CWE ↔ NIST CSF 2.0
A two-way mapping between CWE and
NIST CSF 2.0: 145 related pairs, 290 directional
rows, LLM-authored (degrades / is prevented by · is degraded by / prevents) and human-QA’d
(cohort bulk_after_review_2026_06_08 where applicable).
← all releases
What we add (no authoritative mapping exists)
No standards body publishes a CWE ↔ NIST CSF 2.0 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.
Reliability
| CWE → NIST CSF 2.0 | NIST CSF 2.0 → CWE | |
|---|---|---|
| Completeness (full + mostly) | 29.7% | 46.5% |
| Scope — no counterpart (none) | 37.2% | 11.0% |
| Counterpart coverage | 44 mapped | 57 of 106 (53.8%) |
| Reverse-presence (bidirectionality) | 96.7% |
|---|---|
| Extent-rank correlation (forward vs reverse) | 0.711 |
Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.
Abstraction
| CWE | NIST CSF 2.0 | |
|---|---|---|
| Breadth (avg counterparts per entity) | 3.5 | 2.3 |
| Depth (avg coverage strength, 0–3) | 1.31 | 1.47 |
Verdict: CWE sits at a higher level of abstraction (fans out more).
CWE abstraction: Base 28, Class 12, Variant 3, Pillar 1
CSF subcategories by function: DE 11, GV 10, ID 11, PR 17, RC 2, RS 6
Raw data
Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX
JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.