NIST 800-53 r5 ↔ OWASP ASVS 5.0
A two-way mapping between NIST 800-53 r5 and
OWASP ASVS 5.0: 627 related pairs, 1254 directional
rows, LLM-authored (covers · covers) and human-QA’d
(cohort bulk_after_review_2026_06_08 where applicable).
← all releases
What we add (no authoritative mapping exists)
No standards body publishes a NIST 800-53 r5 ↔ OWASP ASVS 5.0 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.
Reliability
| NIST 800-53 r5 → OWASP ASVS 5.0 | OWASP ASVS 5.0 → NIST 800-53 r5 | |
|---|---|---|
| Completeness (full + mostly) | 43.7% | 3.0% |
| Scope — no counterpart (none) | 65.7% | 8.8% |
| Counterpart coverage | 108 of 324 (33.3%) | 273 of 345 (79.1%) |
| Reverse-presence (bidirectionality) | 74.4% |
|---|---|
| Extent-rank correlation (forward vs reverse) | -0.054 |
Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.
Abstraction
| NIST 800-53 r5 | OWASP ASVS 5.0 | |
|---|---|---|
| Breadth (avg counterparts per entity) | 2.72 | 2.2 |
| Depth (avg coverage strength, 0–3) | 1.86 | 1.03 |
Verdict: NIST 800-53 r5 sits at a higher level of abstraction (fans out more).
800-53 entities: 97 controls, 11 enhancements
Raw data
Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX
JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.