Cyber Resilience

Cross-walk release · 10 June 2026

NIST 800-53 r5 ↔ OWASP ASVS 5.0

A two-way mapping between NIST 800-53 r5 and OWASP ASVS 5.0: 627 related pairs, 1254 directional rows, LLM-authored (covers · covers) and human-QA’d (cohort bulk_after_review_2026_06_08 where applicable). ← all releases

What we add (no authoritative mapping exists)

No standards body publishes a NIST 800-53 r5 ↔ OWASP ASVS 5.0 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.

Reliability

NIST 800-53 r5 → OWASP ASVS 5.0OWASP ASVS 5.0 → NIST 800-53 r5
Completeness (full + mostly) 43.7% 3.0%
Scope — no counterpart (none) 65.7% 8.8%
Counterpart coverage 108 of 324 (33.3%) 273 of 345 (79.1%)
Reverse-presence (bidirectionality) 74.4%
Extent-rank correlation (forward vs reverse) -0.054

Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.

Abstraction

NIST 800-53 r5OWASP ASVS 5.0
Breadth (avg counterparts per entity) 2.722.2
Depth (avg coverage strength, 0–3) 1.861.03

Verdict: NIST 800-53 r5 sits at a higher level of abstraction (fans out more).

800-53 entities: 97 controls, 11 enhancements

Raw data

Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX

JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.