NIST 800-53 r5 ↔ OWASP Top 10 Web 2025
A two-way mapping between NIST 800-53 r5 and
OWASP Top 10 Web 2025: 41 related pairs, 82 directional
rows, LLM-authored (prevents · is prevented by) and human-QA’d
(cohort bulk_after_review_2026_06_08 where applicable).
← all releases
What we add (no authoritative mapping exists)
No standards body publishes a NIST 800-53 r5 ↔ OWASP Top 10 Web 2025 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.
Reliability
| NIST 800-53 r5 → OWASP Top 10 Web 2025 | OWASP Top 10 Web 2025 → NIST 800-53 r5 | |
|---|---|---|
| Completeness (full + mostly) | 47.5% | 3.2% |
| Scope — no counterpart (none) | 2.4% | 24.4% |
| Counterpart coverage | 33 of 324 (10.2%) | 10 of 10 (100.0%) |
| Reverse-presence (bidirectionality) | 77.5% |
|---|---|
| Extent-rank correlation (forward vs reverse) | 0.57 |
Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.
Abstraction
| NIST 800-53 r5 | OWASP Top 10 Web 2025 | |
|---|---|---|
| Breadth (avg counterparts per entity) | 1.21 | 3.44 |
| Depth (avg coverage strength, 0–3) | 1.48 | 1.03 |
Verdict: OWASP Top 10 Web 2025 sits at a higher level of abstraction (fans out more).
800-53 entities: 30 controls, 3 enhancements
Raw data
Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX
JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.