{
  "meta": {
    "slug": "nist-800-53-r5-owasp-web-2025",
    "frameworks": [
      "NIST_800-53_r5",
      "OWASP_Web_Top10_2025"
    ],
    "labels": [
      "NIST 800-53 r5",
      "OWASP Top 10 Web 2025"
    ],
    "authoritative": null,
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "NIST_800-53_r5",
      "b": "OWASP_Web_Top10_2025"
    },
    "counts": {
      "pairs": 42,
      "rows": 83,
      "present_a_to_b": 40,
      "present_b_to_a": 31
    },
    "reliability": {
      "reverse_presence_pct": 77.5,
      "extent_rank_correlation": 0.605,
      "completeness_a_to_b_pct": 47.5,
      "completeness_b_to_a_pct": 3.2,
      "none_rate_a_to_b_pct": 4.8,
      "none_rate_b_to_a_pct": 26.2,
      "counterpart_coverage_a": {
        "mapped": 34,
        "universe": 324,
        "pct": 10.5
      },
      "counterpart_coverage_b": {
        "mapped": 10,
        "universe": 10,
        "pct": 100.0
      }
    },
    "abstraction": {
      "breadth_a_to_b": 1.21,
      "breadth_b_to_a": 3.44,
      "depth_a_to_b": 1.48,
      "depth_b_to_a": 1.03,
      "verdict": "OWASP_Web_Top10_2025 sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": {
        "signal": "nist_level",
        "controls": 31,
        "enhancements": 3
      },
      "intrinsic_b": null
    },
    "diff": null,
    "ppt": null
  },
  "diff": null,
  "edges": [
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "AC-2 touches account provisioning and authorization assignments but does not address runtime enforcement failures such as path traversal, IDOR, or missing function-level checks that define A01."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-24",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "AC-24 directly enforces per-request authorization decisions, blocking most broken-access-control failures, yet the weakness also encompasses implementation flaws (IDOR, path traversal, missing checks) outside this single policy-level control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ac-3.3",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "MAC directly enforces uniform, non-bypassable policy constraints that eliminate most authorization failures, yet Broken Access Control spans additional vectors (IDOR, CSRF, path traversal) outside a single MAC policy's scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-12",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "AU-12 directly implements event log generation and so largely eliminates the 'events aren't logged' facet of A09, yet A09's broader scope (alerting + integrity) means one control cannot remove most of its total risk."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "au-2 directly drives selection of security-relevant events and so largely eliminates the logging-failure facet, yet leaves the weakness's alerting and log-integrity dimensions untouched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "au-5",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "au-5 directly supplies the missing alert-and-response behavior when logging fails, closing most of that facet of A09, yet A09 also covers absent event selection, log integrity, and initial configuration that one failure-response control leaves untouched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-14",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "CM-14 directly blocks unsigned/compromised installs (one facet of supply-chain failures) but leaves vulnerable/outdated components and build-pipeline issues untouched, so each direction rates only partial."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-3",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Change-control reviews catch misconfigs introduced via modifications but leave initial defaults, hardening gaps, and non-change exposures untouched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "cm-6 directly mandates restrictive settings, implementation, deviation approval and ongoing monitoring, thereby largely eliminating the described misconfiguration risks while still leaving room for framework/cloud-specific gaps outside its scope."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-6",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "cm-6 can partially reduce risk by locking down build/deploy configs and change monitoring, but supply-chain failures center on upstream dependency integrity and signing that config settings alone do not address."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "cm-8",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Inventory enables component tracking that can surface outdated items but does not enforce secure sourcing, signing, or pipeline controls, removing almost none of the broad supply-chain risk."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-1",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ia-1 policy establishes high-level IA expectations that can indirectly reduce introduction of auth failures, yet the weakness's concrete risks (brute-force, session flaws, credential stuffing) remain fully unaddressed by policy alone."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A01:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ia-13 centralizes authorization decisions and therefore removes most ways Broken Access Control can be introduced, yet the weakness also includes implementation flaws (IDOR, path traversal, missing checks) that one identity-management control cannot fully close."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-13",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ia-13 directly supplies centralized, policy-driven IdP/auth-server mechanisms that eliminate most authentication-failure vectors, yet the weakness also encompasses implementation details (credential stuffing defenses, reset flows, session handling) outside the scope of this single control."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ia-5 directly eliminates many authenticator-related failure modes (defaults, strength, revocation) but leaves session handling, brute-force, and reset-flow risks unaddressed."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.1",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "IA-5(1) enforces crypto-protected transit and salted storage only for passwords, blocking that narrow slice of cryptographic failures while leaving all other sensitive-data exposures untouched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ia-5.2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A07:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "ia-5.2 eliminates password-based attacks and credential theft via PKI but leaves session management, reset flows, and hijacking risks unaddressed."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-4",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "IR-4's detection/analysis phase touches logging needs indirectly and may surface gaps via lessons-learned, but the control itself neither implements nor enforces logging/alert integrity, leaving the weakness's root causes untouched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "ir-8",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A09:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "IR-8 plan can reference logging/alerting needs for incident handling (partial prevention), but the plan document alone removes none of the actual logging-failure risk."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Plans document threats, roles and categorization (partial forward help) but do not themselves perform or enforce secure design decisions (no reverse effect)."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "pl-8",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "pl-8 directly requires documented security/privacy architectures that largely eliminate baked-in design weaknesses, yet A06 spans wider design flaws (threat modeling, control selection, etc.) that one architecture outcome cannot fully close."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "sa-17 directly mandates a security architecture and design spec that targets the root of insecure design, preventing most such weaknesses at introduction, yet A06 spans additional design facets (threat modeling, failure modes, etc.) that one control cannot fully close."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-17",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "sa-17 forces explicit integrity mechanisms and control allocation into the design, blocking most A08 defects at introduction, yet A08's breadth (deserialization, CI/CD, updates) requires additional runtime and process controls beyond architecture alone."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-22",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "sa-22 directly eliminates only the outdated/unsupported-component facet of supply-chain failures while leaving pipelines, signing, and compromise vectors untouched."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-24",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SA-24 directly mandates structured resiliency design activities that largely eliminate architecture-level flaws, yet addresses only one facet of the broad Insecure Design weakness."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-3",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SA-3's mandated integration of security into the full SDLC directly targets design-phase risk decisions, preventing most baked-in architecture flaws, yet leaves residual design weaknesses possible because the single control does not prescribe concrete threat-modeling or control-selection techniques."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-4",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SA-4 can require design-related controls/assurance in contracts, blocking some introduction of architectural flaws, yet addresses only the acquisition facet of a broad design weakness."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A06:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SA-8 directly embeds security principles into design/specification activities, thereby preventing most insecure-design defects, yet a single principle set cannot close every architectural risk vector on its own."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sa-8",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "sa-8 principles embed integrity checks and trust boundaries at design time, blocking most A08 root causes, yet the weakness also spans runtime, supply-chain and CI/CD vectors that one principle set cannot fully close."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-12",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "sc-12 directly addresses only the key-management facet of cryptographic failures, leaving algorithm choice, encryption coverage, and implementation errors unmitigated."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sc-20",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A04:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SC-20 mandates correct use of crypto for DNSSEC-style authentication/integrity, blocking that narrow slice of exposure, but A04 covers all transit/rest data so the single control removes essentially none of the weakness's overall risk."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-11",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SI-11 directly targets only the information-leak facet of error handling while A10 also covers fail-open and inconsistent-state issues, so each direction addresses merely one slice of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A02:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "si-2 can remediate some misconfigurations via updates and config-management integration but does not address initial hardening or default settings, while misconfiguration risk spans far more than post-release flaw fixes alone."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Patching via SI-2 can close known, externally-supplied injection flaws after discovery but does nothing to stop the weakness from being written into custom application code."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "si-2 drives timely verified updates that can close some unsigned-update paths but does not address deserialization or CI/CD integrity checks, so each direction only partially overlaps the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A10:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "si-2 enables post-discovery correction of exception-handling flaws but neither stops their introduction in code nor covers the full breadth of fail-open/inconsistent-state risks."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A05:2025",
      "extent": "none",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "Malicious-code scanning detects/blocks known malware payloads but neither removes injection flaws from application code nor addresses untrusted-input neutralization at interpreter boundaries."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-3",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SI-3 detects/blocks some malware that could produce integrity failures but does not implement verification, signing, or deserialization controls, so it only addresses one narrow facet of A08."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "si-7",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A08:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "si-7 directly enforces the integrity verification that A08 identifies as missing, eliminating most instances of the weakness, yet A08 spans additional design and pipeline issues that one detection control cannot fully close."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-11",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "SR-11 directly blocks counterfeit/compromised components (one slice of supply-chain failures) but leaves vulnerabilities, outdated deps, build pipelines and signing untouched, so each direction covers only a narrow facet of the other."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-2",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "partial",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "The SR-2 plan can identify supply-chain risks and therefore partially steers later mitigations, yet the plan document itself introduces no technical controls and so removes none of the concrete dependency, pipeline or signing weaknesses."
    },
    {
      "source_framework": "NIST_800-53_r5",
      "source_id": "sr-3",
      "target_framework": "OWASP_Web_Top10_2025",
      "target_id": "A03:2025",
      "extent": "mostly",
      "relation": "prevents",
      "authority": "manual_QA_v2",
      "notes": "sr-3 directly targets supply-chain weaknesses via identification, controls, and documentation, preventing most A03 failures, yet one high-level control cannot close every dependency, pipeline, or signing vector of the broad weakness."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-24",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "AC-24 directly enforces per-request authorization decisions, blocking most broken-access-control failures, yet the weakness also encompasses implementation flaws (IDOR, path traversal, missing checks) outside this single policy-level control."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ac-3.3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "MAC directly enforces uniform, non-bypassable policy constraints that eliminate most authorization failures, yet Broken Access Control spans additional vectors (IDOR, CSRF, path traversal) outside a single MAC policy's scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A01:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ia-13 centralizes authorization decisions and therefore removes most ways Broken Access Control can be introduced, yet the weakness also includes implementation flaws (IDOR, path traversal, missing checks) that one identity-management control cannot fully close."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Change-control reviews catch misconfigs introduced via modifications but leave initial defaults, hardening gaps, and non-change exposures untouched."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "mostly",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "cm-6 directly mandates restrictive settings, implementation, deviation approval and ongoing monitoring, thereby largely eliminating the described misconfiguration risks while still leaving room for framework/cloud-specific gaps outside its scope."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A02:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "si-2 can remediate some misconfigurations via updates and config-management integration but does not address initial hardening or default settings, while misconfiguration risk spans far more than post-release flaw fixes alone."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-14",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "CM-14 directly blocks unsigned/compromised installs (one facet of supply-chain failures) but leaves vulnerable/outdated components and build-pipeline issues untouched, so each direction rates only partial."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-6",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "cm-6 can partially reduce risk by locking down build/deploy configs and change monitoring, but supply-chain failures center on upstream dependency integrity and signing that config settings alone do not address."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "cm-8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Inventory enables component tracking that can surface outdated items but does not enforce secure sourcing, signing, or pipeline controls, removing almost none of the broad supply-chain risk."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-22",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "sa-22 directly eliminates only the outdated/unsupported-component facet of supply-chain failures while leaving pipelines, signing, and compromise vectors untouched."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-11",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SR-11 directly blocks counterfeit/compromised components (one slice of supply-chain failures) but leaves vulnerabilities, outdated deps, build pipelines and signing untouched, so each direction covers only a narrow facet of the other."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "The SR-2 plan can identify supply-chain risks and therefore partially steers later mitigations, yet the plan document itself introduces no technical controls and so removes none of the concrete dependency, pipeline or signing weaknesses."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A03:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sr-3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "sr-3 directly targets supply-chain weaknesses via identification, controls, and documentation, preventing most A03 failures, yet one high-level control cannot close every dependency, pipeline, or signing vector of the broad weakness."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.1",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "IA-5(1) enforces crypto-protected transit and salted storage only for passwords, blocking that narrow slice of cryptographic failures while leaving all other sensitive-data exposures untouched."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-12",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "sc-12 directly addresses only the key-management facet of cryptographic failures, leaving algorithm choice, encryption coverage, and implementation errors unmitigated."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A04:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sc-20",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SC-20 mandates correct use of crypto for DNSSEC-style authentication/integrity, blocking that narrow slice of exposure, but A04 covers all transit/rest data so the single control removes essentially none of the weakness's overall risk."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Patching via SI-2 can close known, externally-supplied injection flaws after discovery but does nothing to stop the weakness from being written into custom application code."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A05:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Malicious-code scanning detects/blocks known malware payloads but neither removes injection flaws from application code nor addresses untrusted-input neutralization at interpreter boundaries."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-2",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "Plans document threats, roles and categorization (partial forward help) but do not themselves perform or enforce secure design decisions (no reverse effect)."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "pl-8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "pl-8 directly requires documented security/privacy architectures that largely eliminate baked-in design weaknesses, yet A06 spans wider design flaws (threat modeling, control selection, etc.) that one architecture outcome cannot fully close."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "sa-17 directly mandates a security architecture and design spec that targets the root of insecure design, preventing most such weaknesses at introduction, yet A06 spans additional design facets (threat modeling, failure modes, etc.) that one control cannot fully close."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-24",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SA-24 directly mandates structured resiliency design activities that largely eliminate architecture-level flaws, yet addresses only one facet of the broad Insecure Design weakness. NOTE(review): confirm the control identifier - the published 800-53 r5 SA family appears to end at SA-23 (Specialization), so SA-24 may be a typo for another control."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SA-3's mandated integration of security into the full SDLC directly targets design-phase risk decisions, preventing most baked-in architecture flaws, yet residual design weaknesses remain possible because the control does not prescribe concrete threat-modeling or control-selection techniques."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-4",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SA-4 can require design-related controls/assurance in contracts, blocking some introduction of architectural flaws, yet addresses only the acquisition facet of a broad design weakness."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A06:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SA-8 directly embeds security principles into design/specification activities, thereby preventing most insecure-design defects, yet a single principle set cannot close every architectural risk vector on its own."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-1",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ia-1 policy establishes high-level IA expectations that can indirectly reduce introduction of auth failures, yet the weakness's concrete risks (brute-force, session flaws, credential stuffing) remain fully unaddressed by policy alone."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-13",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ia-13 directly supplies centralized, policy-driven IdP/auth-server mechanisms that eliminate most authentication-failure vectors, yet the weakness also encompasses implementation details (credential stuffing defenses, reset flows, session handling) outside the scope of this single control."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ia-5 directly eliminates many authenticator-related failure modes (defaults, strength, revocation) but leaves session handling, brute-force, and reset-flow risks unaddressed."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A07:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ia-5.2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "ia-5.2 (public key-based authentication) removes the password attack surface (brute force, credential stuffing) where it replaces passwords, but it does not prevent theft or misuse of the private key itself and leaves session management, reset flows, and hijacking risks unaddressed."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-17",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "sa-17 forces explicit integrity mechanisms and control allocation into the design, blocking most A08 defects at introduction, yet A08's breadth (deserialization, CI/CD, updates) requires additional runtime and process controls beyond architecture alone."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "sa-8",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "sa-8 principles embed integrity checks and trust boundaries at design time, blocking most A08 root causes, yet the weakness also spans runtime, supply-chain and CI/CD vectors that one principle set cannot fully close."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "si-2 drives timely verified updates that can close some unsigned-update paths but does not address deserialization or CI/CD integrity checks, so each direction only partially overlaps the other."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-3",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SI-3 detects/blocks some malware that could produce integrity failures but does not implement verification, signing, or deserialization controls, so it only addresses one narrow facet of A08."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A08:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-7",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "si-7 directly enforces the integrity verification that A08 identifies as missing, eliminating most instances of the weakness, yet A08 spans additional design and pipeline issues that one detection control cannot fully close."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-12",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "AU-12 directly implements audit record generation and so largely eliminates the 'events are not logged' facet of A09, yet A09's broader scope (alerting and log integrity) means one control cannot remove most of its total risk."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "au-2 directly drives selection of the security-relevant events to log and so largely eliminates the logging-failure facet, yet leaves the weakness's alerting and log-integrity dimensions untouched."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "au-5",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "au-5 directly supplies the missing alert-and-response behavior when logging fails, closing most of that facet of A09, yet A09 also covers absent event selection, log integrity, and initial configuration that one failure-response control leaves untouched."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-4",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "IR-4's detection/analysis phase touches logging needs indirectly and may surface gaps via lessons-learned, but the control itself neither implements nor enforces logging/alert integrity, leaving the weakness's root causes untouched."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A09:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "ir-8",
      "extent": "none",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "IR-8's incident response plan can reference logging/alerting needs for incident handling (some forward, NIST-to-OWASP, coverage), but the plan document alone removes none of the actual logging-failure risk, so it does not prevent A09."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-11",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "SI-11 directly targets only the information-leak facet of error handling, while A10:2025 also covers fail-open and inconsistent-state issues, so each direction addresses merely one slice of the other."
    },
    {
      "source_framework": "OWASP_Web_Top10_2025",
      "source_id": "A10:2025",
      "target_framework": "NIST_800-53_r5",
      "target_id": "si-2",
      "extent": "partial",
      "relation": "is_prevented_by",
      "authority": "manual_QA_v2",
      "notes": "si-2 enables post-discovery correction of exception-handling flaws but neither stops their introduction in code nor covers the full breadth of fail-open/inconsistent-state risks."
    }
  ]
}