Cyber Resilience

Cross-walk release · 10 June 2026

CWE ↔ NIST CSF 2.0

A two-way mapping between CWE and NIST CSF 2.0: 145 related pairs, 290 directional rows, LLM-authored (degrades / is prevented by · is degraded by / prevents) and human-QA’d (cohort bulk_after_review_2026_06_08 where applicable). ← all releases

What we add (no authoritative mapping exists)

No standards body publishes a CWE ↔ NIST CSF 2.0 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.

Reliability

CWE → NIST CSF 2.0NIST CSF 2.0 → CWE
Completeness (full + mostly) 29.7% 46.5%
Scope — no counterpart (none) 37.2% 11.0%
Counterpart coverage 44 mapped 57 of 106 (53.8%)
Reverse-presence (bidirectionality) 96.7%
Extent-rank correlation (forward vs reverse) 0.711

Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.

Abstraction

CWENIST CSF 2.0
Breadth (avg counterparts per entity) 3.52.3
Depth (avg coverage strength, 0–3) 1.311.47

Verdict: CWE sits at a higher level of abstraction (fans out more).

CWE abstraction: Base 28, Class 12, Variant 3, Pillar 1

CSF subcategories by function: DE 11, GV 10, ID 11, PR 17, RC 2, RS 6

Raw data

Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX

JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.