can only incidentally support such a check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Broad SC-6 resource allocation can indirectly support TURN exhaustion resistance but does not address the specific verification; the narrow TURN check covers none of the general NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-1 only ensures a high-level policy exists; it neither mandates DTLS-specific key handling nor verification steps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS narrowly targets DTLS cert key protection per policy; NIST broadly requires crypto key management per requirements, so the specific is one sliver of the general control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-12 supplies a generic key-management framework that only loosely touches the narrow DTLS-SRTP cipher-suite and protection-profile verification demanded by ASVS V17.2.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-13 is a broad crypto mandate that can include DTLS-SRTP when parameters specify it, while the ASVS item is one narrow slice of such controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides generic network-boundary monitoring that may incidentally limit RTP traffic but does not mandate SRTP authentication checks inside a media server."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 boundary controls may indirectly limit external floods but do not address media-server SRTP resilience from legitimate users."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides perimeter traffic controls that may incidentally limit some SRTP floods, but does not address media-server recording resilience; ASVS requirement addresses none of SC-7's boundary architecture scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-19",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-19 (Voice over Internet Protocol) is withdrawn in 800-53 r5 as technology-specific and carries no requirements of its own, so it covers none of the specific DTLS/SDP check; the ASVS item addresses only one narrow VoIP authenticity aspect (the SC-23 session-authenticity mapping is the live counterpart)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.2.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-23",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V17.2.8 is one narrow media-stream technique inside the broad NIST SC-23 requirement for session authenticity."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-36",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-36 (distributed processing and storage) can indirectly aid flood resilience but says nothing about rate limiting; the ASVS item addresses only signaling-server rate limiting."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides broad network boundary controls that may incidentally limit some floods but does not address signaling-server rate limiting."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V17.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V17.3.2 is a narrow, app-level input-validation check for one server type while SC-5 is a broad, parameterized DoS-protection control that can encompass it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires high-level integrity policies that could mention input validation but does not mandate the specific documentation rule; ASVS addresses only one narrow app-level item."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires performing input validation but does not address documentation of rules, while ASVS V2.1.1 only requires existence of such documentation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-18",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-18 addresses PII accuracy checking but omits documentation of input-validation rules; ASVS V2.1.1 touches data validity only narrowly and does not address PII lifecycle operations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-1 requires high-level integrity policies that could encompass data-validation documentation, while the narrow ASVS item addresses none of the broad policy/procedure mandates."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-10 requires generic input validity checks but omits the ASVS emphasis on documented logical/contextual consistency of combined items."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output-consistency validation overlaps the consistency-checking concept but ignores the documentation requirement and is narrower in scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 mandates high-level integrity policy/procedure documentation that could incidentally include business-logic limits, while ASVS V2.1.3 addresses only one narrow documentation expectation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 requires input validation checks but omits business-logic documentation and per-user/global distinctions, while ASVS V2.1.3 addresses only that narrow documentation sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 implements output validation for content consistency; ASVS V2.1.3 only requires documenting business-logic limits and does not address the control's validation mechanism."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a generic, parameterized requirement to check the validity of organization-defined inputs, while ASVS V2.2.1 adds explicit positive/allow-list and business-logic expectations that the control text does not mandate."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 mandates validity checks on defined inputs and, applied at the system boundary, satisfies the core ASVS trusted-layer rule; however the control text does not itself state where validation must occur, omits the explicit prohibition on relying on client-side checks, and is far broader in scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V2.2.2 is a narrow app-design rule for trusted-layer validation; SI-9 is a broad org-level input-restriction control that encompasses it. Caveat: SI-9 (Information Input Restrictions) is withdrawn in 800-53 r5 and incorporated into AC-2, AC-3, AC-5 and AC-6, so the mapping is better expressed against those controls (or SI-10)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 is a broad input-validation control that can encompass the specific cross-field reasonableness checks required by ASVS V2.2.3, while the ASVS item addresses only one narrow aspect of validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output-consistency checks can partially satisfy reasonableness rules when data combinations appear in output, but the ASVS item addresses general data-item validation unrelated to NIST's output-filtering scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V2.3.1 requires workflow sequencing enforcement; SI-10 only supplies generic input checks that can support step validation but do not address order or completeness."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-10 addresses generic input validity checks while ASVS V2.3.2 requires documented, application-specific business logic limits that exceed ordinary input validation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V2.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 requires only high-level integrity policy documentation that may reference anti-automation, while ASVS demands concrete technical controls the policy alone does not deliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V3.1.1 is one narrow documentation item inside the broad policy/procedure mandate of SC-1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-1 mandates high-level integrity policy/procedure documentation that could incidentally include browser-feature expectations, while the narrow ASVS item addresses none of SI-1's scope, roles, reviews, or integrity topics."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation is broad enough to touch context correctness but does not address the specific browser rendering controls (CSP sandbox, Sec-Fetch, Content-Disposition) required by ASVS."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS specifies one narrow output-encoding technique; broad NIST output-filtering control encompasses it but is not limited to it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-23",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V3.3.4 is one narrow technical measure (HttpOnly + Set-Cookie) inside the broad NIST SC-23 goal of protecting session authenticity."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-14 provides a high-level public-access umbrella that can encompass CORS rules but does not mandate the specific allow-list or '*' handling required by ASVS V3.4.2; the narrow CORS check addresses only a tiny slice of the broad control. Caveat: SC-14 is withdrawn in 800-53 r5 (capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10), so prefer a live control such as AC-3 for this mapping."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 addresses generic output validation for content consistency; ASVS V3.4.3 requires a precise web-specific CSP header policy that is outside SI-15's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15's generic output validation can be read to include header-based content-type enforcement, but the single ASVS header check addresses only a minuscule slice of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-14 is a broad public-access control that can encompass referrer-policy settings as one data-leakage safeguard, while the narrow ASVS line is only one sliver of that control. Caveat: SC-14 is withdrawn in 800-53 r5 (capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10); a live control such as SC-7 or AC-3 is the better anchor."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.4.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 output filtering can be read broadly to encompass CSP as a browser-enforced output control, but it says nothing about violation reporting; the ASVS item covers only the single reporting directive, so the overlap is loose."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-46",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-46 provides a broad cross-domain policy-enforcement hook that could be stretched to subsume origin validation, but supplies none of the concrete CSRF mechanisms required by ASVS V3.5.1. Caveat: SC-46 concerns enforcement between security domains (cross-domain solutions), not the browser same-origin policy, so the overlap is largely nominal."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-46",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-46 provides a broad cross-domain policy-enforcement hook that could loosely encompass CORS policy checks, while the narrow ASVS preflight test addresses none of the control's scope. Caveat: SC-46 concerns enforcement between security domains (cross-domain solutions), not browser cross-origin resource sharing, so the overlap is largely nominal."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 provides network boundary controls that could incidentally enforce HTTP method rules via WAFs, but ASVS V3.5.3 is a narrow app-level check unrelated to the broad scope of SC-7."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-32",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-32 broadly requires domain separation that can encompass hostname partitioning, while ASVS V3.5.4 is a narrow web-specific slice of that concept."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.5.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 addresses generic content-consistency validation; ASVS V3.5.8 requires specific cross-origin header enforcement that si-15 does not provide."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-35",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-35 provides broad detection of malicious external resources that can indirectly support integrity goals but does not address SRI, versioning, or the specific ASVS verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-18",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-18 broadly governs mobile code definition/control (covering the listed insecure client-side tech) while ASVS V3.7.1 is a narrow verification slice of that scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-35",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST malicious-site detection can indirectly inform an allowlist but does not implement or verify redirect controls; ASVS covers none of the NIST capability."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 requires only the existence of a high-level policy document; any HSTS preload mandate would be an optional detail inside it, while ASVS V3.7.4 is a single technical verification that touches none of the policy-management elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V3.7.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-11",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-11 addresses a broad trusted path concept but does not specify or require HSTS preload."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7.4 requires protecting confidentiality/integrity of external traffic but does not address HTTP-to-HTTPS redirect behavior or endpoint distinctions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only high-level access-control policy documentation; ASVS V4.1.4 is a narrow technical HTTP-method restriction that such a policy might reference but does not enforce."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Reference monitor provides a tamperproof enforcement substrate that could host method filtering but does not mandate or verify HTTP-method allow-listing."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V4.1.4 is one narrow technical instance of least privilege; AC-6 therefore fully encompasses it while the reverse is only a sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "SC-7 provides network-boundary controls that could incidentally support method filtering via L7 devices but does not address the specific ASVS requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-1 only mandates high-level policy/procedure documents for broad communications protection; ASVS V4.2.1 is a narrow technical verification that such a policy might reference but does not itself enforce."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-7 provides broad boundary-device requirements that could incidentally include HTTP-boundary handling, while ASVS V4.2.1 is a narrow protocol-specific check that addresses almost none of SC-7's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-14",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-14 requires documenting permitted unauthenticated actions and could therefore touch the introspection decision, but the ASVS item is a single narrow GraphQL control that does not address the NIST control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states the broad least-privilege principle that could loosely support disabling unnecessary GraphQL introspection, while the single ASVS check addresses none of the control's organizational scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V4.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-17's configuration requirements can loosely encompass the specific WebSocket origin check, but the ASVS item addresses none of the NIST control's policy/authorisation scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 addresses output validation but omits ASVS's documentation mandate for upload limits and malicious-file handling."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V5.1.1 requires specific upload documentation and malicious-file handling rules; SI-4's attack monitoring only incidentally touches detection behavior, leaving documentation and file-type controls unaddressed."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-4.27",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ac-4.27 addresses redundant cross-domain content filters while ASVS V5.2.2 requires specific file-type validation on upload; the scopes overlap only loosely on content checking."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V5.2.5 is one narrow technical measure inside the broad access-enforcement intent of AC-3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-3 focuses on malware scanning/detection while ASVS V5.3.1 requires a narrow web-server execution-prevention configuration for uploaded files."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-4 is a broad detection/monitoring control that may observe path-traversal attempts but does not implement or enforce the preventive input sanitization required by ASVS V5.3.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SI-15 is a broad output-validation control that can encompass the specific filename/Content-Disposition check, while the narrow ASVS rule only addresses one possible output-filtering scenario."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-15 provides a generic output-validation hook that may incidentally include filename sanitization, while ASVS V5.4.2 addresses only one narrow encoding case."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-15",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST output validation may incidentally reduce malicious content served but does not address AV scanning of untrusted input files."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V5.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST si-3 explicitly requires real-time scans of external files, fulfilling the narrow ASVS scanner check while the ASVS item addresses only one sliver of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires high-level IA policy documentation that could encompass auth controls, but does not mandate the specific rate-limiting/anti-automation content required by ASVS V6.1.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 addresses only the adaptive-authentication aspect while ASVS V6.1.1 requires documentation of rate limiting, anti-automation, and lockout prevention as well."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.1.2 is one narrow procedural detail inside the broad IA policy and procedures mandated by IA-1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength and initial content rules but never mandates a documented context-specific banned-word list, while the ASVS item addresses only that single narrow practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST's 'expected' passwords list partially overlaps the ASVS context-specific requirement, while ASVS covers only one narrow slice of the multi-part NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only a high-level IA policy document; ASVS V6.1.3 is a narrow, application-level verification of multi-path auth documentation and consistency that such a policy might reference but does not guarantee."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 addresses adaptive auth under conditions but omits documentation and cross-pathway consistency enforcement required by ASVS V6.1.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 addresses centralized IdP usage for auth decisions but omits any requirement for documenting or verifying consistency across multiple application auth pathways."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires org-user authentication at a high level but does not address documentation or consistent enforcement across multiple application auth pathways."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires strength of mechanism and procedures but omits multi-pathway documentation and explicit consistency enforcement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires broad use of IdPs for identity/auth decisions that may encompass password policy configuration, while the narrow ASVS password-length check addresses none of the IdP-usage scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not mandate specific password lengths, while ASVS addresses only one narrow aspect of the broad IA-5 control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST allows long passwords and parameterized complexity rules but does not mandate the specific 8/15-character minimum, while ASVS addresses only length and omits all other IA-5(1) elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates the existence of generic IA policies, while ASVS V6.2.10 demands a precise application-level rule on password lifetime."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS item is one narrow credential-lifetime rule inside broad IdP/credential management; IA-13 never addresses rotation policy."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses event-driven authenticator changes (including compromise) but neither requires nor forbids periodic rotation, while ASVS touches only one narrow facet of the broad IA-5 control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.10",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses compromised-password list checks but is silent on forbidding periodic rotation, while ASVS covers only that narrow rotation rule."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy/procedures that could optionally reference password dictionaries, while ASVS V6.2.11 is a narrow technical check unrelated to policy development."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not address context-specific password dictionaries; ASVS addresses only one narrow slice of IA-5."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.11",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5(1) directly requires a list check against expected/common passwords, covering the ASVS context-specific list requirement except for the narrow 'documented context-specific' wording; ASVS addresses only one sub-part of the multi-clause NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.12",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5's 'sufficient strength' clause loosely touches password checks while ASVS addresses only one narrow practice inside a broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.12",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "full",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5.1 explicitly requires the exact ASVS check against compromised passwords (plus many unrelated password rules)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires IdPs for identity management but does not address user password change; ASVS V6.2.2 is one narrow functional check unrelated to the control's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5 requires procedures for changing authenticators but does not mandate user self-service password change; ASVS covers only that single narrow capability."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.2.3 is a narrow check on password-change forms; IA-11 is a broad re-auth control that can encompass it when parameterized appropriately."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator changes at a high level but does not mandate verifying the current password during a change; ASVS addresses only that single narrow check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not mandate a top-3000 password dictionary check, while the ASVS item addresses only one narrow slice of the broad control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5.1 directly requires checking new/updated passwords against a maintained list of common/compromised passwords, covering the core ASVS check but omitting the explicit top-3000 size and policy-matching detail while also containing many unrelated password controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST explicitly allows all printable characters (fulfilling ASVS) while its remaining seven sub-requirements are untouched by the narrow ASVS line."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5's high-level protection of authenticator content touches password secrecy only indirectly, while the ASVS item is a narrow UI implementation detail absent from the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.9",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The ASVS item is a narrow slice of NIST's broad 'sufficient strength' authenticator clause."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.2.9",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5(1) explicitly requires support for long passwords/passphrases, fully satisfying the 64-character ASVS rule while the ASVS item addresses only one narrow clause among many NIST requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-1 only mandates high-level IA policy existence; it neither requires nor verifies the specific anti-brute-force controls demanded by V6.3.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS targets specific brute-force/credential-stuffing controls; IA-10's adaptive authentication is a broader, conditional mechanism that only partially overlaps."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires use of IdPs for auth decisions, which may incidentally supply brute-force protections, while ASVS V6.3.1 narrowly targets those specific controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires basic identification/authentication but does not address brute-force or credential-stuffing controls specified by ASVS V6.3.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength and lifecycle but omits explicit brute-force/credential-stuffing controls required by ASVS V6.3.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 addresses broad IdP-based identity management that may incidentally support disabling defaults, while the narrow ASVS check covers none of the NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires unique user identification/authentication but does not explicitly address disabling default accounts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses general identifier issuance and reuse prevention but does not explicitly require disabling default accounts, while the ASVS item is a narrow slice unrelated to most IA-4 elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses default authenticators via one clause while ASVS focuses narrowly on disabling default accounts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdPs for auth decisions but does not mandate MFA/hardware/phishing-resistant factors; ASVS V6.3.3 specifies only one narrow slice of authentication mechanisms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires only generic identification and authentication while ASVS V6.3.3 mandates MFA (plus hardware phishing resistance at L3)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2.6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST supplies core MFA + separate-device elements but omits ASVS phishing-resistance, intent-proof, L2/L3 distinctions and relaxation rules; ASVS addresses only application MFA and does not reach NIST's broader account scope or parameterization."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses authenticator strength and protection but omits explicit MFA mandates and L3 hardware/phishing controls, while ASVS covers only a narrow slice of the broader NIST management lifecycle."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST ia-5.2 details PKI/public-key implementation steps but does not require or enforce MFA, while ASVS V6.3.3 focuses on MFA mandates without addressing certificate path validation or revocation caching."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates high-level IA policy/procedure artifacts; it does not require or verify the specific multi-pathway consistency check demanded by ASVS V6.3.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 promotes centralized IdP use that may indirectly support consistent auth strength, but does not address undocumented pathways or application-level verification."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires basic org-user identification/authentication but does not address application-level multi-pathway consistency or undocumented paths."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength but omits multiple-pathway consistency and undocumented paths; ASVS V6.3.4 covers none of IA-5's distribution, revocation, or protection requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 requires adaptive auth under risk conditions but does not mandate user notification of suspicious attempts."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only requires generic IA policy existence; the narrow email-auth prohibition is neither mandated nor addressed by it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2.6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2.6 forces separate-device MFA and thereby blocks email-only flows and flows that use email as a non-separate-device factor, but never addresses the email ban itself; ASVS V6.3.6 says nothing about separate devices."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not specifically prohibit email, while the narrow ASVS rule addresses none of IA-5's broad management activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.3.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST broadly requires obscuring auth feedback but omits timing channels and non-auth flows that ASVS explicitly demands."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-1 only mandates high-level policy/procedure documents that might reference initial-password rules, while the ASVS item is a narrow technical verification unrelated to policy authorship."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdPs for identity/auth management but does not address initial-password specifics, while ASVS V6.4.1 covers only that narrow sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses initial authenticator content/strength but omits explicit short expiration and non-permanence rules required by ASVS."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5.1 touches forced change on recovery but omits random generation, short expiry, and non-reuse of initial secrets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-1 only mandates high-level IA policy/procedures that may reference password-reset rules, giving partial coverage of the narrow ASVS item while the ASVS item addresses none of IA-1's documentation and governance scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 adaptive auth can be tuned to require MFA for reset flows but does not address password-reset procedures; ASVS addresses only that narrow reset requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-11 supplies a generic re-auth lever that can be tuned to protect password reset but does not mandate the forgotten-password process or its MFA invariant, while ASVS V6.4.3 addresses only that single narrow scenario."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 covers initial identity proofing only; ASVS V6.4.3 targets MFA-preserving password reset, yielding minimal overlap in one direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires broad IdP usage for auth decisions but does not address password-reset flows; ASVS specifies only one narrow reset-MFA rule."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires general user authentication but does not address password-reset flows or MFA bypass prevention."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 supplies the general identity-proofing process but does not mandate re-proofing on lost MFA factors; ASVS V6.4.4 addresses only that narrow re-proofing scenario."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires procedures for lost authenticators (including identity checks) but omits the explicit same-level proofing mandate; ASVS addresses only that narrow sliver of IA-5."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires refreshing authenticators and related procedures but omits renewal notifications and timing reminders; ASVS addresses only that narrow procedural sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.4.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator procedures and protection from disclosure, which only loosely touches the narrow admin-reset rule in ASVS V6.4.6."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires only the use of IdPs/auth servers at a high level; it does not mandate single-use enforcement for TOTP/lookup/OOB secrets, while the narrow ASVS check addresses none of IA-13's broader identity-management scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires protection of authenticator content and sufficient strength but does not specify salted hashing for low-entropy lookup secrets; ASVS addresses only one narrow storage detail."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST requires salted KDF storage (one bullet) while ASVS adds entropy threshold, 32-bit salt, and lookup-secret scope; each therefore covers only a slice of the other."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST's generic 'sufficient strength' clause touches the entropy topic but is far broader and less specific than the 20-bit lookup/OOB rule."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy/procedures that could optionally reference token lifetimes, while ASVS V6.5.5 is a narrow technical verification rule unrelated to policy creation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator refresh but lacks the ASVS-specific OOB/TOTP lifetime limits; ASVS covers only that narrow sliver of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates generic IA policy existence; revocation of factors is neither required nor verifiable from it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.6",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires IdP-based identity/access management (which can include revocation) while ASVS V6.5.6 demands only a narrow, explicit revocation capability for lost auth factors."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10's generic adaptive parameters can be tuned to enforce biometrics only as a secondary factor, but the ASVS rule addresses none of the control's broader adaptive-auth scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.7",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator strength and management but contains no biometric-specific secondary-factor rule, while the narrow ASVS item addresses none of IA-5's distribution, revocation, or protection elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.5.8",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 broadly requires user authentication while ASVS V6.5.8 is a narrow TOTP time-source detail not addressed by the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-12 covers only the phone-number validation aspect via identity evidence checks while ignoring OTP delivery rules, risk disclosure, and L3 prohibition; ASVS addresses none of the broader identity-proofing requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength in general but omits phone-number validation, user risk disclosure, and the L3 prohibition on PSTN/SMS OTPs."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 only mandates high-level IA policy/procedures and does not address the specific out-of-band binding requirement, while the narrow ASVS item covers none of the policy development activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 is a high-level requirement to use IdPs; the specific out-of-band binding rule is one possible implementation detail not mandated by the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 covers broad authenticator procedures but does not address OOB binding to a specific request."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 adaptive auth may indirectly mitigate brute-force via risk-based step-up but does not address rate limiting or 64-bit entropy for OOB codes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength/protection but omits explicit rate limiting for OOB codes, while ASVS touches only the strength clause of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.6.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10's broad adaptive-auth parameter could encompass push-rate-limiting as one possible control, while the narrow ASVS line covers none of the general adaptive-auth requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.7.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.7.1 is a narrow slice (certificate storage for assertion verification) of the broad IA-5 authenticator-protection requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.7.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-3",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-3 requires device authentication at connection time but contains no nonce-length or uniqueness mandates, while the ASVS line addresses only one narrow technical property of such authentication."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.7.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST's generic 'sufficient strength' clause touches nonce requirements only at a high level while ASVS specifies an exact 64-bit unique challenge nonce."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.7.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-7",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS nonce length/uniqueness is one narrow technical detail inside the broad NIST IA-7 requirement to meet applicable standards for cryptographic-module authentication."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires employing IdPs but does not address the specific multi-IdP namespace collision check required by ASVS V6.8.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2's broad unique-ID mandate conceptually encompasses the ASVS multi-IdP namespace rule, while the narrow ASVS line only partially satisfies the org-level control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 broadly addresses identifier assignment and reuse prevention but does not mandate IdP-namespaced composite identifiers, while the narrow ASVS rule is fully contained inside that general control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-8 requires unique identification of non-org users at a high level; ASVS V6.8.1 adds a narrow multi-IdP namespace rule that IA-8 neither mandates nor precludes."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9's broad unique-ID mandate touches the namespace principle but ignores multi-IdP user spoofing; ASVS is a narrow user-identity rule that covers none of the service-auth control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.8.2 is one narrow technical check inside the broad IA policy/procedure umbrella defined by IA-1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands a narrow technical check on assertion signatures; NIST IA-13 only broadly requires use of IdPs without specifying that check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires user authentication at a high level but does not address signature validation on assertions, while the ASVS item is a narrow technical check unrelated to the breadth of IA-2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 touches authenticator integrity at a high level but does not require signature validation on assertions; ASVS addresses only one narrow technical check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4's identifier-reuse rule touches the uniqueness concept only tangentially, while ASVS V6.8.3 is a narrow SAML-replay control outside IA-4's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator lifecycle controls that can indirectly touch token strength but never specifies SAML-unique processing or replay prevention."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-8 requires non-org user authentication at a high level that can encompass SAML assertion handling, while the ASVS item is only one narrow technical control within that scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 addresses broad service identification/authentication but contains no SAML or replay-specific requirements, while the ASVS item is a narrow slice of authentication mechanisms."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-10 broadly requires adaptive auth under conditions, fully encompassing the narrow IdP claim-verification scenario while only partially addressing its specific mechanics and fallback rule."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-11 addresses only the recentness aspect via re-auth; ASVS V6.8.4 focuses on IdP claim validation for strength/method/recentness with fallback logic."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires only broad employment of IdPs for auth decisions; it does not mandate claim validation or documented fallbacks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V6.8.4 is a narrow IdP-claim verification detail that sits inside the broad IA-2 authentication mandate."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V6.8.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator strength for intended use but omits IdP claim validation or fallback logic required by ASVS V6.8.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-1 requires only a high-level access-control policy document; it does not mandate the specific session-lifetime rules or 800-63B justification that V7.1.1 demands."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 supplies only high-level IA policy scaffolding while ASVS V7.1.1 demands explicit, 800-63B-referenced session-timeout documentation."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-2 provides only high-level authentication context while ASVS V7.1.1 demands explicit session-timeout documentation and 800-63B alignment that IA-2 does not address."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V7.1.2 is one narrow documentation detail inside the broad access-control policy and procedures required by AC-1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-10",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST enforces the numeric limit while ASVS requires documentation of that limit plus max-reached behaviors."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires IA policy/procedure documentation at a high level; ASVS V7.1.2 demands one narrow concurrent-session detail that such a policy might contain but does not mandate."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only a generic documented access-control policy; that policy could mention federated session coordination but does not fulfill the concrete ASVS verification, while the narrow ASVS item covers none of AC-1's policy-development, assignment, or review obligations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 broadly addresses account documentation/termination/review but omits federated SSO session coordination; ASVS V7.1.3 touches only a narrow slice of AC-2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 supplies only a generic IA policy framework while ASVS V7.1.3 demands explicit documentation and coordination of federated session controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires use of IdPs for identity/access management but omits any session-lifetime, termination or re-auth coordination requirements specified in ASVS V7.1.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 supplies core authentication but omits federated session documentation, lifetime coordination, and re-auth triggers required by ASVS V7.1.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator lifecycle and re-issuance events that can indirectly support re-authentication triggers, but omits federated session documentation, lifetime coordination, and SSO termination requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The reference monitor concept could encompass backend session checks but does not require or specify them; the ASVS item addresses only one narrow verification practice."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST addresses key protection/generation for tokens but omits dynamic session token mandates; ASVS touches generation yet ignores broader key management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 addresses broad organizational identifier assignment and reuse prevention but does not require or verify dynamic token generation for application sessions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires periodic refresh and strength for authenticators but does not address session-specific dynamic tokens versus static API secrets."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires unique user identification but supplies none of the token-generation mechanics demanded by ASVS V7.2.3, while the ASVS line only addresses one narrow implementation detail of authentication."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 addresses generic automatic session termination; ASVS V7.2.4 requires both termination and fresh token issuance specifically on authentication events."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "IA-2 requires user authentication but contains no inactivity timeout or re-authentication requirement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy/procedures while ASVS V7.3.2 demands a specific enforceable session-lifetime control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly addresses IdP usage for auth decisions while ASVS V7.3.2 specifies only max session lifetime enforcement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-2 requires user authentication but does not address session lifetime or forced re-authentication."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-11 device lock addresses re-auth after lock but does not implement application session/token invalidation on logout or expiry."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST mandates automatic termination but omits token invalidation mechanics; ASVS verifies post-termination enforcement but does not require the automatic trigger."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account disable/remove on termination which can indirectly end access, but does not cover session/token invalidation mechanics required by ASVS V7.4.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The reference monitor supplies a tamperproof enforcement substrate that could host session checks but does not mandate or describe session termination logic."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 requires account disable/remove on termination but never mentions session termination, while ASVS addresses only that narrow behavior."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator revocation procedures but does not mention session termination; ASVS covers only one narrow operational detail unrelated to the bulk of IA-5."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 mandates automatic session termination on a configurable trigger, while ASVS V7.4.3 requires only an optional, user-triggered termination of other sessions after an auth-factor change."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.4.5",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 account disable/remove offers indirect support for revoking access but never addresses session termination; ASVS covers none of the broad account-management control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.5.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-14",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-14 addresses documentation of unauthenticated actions while ASVS V7.5.1 mandates re-authentication for specific sensitive changes, yielding no fulfillment in either direction and only a sliver of related scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-11",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST device lock requires re-auth to resume access but is not scoped to app-level sensitive transactions, while ASVS does not address device/session locking."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-14",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-14 addresses documenting actions allowed without any authentication, while ASVS V7.5.3 mandates step-up authentication for sensitive operations; the two share only a tangential relationship to authentication policy."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1's broad policy mandate may touch re-auth needs at a high level while the narrow ASVS technical rule addresses none of the policy/procedure scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.5.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 addresses IdP/Authorization Server infrastructure for auth decisions but does not mandate step-up auth for sensitive transactions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-12",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-12 supplies generic session timeout but omits IdP/RP federation semantics, documented behavior, and re-auth triggers required by ASVS V7.6.1."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires employing IdPs but does not address specific session lifetime/termination behaviors, while ASVS V7.6.1 covers only one narrow verification aspect of IdP usage."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses authenticator lifecycle/refresh events that can indirectly support re-auth triggers, but ASVS V7.6.1 focuses narrowly on documented RP-IdP session lifetimes and termination behavior outside IA-5 scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V7.6.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-8",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-8 requires explicit user acknowledgment before access but targets notification banners, not session-creation consent."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.1.1 is one narrow authorization-documentation rule inside the broad AC-1 policy-and-procedures control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies the attribute mechanism that can support authorization rules but omits documentation verification; ASVS V8.1.1 touches only the attribute-based rule aspect of the much broader NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account privileges and access authorizations at a high level but omits function/data-specific authorization rules; ASVS V8.1.1 covers none of the account lifecycle, monitoring, or approval processes in AC-2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS requires documented ABAC-style rules for function/data access; NIST AC-3.3 enforces a rigid MAC policy with specific non-disclosure constraints, yielding only narrow overlap in either direction."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.4 enforces a specific DAC model while ASVS V8.1.1 requires documented authorization rules; each addresses only a subset of the other's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only a generic documented AC policy; ASVS V8.1.2 demands a narrow, field-level attribute-based authorization rule set that is neither mandated nor precluded by the high-level policy control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 requires attribute association/auditing but does not address field-level authorization rule documentation or read/write restrictions based on consumer permissions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account-level access authorizations but omits field-level attribute-based rules; ASVS V8.1.2 has no overlap with account management activities."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.3 (MAC) enforces broad policy constraints on information flow and attributes but does not address field-level granularity or authorization documentation; ASVS V8.1.2 is too narrow to cover any MAC specifics."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands documented field-level attribute rules; NIST AC-3.4 only states generic DAC enforcement without that granularity or documentation focus."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only a high-level access-control policy document; ASVS V8.1.3 demands explicit application-level documentation of contextual attributes used in runtime decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 addresses defining/establishing security attributes and auditing them, which overlaps the ASVS focus on documenting contextual attributes for decisions but omits app-specific documentation and environmental decision context."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 touches access-authorization conditions but does not require documenting environmental/contextual attributes; ASVS V8.1.3 addresses none of AC-2's account-management scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 requires decision enforcement on requests but says nothing about documenting contextual attributes; ASVS addresses only that narrow documentation sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-1 requires only high-level access-control policy existence and maintenance; ASVS V8.1.4 demands specific contextual-authorization content that a generic policy need not contain."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 addresses attribute definition/auditing on data but omits ASVS's required authz decision documentation, thresholds, and actions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.1.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 touches basic access authorization but omits risk/contextual attributes, thresholds, and step-up actions required by ASVS V8.1.4."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies an attribute-association mechanism that could support permission checks but does not enforce function-level access; ASVS V8.2.1 addresses only that narrow enforcement point."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account provisioning and privilege assignment at an org level but does not cover application-level function access enforcement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3 broadly enforces access authorizations across all logical resources, fully encompassing the narrow ASVS function-level check while the reverse covers only one sliver."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies attribute mechanisms that can support fine-grained data permissions but does not mandate application-level enforcement against IDOR/BOLA; ASVS V8.2.2 addresses none of AC-16's attribute lifecycle requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 defines and manages account privileges at the system level but does not address application runtime enforcement of per-object data permissions to prevent IDOR/BOLA."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST AC-25 reference monitor supplies a general tamperproof enforcement substrate that could underpin object-level checks, yet says nothing about explicit per-data-item permissions or IDOR/BOLA; the ASVS requirement addresses none of the monitor's required properties."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.2.2 is a narrow, app-specific object-level authorization check that is subsumed by the broad AC-3 policy-enforcement control but not fully addressed by it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies an attribute-association mechanism that could support field permissions but does not mandate application-level field access enforcement, while ASVS V8.2.3 addresses only one narrow authorization check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses high-level privilege assignment while ASVS V8.2.3 requires application-enforced field-level checks, yielding only loose directional overlap."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3 is a broad policy-level access enforcement control that only partially addresses the narrow field-level BOPLA check required by ASVS V8.2.3."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies a general attribute-association framework that could support contextual attributes but does not mandate adaptive session-based authz decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-19",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-19 touches device/location aspects of access but does not address adaptive contextual auth decisions applied at session start and ongoing."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.2.4 demands specific adaptive/contextual attribute checks at session start and runtime; AC-24 only requires generic per-request decisions and therefore covers the ASVS item only partially while the narrow ASVS item sits inside the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS demands app-specific trusted-layer authz; NIST's abstract reference-monitor properties largely satisfy that intent but extend far beyond it."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16's attribute-change auditing touches the alert/revert aspect but omits immediate propagation and token-specific mitigations; ASVS V8.3.2 addresses only a narrow slice of attribute management."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account lifecycle changes and notifications but does not cover immediate enforcement of authorization decisions or token-specific mitigations required by ASVS V8.3.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "ASVS V8.3.2 is a narrow slice (immediate authz-value propagation + token mitigations) of the broad per-request decision enforcement required by AC-24."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST AC-25 reference monitor ensures tamperproof/always-invoked decisions but does not address immediate propagation of authorization changes or token-specific alerts/reversion."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.3 (MAC) constrains unauthorized changes to security attributes but does not address immediate propagation or token-specific mitigations required by ASVS V8.3.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 addresses broad authorization scope but does not require immediate propagation of changes or token-specific mitigations."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-16",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-16 supplies a general attribute-binding framework that could carry subject identity but does not address propagation of original-subject permissions across intermediaries."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses account provisioning/monitoring but not subject-identity propagation for chained authorization decisions."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.3.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-6",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-6 states broad least-privilege but does not require original-subject identity propagation across services."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-2 account lifecycle rules can support tenant separation via authorizations but do not address multi-tenant isolation enforcement."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-24 supplies a generic access-decision requirement that only loosely supports the ASVS multi-tenant isolation rule, while the narrow ASVS line addresses none of the broad NIST control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-25",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "The NIST AC-25 reference monitor is a general tamperproof mediation architecture; it neither specifies nor guarantees multi-tenant isolation controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3 supplies the general access-enforcement mechanism while ASVS V8.4.1 adds a narrow multi-tenant isolation requirement not explicitly addressed by the control."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-17",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-17 addresses remote-access policy and authorization at a high level that can partially support admin-interface controls, while ASVS V8.4.2 demands specific continuous verification, posture assessment, and risk analysis not addressed by AC-17."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-2",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-2 addresses basic account provisioning/monitoring but omits continuous verification, device posture, and risk analysis required by ASVS V8.4.2."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V8.4.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST AC-3.3 enforces a specific MAC policy model unrelated to ASVS's multi-layer admin checks (identity, device posture, context)."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-1 requires only high-level IA policy documents that could mention token validation, while ASVS V9.1.1 is a single narrow technical check unrelated to policy development."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of IdPs/auth servers but does not address token signature validation; ASVS V9.1.1 is a narrow technical check unrelated to the org-level identity management scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 mentions protecting authenticator content from modification but does not address token signature/MAC validation; the ASVS requirement is a narrow technical check outside NIST's scope."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 requires sufficient authenticator strength but does not address token algorithm allow-lists or 'None' algorithm prohibition, while ASVS V9.1.2 is a narrow slice that covers almost none of IA-5's broad management requirements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13.1",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13.1 broadly addresses key protection/management but does not require allow-list validation of token issuer sources or JWT headers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.1.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 broadly addresses establishing and protecting trusted authenticator content but does not specifically require allow-list validation of token signature sources such as JWT jku/x5u headers."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator lifecycle procedures but does not mandate runtime token time-span validation such as nbf/exp checks."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.1",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-45",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST SC-45 supplies accurate time as a prerequisite but does not implement token claim checks, while ASVS V9.2.1 addresses only the validation logic and says nothing about clock synchronization."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 broadly requires use of IdPs/auth servers for identity decisions while ASVS V9.2.2 specifies one narrow token-type validation check performed by a relying service."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses broad authenticator management including intended-use strength but does not require token-type/purpose validation on receipt; ASVS V9.2.2 is a narrow slice that touches none of IA-5's procedural or lifecycle elements."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.2",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 provides a broad service authentication mandate that only loosely touches token-type validation, while ASVS V9.2.2 is a narrow, token-specific check that addresses almost none of IA-9."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13 requires use of IdPs/auth servers at an org level but does not mandate audience validation; ASVS V9.2.3 is one narrow token check unrelated to the breadth of IA-13."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-5 addresses general authenticator lifecycle/strength but does not specify audience validation; ASVS V9.2.3 is one narrow technical check among IA-5's many controls."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.3",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-9",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-9 requires generic service authentication while ASVS V9.2.3 demands a single, narrow JWT audience check."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13.3",
      "extent": "mostly",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-13.3 requires audience restriction (covering the core ASVS mandate) but omits the same-key condition and dynamic-audience validation; ASVS V9.2.4 addresses only one narrow facet of the broad NIST token-management list."
    },
    {
      "source_framework": "OWASP_ASVS_5.0",
      "source_id": "V9.2.4",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-4",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "NIST IA-4 provides general identifier assignment/reuse rules that could loosely support audience IDs, but ASVS V9.2.4's token-specific audience restriction and validation requirement is outside IA-4's scope."
    }
  ]
}