Cyber Resilience

Cross-walk release · 10 June 2026

NIST 800-53 r5 ↔ OWASP Top 10 Web 2025

A two-way mapping between NIST 800-53 r5 and OWASP Top 10 Web 2025: 41 related pairs, 82 directional rows, LLM-authored (prevents · is prevented by) and human-QA’d (cohort bulk_after_review_2026_06_08 where applicable).

What we add (no authoritative mapping exists)

No standards body publishes a NIST 800-53 r5 ↔ OWASP Top 10 Web 2025 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.

Reliability

| | NIST 800-53 r5 → OWASP Top 10 Web 2025 | OWASP Top 10 Web 2025 → NIST 800-53 r5 |
|---|---|---|
| Completeness (full + mostly) | 47.5% | 3.2% |
| Scope — no counterpart (none) | 2.4% | 24.4% |
| Counterpart coverage | 33 of 324 (10.2%) | 10 of 10 (100.0%) |

Reverse-presence (bidirectionality): 77.5%
Extent-rank correlation (forward vs reverse): 0.57

Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.
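
The three definitions above can be recomputed from a directional edge list. The sketch below is an added example, not code from this release: the row layout, the `CTRL-*`/`CAT-*` identifiers and the `low` extent label are constructed placeholders, and only `full`, `mostly` and `none` are labels named on this page.

```python
# Added example: recompute completeness, scope and reverse-presence from edge rows.
# Assumed row layout (not the release's schema): (direction, source_id, target_id, extent).
STRONG = {"full", "mostly"}  # extent labels named on the page
ABSENT = "none"              # pair has no coverage in this direction

# Constructed sample: 4 related pairs, one row per direction (8 rows).
# "low" stands in for any present-but-weaker extent label (assumed name).
EDGES = [
    ("fwd", "CTRL-A", "CAT-1", "full"),
    ("fwd", "CTRL-A", "CAT-2", "mostly"),
    ("fwd", "CTRL-B", "CAT-1", "low"),
    ("fwd", "CTRL-C", "CAT-3", "none"),
    ("rev", "CAT-1", "CTRL-A", "mostly"),
    ("rev", "CAT-2", "CTRL-A", "none"),
    ("rev", "CAT-1", "CTRL-B", "low"),
    ("rev", "CAT-3", "CTRL-C", "low"),
]


def direction_metrics(edges, direction):
    """Completeness and scope for one direction of the cross-walk."""
    rows = [e for e in edges if e[0] == direction]
    present = [e for e in rows if e[3] != ABSENT]
    strong = [e for e in present if e[3] in STRONG]
    return {
        # share of present edges rated full or mostly
        "completeness": len(strong) / len(present) if present else 0.0,
        # share of pairs with no coverage in this direction
        "scope_none": (len(rows) - len(present)) / len(rows) if rows else 0.0,
    }


def reverse_presence(edges, forward="fwd", reverse="rev"):
    """Of the present forward mappings, the share that also map back."""
    fwd = {(s, t) for d, s, t, x in edges if d == forward and x != ABSENT}
    # Flip reverse rows so both sets are keyed (forward source, forward target).
    rev = {(t, s) for d, s, t, x in edges if d == reverse and x != ABSENT}
    return len(fwd & rev) / len(fwd) if fwd else 0.0


if __name__ == "__main__":
    for d in ("fwd", "rev"):
        print(d, direction_metrics(EDGES, d))
    print("reverse-presence", reverse_presence(EDGES))
```

Running the same functions over the CSV download, after mapping its columns onto this layout, is a quick consistency check on the figures in the table.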

Abstraction

| | NIST 800-53 r5 | OWASP Top 10 Web 2025 |
|---|---|---|
| Breadth (avg counterparts per entity) | 1.21 | 3.44 |
| Depth (avg coverage strength, 0–3) | 1.48 | 1.03 |

Verdict: OWASP Top 10 Web 2025 sits at a higher level of abstraction (fans out more).

800-53 entities: 30 controls, 3 enhancements

Raw data

Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX

JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.