Cyber Resilience

NIST 800-53 r5 — cumulative coverage

Our cross-walks give NIST 800-53 r5 at least partial inbound coverage on 63.9% of its 324 base controls, mostly or better on 31.8%. Each control's verdict is the strongest single inbound mapping; the bar shows the spread and the row shows how many sources (and from which frameworks) contribute. Authoritative mappings only.


Identification and Authentication
13/13 · 100.0% ≥partial · 76.9% ≥mostly
IA-5.1 · Password-based Authentication · Full · 12 src · OWASP ASVS 5.0 10, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
IA-5 · Authenticator Management · Mostly · 54 src · OWASP ASVS 5.0 47, NIST CSF 2.0 6, OWASP Web Top 10 (2025) 1
IA-13 · Identity Providers and Authorization Servers · Mostly · 38 src · OWASP ASVS 5.0 32, NIST CSF 2.0 4, OWASP Web Top 10 (2025) 2
IA-2 · Identification and Authentication (Organizational Users) · Mostly · 16 src · OWASP ASVS 5.0 14, NIST CSF 2.0 2
IA-10 · Adaptive Authentication · Mostly · 11 src · OWASP ASVS 5.0 10, NIST CSF 2.0 1
IA-4 · Identifier Management · Mostly · 7 src · OWASP ASVS 5.0 6, NIST CSF 2.0 1
IA-9 · Service Identification and Authentication · Mostly · 6 src · OWASP ASVS 5.0 4, NIST CSF 2.0 2
IA-12 · Identity Proofing · Mostly · 5 src · OWASP ASVS 5.0 4, NIST CSF 2.0 1
IA-11 · Re-authentication · Mostly · 4 src · OWASP ASVS 5.0 3, NIST CSF 2.0 1
IA-8 · Identification and Authentication (Non-organizational Users) · Mostly · 4 src · NIST CSF 2.0 2, OWASP ASVS 5.0 2
IA-13.3 · Token Management · Mostly · 3 src · OWASP ASVS 5.0 3
IA-3 · Device Identification and Authentication · Mostly · 2 src · NIST CSF 2.0 2
IA-2.5 · Individual Authentication with Group Authentication · Mostly · 1 src · NIST CSF 2.0 1
IA-1 · Policy and Procedures · Partial · 22 src · OWASP ASVS 5.0 19, NIST CSF 2.0 3
IA-13.1 · Protection of Cryptographic Keys · Partial · 2 src · OWASP ASVS 5.0 2
IA-2.6 · Access to Accounts — Separate Device · Partial · 2 src · OWASP ASVS 5.0 2
IA-5.2 · Public Key-based Authentication · Partial · 2 src · OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
IA-7 · Cryptographic Module Authentication · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
IA-6 · Authentication Feedback · Partial · 1 src · OWASP ASVS 5.0 1
Supply Chain Risk Management
9/12 · 75.0% ≥partial · 58.3% ≥mostly
SR-6 · Supplier Assessments and Reviews · Full · 10 src · NIST CSF 2.0 10
SR-2 · Supply Chain Risk Management Plan · Mostly · 13 src · NIST CSF 2.0 13
SR-3 · Supply Chain Controls and Processes · Mostly · 10 src · NIST CSF 2.0 9, OWASP Web Top 10 (2025) 1
SR-1 · Policy and Procedures · Mostly · 9 src · NIST CSF 2.0 9
SR-5 · Acquisition Strategies, Tools, and Methods · Mostly · 8 src · NIST CSF 2.0 8
SR-8 · Notification Agreements · Mostly · 6 src · NIST CSF 2.0 6
SR-12 · Component Disposal · Mostly · 1 src · NIST CSF 2.0 1
SR-11 · Component Authenticity · Partial · 2 src · OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
SR-10 · Inspection of Systems or Components · Partial · 1 src · NIST CSF 2.0 1
Configuration Management
14/14 · 100.0% ≥partial · 57.1% ≥mostly
CM-7 · Least Functionality · Full · 4 src · NIST CSF 2.0 2, OWASP ASVS 5.0 2
CM-7.2 · Prevent Program Execution · Full · 1 src · NIST CSF 2.0 1
CM-6 · Configuration Settings · Mostly · 24 src · OWASP ASVS 5.0 19, NIST CSF 2.0 4, OWASP Web Top 10 (2025) 1
CM-9 · Configuration Management Plan · Mostly · 16 src · OWASP ASVS 5.0 14, NIST CSF 2.0 2
CM-3 · Configuration Change Control · Mostly · 11 src · NIST CSF 2.0 5, OWASP ASVS 5.0 5, OWASP Web Top 10 (2025) 1
CM-2 · Baseline Configuration · Mostly · 7 src · OWASP ASVS 5.0 6, NIST CSF 2.0 1
CM-11 · User-installed Software · Mostly · 4 src · NIST CSF 2.0 4
CM-8 · System Component Inventory · Mostly · 4 src · NIST CSF 2.0 3, OWASP ASVS 5.0 1
CM-4 · Impact Analyses · Mostly · 3 src · NIST CSF 2.0 3
CM-7.4 · Unauthorized Software — Deny-by-exception · Mostly · 1 src · NIST CSF 2.0 1
CM-7.5 · Authorized Software — Allow-by-exception · Mostly · 1 src · NIST CSF 2.0 1
CM-1 · Policy and Procedures · Partial · 9 src · OWASP ASVS 5.0 6, NIST CSF 2.0 3
CM-12 · Information Location · Partial · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
CM-10 · Software Usage Restrictions · Partial · 2 src · NIST CSF 2.0 2
CM-5 · Access Restrictions for Change · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
CM-13 · Data Action Mapping · Partial · 1 src · NIST CSF 2.0 1
CM-14 · Signed Components · Partial · 1 src · OWASP Web Top 10 (2025) 1
Risk Assessment
8/10 · 80.0% ≥partial · 50.0% ≥mostly
RA-3 · Risk Assessment · Mostly · 23 src · NIST CSF 2.0 23
RA-1 · Policy and Procedures · Mostly · 11 src · NIST CSF 2.0 11
RA-7 · Risk Response · Mostly · 8 src · NIST CSF 2.0 8
RA-5 · Vulnerability Monitoring and Scanning · Mostly · 7 src · NIST CSF 2.0 7
RA-9 · Criticality Analysis · Mostly · 4 src · NIST CSF 2.0 4
RA-3.3 · Dynamic Threat Awareness · Mostly · 1 src · NIST CSF 2.0 1
RA-2 · Security Categorization · Partial · 3 src · NIST CSF 2.0 3
RA-10 · Threat Hunting · Partial · 1 src · NIST CSF 2.0 1
RA-8 · Privacy Impact Assessments · Partial · 1 src · NIST CSF 2.0 1
Physical and Environmental Protection
16/23 · 69.6% ≥partial · 43.5% ≥mostly
PE-3 · Physical Access Control · Mostly · 2 src · NIST CSF 2.0 2
PE-6 · Monitoring Physical Access · Mostly · 2 src · NIST CSF 2.0 2
PE-13 · Fire Protection · Mostly · 1 src · NIST CSF 2.0 1
PE-14 · Environmental Controls · Mostly · 1 src · NIST CSF 2.0 1
PE-2 · Physical Access Authorizations · Mostly · 1 src · NIST CSF 2.0 1
PE-20 · Asset Monitoring and Tracking · Mostly · 1 src · NIST CSF 2.0 1
PE-23 · Facility Location · Mostly · 1 src · NIST CSF 2.0 1
PE-4 · Access Control for Transmission · Mostly · 1 src · NIST CSF 2.0 1
PE-8 · Visitor Access Records · Mostly · 1 src · NIST CSF 2.0 1
PE-9 · Power Equipment and Cabling · Mostly · 1 src · NIST CSF 2.0 1
PE-1 · Policy and Procedures · Partial · 2 src · NIST CSF 2.0 2
PE-18 · Location of System Components · Partial · 2 src · NIST CSF 2.0 2
PE-10 · Emergency Shutoff · Partial · 1 src · NIST CSF 2.0 1
PE-11 · Emergency Power · Partial · 1 src · NIST CSF 2.0 1
PE-15 · Water Damage Protection · Partial · 1 src · NIST CSF 2.0 1
PE-5 · Access Control for Output Devices · Partial · 1 src · NIST CSF 2.0 1
Contingency Planning
7/13 · 53.8% ≥partial · 38.5% ≥mostly
CP-2 · Contingency Plan · Mostly · 10 src · NIST CSF 2.0 10
CP-10 · System Recovery and Reconstitution · Mostly · 4 src · NIST CSF 2.0 4
CP-9 · System Backup · Mostly · 2 src · NIST CSF 2.0 2
CP-2.8 · Identify Critical Assets · Mostly · 1 src · NIST CSF 2.0 1
CP-4 · Contingency Plan Testing · Mostly · 1 src · NIST CSF 2.0 1
CP-6 · Alternate Storage Site · Mostly · 1 src · NIST CSF 2.0 1
CP-9.3 · Separate Storage for Critical Information · Mostly · 1 src · NIST CSF 2.0 1
CP-1 · Policy and Procedures · Partial · 4 src · NIST CSF 2.0 4
CP-3 · Contingency Training · Partial · 2 src · NIST CSF 2.0 2
CP-2.5 · Continue Mission and Business Functions · Partial · 1 src · NIST CSF 2.0 1
Access Control
18/25 · 72.0% ≥partial · 36.0% ≥mostly
AC-6 · Least Privilege · Full · 12 src · OWASP ASVS 5.0 10, NIST CSF 2.0 2
AC-19.5 · Full Device or Container-based Encryption · Full · 1 src · NIST CSF 2.0 1
AC-5 · Separation of Duties · Full · 1 src · NIST CSF 2.0 1
AC-2 · Account Management · Mostly · 24 src · OWASP ASVS 5.0 18, NIST CSF 2.0 6
AC-1 · Policy and Procedures · Mostly · 13 src · OWASP ASVS 5.0 8, NIST CSF 2.0 5
AC-3 · Access Enforcement · Mostly · 9 src · OWASP ASVS 5.0 6, NIST CSF 2.0 3
AC-24 · Access Control Decisions · Mostly · 8 src · OWASP ASVS 5.0 6, NIST CSF 2.0 1, OWASP Web Top 10 (2025) 1
AC-17 · Remote Access · Mostly · 5 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2
AC-4 · Information Flow Enforcement · Mostly · 3 src · NIST CSF 2.0 3
AC-19 · Access Control for Mobile Devices · Mostly · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
AC-16 · Security and Privacy Attributes · Partial · 18 src · OWASP ASVS 5.0 17, NIST CSF 2.0 1
AC-25 · Reference Monitor · Partial · 9 src · OWASP ASVS 5.0 9
AC-3.3 · Mandatory Access Control · Partial · 7 src · OWASP ASVS 5.0 6, OWASP Web Top 10 (2025) 1
AC-12 · Session Termination · Partial · 5 src · OWASP ASVS 5.0 4, NIST CSF 2.0 1
AC-10 · Concurrent Session Control · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
AC-11 · Device Lock · Partial · 2 src · OWASP ASVS 5.0 2
AC-18 · Wireless Access · Partial · 2 src · NIST CSF 2.0 2
AC-20 · Use of External Systems · Partial · 2 src · NIST CSF 2.0 2
AC-3.4 · Discretionary Access Control · Partial · 2 src · OWASP ASVS 5.0 2
AC-14 · Permitted Actions Without Identification or Authentication · Partial · 1 src · OWASP ASVS 5.0 1
AC-4.27 · Redundant/Independent Filtering Mechanisms · Partial · 1 src · OWASP ASVS 5.0 1
AC-8 · System Use Notification · Partial · 1 src · OWASP ASVS 5.0 1
Awareness and Training
2/6 · 33.3% ≥partial · 33.3% ≥mostly
AT-2 · Literacy Training and Awareness · Mostly · 2 src · NIST CSF 2.0 2
AT-3 · Role-based Training · Mostly · 2 src · NIST CSF 2.0 2
Assessment, Authorization, and Monitoring
7/9 · 77.8% ≥partial · 33.3% ≥mostly
CA-1 · Policy and Procedures · Mostly · 5 src · NIST CSF 2.0 5
CA-5 · Plan of Action and Milestones · Mostly · 4 src · NIST CSF 2.0 4
CA-2 · Control Assessments · Mostly · 3 src · NIST CSF 2.0 3
CA-7 · Continuous Monitoring · Partial · 11 src · NIST CSF 2.0 11
CA-3 · Information Exchange · Partial · 3 src · NIST CSF 2.0 3
CA-8 · Penetration Testing · Partial · 1 src · NIST CSF 2.0 1
CA-9 · Internal System Connections · Partial · 1 src · NIST CSF 2.0 1
System and Services Acquisition
13/24 · 54.2% ≥partial · 33.3% ≥mostly
SA-15 · Development Process, Standards, and Tools · Mostly · 22 src · OWASP ASVS 5.0 21, NIST CSF 2.0 1
SA-4 · Acquisition Process · Mostly · 15 src · NIST CSF 2.0 7, OWASP ASVS 5.0 7, OWASP Web Top 10 (2025) 1
SA-3 · System Development Life Cycle · Mostly · 13 src · OWASP ASVS 5.0 10, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1
SA-11 · Developer Testing and Evaluation · Mostly · 7 src · OWASP ASVS 5.0 5, NIST CSF 2.0 2
SA-9 · External System Services · Mostly · 7 src · NIST CSF 2.0 7
SA-8 · Security and Privacy Engineering Principles · Mostly · 6 src · NIST CSF 2.0 3, OWASP Web Top 10 (2025) 2, OWASP ASVS 5.0 1
SA-10 · Developer Configuration Management · Mostly · 4 src · OWASP ASVS 5.0 3, NIST CSF 2.0 1
SA-22 · Unsupported System Components · Mostly · 4 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1, OWASP Web Top 10 (2025) 1
SA-11.2 · Threat Modeling and Vulnerability Analyses · Mostly · 1 src · NIST CSF 2.0 1
SA-17 · Developer Security and Privacy Architecture and Design · Partial · 12 src · OWASP ASVS 5.0 9, OWASP Web Top 10 (2025) 2, NIST CSF 2.0 1
SA-24 · Design For Cyber Resiliency · Partial · 6 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1
SA-1 · Policy and Procedures · Partial · 5 src · NIST CSF 2.0 3, OWASP ASVS 5.0 2
SA-5 · System Documentation · Partial · 4 src · OWASP ASVS 5.0 4
SA-15.7 · Automated Vulnerability Analysis · Partial · 1 src · NIST CSF 2.0 1
SA-23 · Specialization · Partial · 1 src · OWASP ASVS 5.0 1
Audit and Accountability
12/16 · 75.0% ≥partial · 31.2% ≥mostly
AU-3 · Content of Audit Records · Full · 9 src · OWASP ASVS 5.0 7, NIST CSF 2.0 2
AU-9 · Protection of Audit Information · Full · 5 src · NIST CSF 2.0 3, OWASP ASVS 5.0 2
AU-12 · Audit Record Generation · Mostly · 15 src · OWASP ASVS 5.0 8, NIST CSF 2.0 6, OWASP Web Top 10 (2025) 1
AU-6 · Audit Record Review, Analysis, and Reporting · Mostly · 10 src · NIST CSF 2.0 10
AU-13 · Monitoring for Information Disclosure · Mostly · 3 src · NIST CSF 2.0 3
AU-2 · Event Logging · Partial · 12 src · OWASP ASVS 5.0 6, NIST CSF 2.0 5, OWASP Web Top 10 (2025) 1
AU-10 · Non-repudiation · Partial · 5 src · OWASP ASVS 5.0 4, NIST CSF 2.0 1
AU-1 · Policy and Procedures · Partial · 4 src · NIST CSF 2.0 3, OWASP ASVS 5.0 1
AU-8 · Time Stamps · Partial · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
AU-7 · Audit Record Reduction and Report Generation · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
AU-11 · Audit Record Retention · Partial · 1 src · NIST CSF 2.0 1
AU-5 · Response to Audit Logging Process Failures · Partial · 1 src · OWASP Web Top 10 (2025) 1
Program Management
23/32 · 71.9% ≥partial · 31.2% ≥mostly
PM-5 · System Inventory · Full · 2 src · NIST CSF 2.0 2
PM-30 · Supply Chain Risk Management Strategy · Mostly · 15 src · NIST CSF 2.0 15
PM-4 · Plan of Action and Milestones Process · Mostly · 10 src · NIST CSF 2.0 10
PM-14 · Testing, Training, and Monitoring · Mostly · 7 src · NIST CSF 2.0 7
PM-10 · Authorization Process · Mostly · 5 src · NIST CSF 2.0 5
PM-11 · Mission and Business Process Definition · Mostly · 4 src · NIST CSF 2.0 4
PM-16 · Threat Awareness Program · Mostly · 4 src · NIST CSF 2.0 4
PM-2 · Information Security Program Leadership Role · Mostly · 2 src · NIST CSF 2.0 2
PM-29 · Risk Management Program Leadership Roles · Mostly · 2 src · NIST CSF 2.0 2
PM-3 · Information Security and Privacy Resources · Mostly · 1 src · NIST CSF 2.0 1
PM-30.1 · Suppliers of Critical or Mission-essential Items · Mostly · 1 src · NIST CSF 2.0 1
PM-9 · Risk Management Strategy · Partial · 18 src · NIST CSF 2.0 18
PM-1 · Information Security Program Plan · Partial · 16 src · NIST CSF 2.0 16
PM-18 · Privacy Program Plan · Partial · 5 src · NIST CSF 2.0 5
PM-28 · Risk Framing · Partial · 4 src · NIST CSF 2.0 4
PM-17 · Protecting Controlled Unclassified Information on External Systems · Partial · 2 src · NIST CSF 2.0 2
PM-31 · Continuous Monitoring Strategy · Partial · 2 src · NIST CSF 2.0 2
PM-12 · Insider Threat Program · Partial · 1 src · NIST CSF 2.0 1
PM-13 · Security and Privacy Workforce · Partial · 1 src · NIST CSF 2.0 1
PM-15 · Security and Privacy Groups and Associations · Partial · 1 src · NIST CSF 2.0 1
PM-19 · Privacy Program Leadership Role · Partial · 1 src · NIST CSF 2.0 1
PM-23 · Data Governance Body · Partial · 1 src · NIST CSF 2.0 1
PM-6 · Measures of Performance · Partial · 1 src · NIST CSF 2.0 1
PM-8 · Critical Infrastructure Plan · Partial · 1 src · NIST CSF 2.0 1
Incident Response
7/10 · 70.0% ≥partial · 30.0% ≥mostly
IR-8 · Incident Response Plan · Mostly · 8 src · NIST CSF 2.0 8
IR-6 · Incident Reporting · Mostly · 5 src · NIST CSF 2.0 5
IR-7 · Incident Response Assistance · Mostly · 1 src · NIST CSF 2.0 1
IR-4 · Incident Handling · Partial · 26 src · NIST CSF 2.0 26
IR-5 · Incident Monitoring · Partial · 4 src · NIST CSF 2.0 4
IR-9 · Information Spillage Response · Partial · 4 src · NIST CSF 2.0 4
IR-1 · Policy and Procedures · Partial · 2 src · NIST CSF 2.0 2
IR-4.8 · Correlation with External Organizations · Partial · 1 src · NIST CSF 2.0 1
IR-8.1 · Breaches · Partial · 1 src · NIST CSF 2.0 1
System and Communications Protection
27/51 · 52.9% ≥partial · 25.5% ≥mostly
SC-8 · Transmission Confidentiality and Integrity · Full · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
SC-12 · Cryptographic Key Establishment and Management · Mostly · 18 src · OWASP ASVS 5.0 14, NIST CSF 2.0 3, OWASP Web Top 10 (2025) 1
SC-7 · Boundary Protection · Mostly · 14 src · OWASP ASVS 5.0 11, NIST CSF 2.0 3
SC-13 · Cryptographic Protection · Mostly · 13 src · OWASP ASVS 5.0 11, NIST CSF 2.0 2
SC-17 · Public Key Infrastructure Certificates · Mostly · 7 src · OWASP ASVS 5.0 7
SC-35 · External Malicious Code Identification · Mostly · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
SC-24 · Fail in Known State · Mostly · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
SC-36 · Distributed Processing and Storage · Mostly · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
SC-18 · Mobile Code · Mostly · 1 src · OWASP ASVS 5.0 1
SC-28 · Protection of Information at Rest · Mostly · 1 src · NIST CSF 2.0 1
SC-38 · Operations Security · Mostly · 1 src · NIST CSF 2.0 1
SC-39 · Process Isolation · Mostly · 1 src · NIST CSF 2.0 1
SC-4 · Information in Shared System Resources · Mostly · 1 src · NIST CSF 2.0 1
SC-1 · Policy and Procedures · Partial · 15 src · OWASP ASVS 5.0 11, NIST CSF 2.0 4
SC-11 · Trusted Path · Partial · 5 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2
SC-43 · Usage Restrictions · Partial · 4 src · OWASP ASVS 5.0 2, NIST CSF 2.0 2
SC-14 · Public Access Protections · Partial · 3 src · OWASP ASVS 5.0 3
SC-23 · Session Authenticity · Partial · 3 src · OWASP ASVS 5.0 3
SC-5 · Denial-of-service Protection · Partial · 3 src · NIST CSF 2.0 2, OWASP ASVS 5.0 1
SC-6 · Resource Availability · Partial · 3 src · NIST CSF 2.0 2, OWASP ASVS 5.0 1
SC-7.4 · External Telecommunications Services · Partial · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
SC-46 · Cross Domain Policy Enforcement · Partial · 2 src · OWASP ASVS 5.0 2
SC-12.2 · Symmetric Keys · Partial · 1 src · OWASP ASVS 5.0 1
SC-20 · Secure Name/Address Resolution Service (Authoritative Source) · Partial · 1 src · NIST CSF 2.0 1
SC-25 · Thin Nodes · Partial · 1 src · OWASP ASVS 5.0 1
SC-32 · System Partitioning · Partial · 1 src · OWASP ASVS 5.0 1
SC-39.1 · Hardware Separation · Partial · 1 src · NIST CSF 2.0 1
SC-40 · Wireless Link Protection · Partial · 1 src · NIST CSF 2.0 1
SC-45 · System Time Synchronization · Partial · 1 src · OWASP ASVS 5.0 1
SC-49 · Hardware-enforced Separation and Policy Enforcement · Partial · 1 src · NIST CSF 2.0 1
System and Information Integrity
15/23 · 65.2% ≥partial · 17.4% ≥mostly
SI-10 · Information Input Validation · Mostly · 27 src · OWASP ASVS 5.0 27
SI-4 · System Monitoring · Mostly · 11 src · NIST CSF 2.0 10, OWASP ASVS 5.0 1
SI-2 · Flaw Remediation · Mostly · 6 src · NIST CSF 2.0 3, OWASP Web Top 10 (2025) 3
SI-7 · Software, Firmware, and Information Integrity · Mostly · 5 src · NIST CSF 2.0 4, OWASP Web Top 10 (2025) 1
SI-15 · Information Output Filtering · Partial · 21 src · OWASP ASVS 5.0 21
SI-1 · Policy and Procedures · Partial · 10 src · OWASP ASVS 5.0 7, NIST CSF 2.0 3
SI-9 · Information Input Restrictions · Partial · 6 src · OWASP ASVS 5.0 6
SI-3 · Malicious Code Protection · Partial · 5 src · OWASP ASVS 5.0 3, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
SI-11 · Error Handling · Partial · 3 src · OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1
SI-5 · Security Alerts, Advisories, and Directives · Partial · 3 src · NIST CSF 2.0 3
SI-18 · Personally Identifiable Information Quality Operations · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
SI-10.6 · Injection Prevention · Partial · 1 src · OWASP ASVS 5.0 1
SI-12 · Information Management and Retention · Partial · 1 src · NIST CSF 2.0 1
SI-13 · Predictable Failure Prevention · Partial · 1 src · NIST CSF 2.0 1
SI-16 · Memory Protection · Partial · 1 src · NIST CSF 2.0 1
SI-17 · Fail-safe Procedures · Partial · 1 src · OWASP ASVS 5.0 1
SI-2.7 · Root Cause Analysis · Partial · 1 src · NIST CSF 2.0 1
SI-4.15 · Wireless to Wireline Communications · Partial · 1 src · NIST CSF 2.0 1
Maintenance
3/7 · 42.9% ≥partial · 14.3% ≥mostly
MA-2 · Controlled Maintenance · Mostly · 1 src · NIST CSF 2.0 1
MA-1 · Policy and Procedures · Partial · 3 src · NIST CSF 2.0 3
MA-3.6 · Software Updates and Patches · Partial · 1 src · NIST CSF 2.0 1
MA-6 · Timely Maintenance · Partial · 1 src · NIST CSF 2.0 1
Media Protection
6/8 · 75.0% ≥partial · 0.0% ≥mostly
MP-1 · Policy and Procedures · Partial · 5 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2
MP-6 · Media Sanitization · Partial · 4 src · OWASP ASVS 5.0 3, NIST CSF 2.0 1
MP-4 · Media Storage · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
MP-2 · Media Access · Partial · 1 src · OWASP ASVS 5.0 1
MP-5 · Media Transport · Partial · 1 src · NIST CSF 2.0 1
MP-8 · Media Downgrading · Partial · 1 src · OWASP ASVS 5.0 1
Planning
3/11 · 27.3% ≥partial · 0.0% ≥mostly
PL-2 · System Security and Privacy Plans · Partial · 9 src · NIST CSF 2.0 9
PL-1 · Policy and Procedures · Partial · 7 src · NIST CSF 2.0 7
PL-8 · Security and Privacy Architectures · Partial · 5 src · NIST CSF 2.0 4, OWASP Web Top 10 (2025) 1
Personnel Security
3/9 · 33.3% ≥partial · 0.0% ≥mostly
PS-1 · Policy and Procedures · Partial · 2 src · NIST CSF 2.0 2
PS-7 · External Personnel Security · Partial · 1 src · NIST CSF 2.0 1
PS-9 · Position Descriptions · Partial · 1 src · NIST CSF 2.0 1
Personally Identifiable Information Processing and Transparency
1/8 · 12.5% ≥partial · 0.0% ≥mostly
PT-1 · Policy and Procedures · Partial · 4 src · NIST CSF 2.0 4

"Cumulative" here means breadth of corroboration, not summed coverage: overlapping partial mappings are NOT added up into "full". The headline per control is the best-attested single mapping, shown alongside the count and source frameworks behind it.