NIST 800-53 r5 — cumulative coverage
Our cross-walks give NIST 800-53 r5 at least partial inbound coverage on 63.9% of its 324 base controls, mostly or better on 31.8%. Each control's verdict is the strongest single inbound
mapping; the bar shows the spread and the row shows how many sources (and from which frameworks)
contribute. Authoritative mappings only.
Identification and Authentication
13/13 · 100.0% ≥partial · 76.9% ≥mostly
IA-5.1 · Password-based Authentication · Full · 12 src · OWASP ASVS 5.0 10, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
IA-5 · Authenticator Management · Mostly · 54 src · OWASP ASVS 5.0 47, NIST CSF 2.0 6, OWASP Web Top 10 (2025) 1
IA-13 · Identity Providers and Authorization Servers · Mostly · 38 src · OWASP ASVS 5.0 32, NIST CSF 2.0 4, OWASP Web Top 10 (2025) 2
IA-2 · Identification and Authentication (Organizational Users) · Mostly · 16 src · OWASP ASVS 5.0 14, NIST CSF 2.0 2
IA-10 · Adaptive Authentication · Mostly · 11 src · OWASP ASVS 5.0 10, NIST CSF 2.0 1
IA-4 · Identifier Management · Mostly · 7 src · OWASP ASVS 5.0 6, NIST CSF 2.0 1
IA-9 · Service Identification and Authentication · Mostly · 6 src · OWASP ASVS 5.0 4, NIST CSF 2.0 2
IA-12 · Identity Proofing · Mostly · 5 src · OWASP ASVS 5.0 4, NIST CSF 2.0 1
IA-11 · Re-authentication · Mostly · 4 src · OWASP ASVS 5.0 3, NIST CSF 2.0 1
IA-8 · Identification and Authentication (Non-organizational Users) · Mostly · 4 src · NIST CSF 2.0 2, OWASP ASVS 5.0 2
IA-13.3 · Token Management · Mostly · 3 src · OWASP ASVS 5.0 3
IA-3 · Device Identification and Authentication · Mostly · 2 src · NIST CSF 2.0 2
IA-2.5 · Individual Authentication with Group Authentication · Mostly · 1 src · NIST CSF 2.0 1
IA-1 · Policy and Procedures · Partial · 22 src · OWASP ASVS 5.0 19, NIST CSF 2.0 3
IA-13.1 · Protection of Cryptographic Keys · Partial · 2 src · OWASP ASVS 5.0 2
IA-2.6 · Access to Accounts — separate Device · Partial · 2 src · OWASP ASVS 5.0 2
IA-5.2 · Public Key-based Authentication · Partial · 2 src · OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
IA-7 · Cryptographic Module Authentication · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
IA-6 · Authentication Feedback · Partial · 1 src · OWASP ASVS 5.0 1

Supply Chain Risk Management
9/12 · 75.0% ≥partial · 58.3% ≥mostly
SR-6 · Supplier Assessments and Reviews · Full · 10 src · NIST CSF 2.0 10
SR-2 · Supply Chain Risk Management Plan · Mostly · 13 src · NIST CSF 2.0 13
SR-3 · Supply Chain Controls and Processes · Mostly · 10 src · NIST CSF 2.0 9, OWASP Web Top 10 (2025) 1
SR-1 · Policy and Procedures · Mostly · 9 src · NIST CSF 2.0 9
SR-5 · Acquisition Strategies, Tools, and Methods · Mostly · 8 src · NIST CSF 2.0 8
SR-8 · Notification Agreements · Mostly · 6 src · NIST CSF 2.0 6
SR-12 · Component Disposal · Mostly · 1 src · NIST CSF 2.0 1
SR-11 · Component Authenticity · Partial · 2 src · OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
SR-10 · Inspection of Systems or Components · Partial · 1 src · NIST CSF 2.0 1

Configuration Management
14/14 · 100.0% ≥partial · 57.1% ≥mostly
CM-7 · Least Functionality · Full · 4 src · NIST CSF 2.0 2, OWASP ASVS 5.0 2
CM-7.2 · Prevent Program Execution · Full · 1 src · NIST CSF 2.0 1
CM-6 · Configuration Settings · Mostly · 24 src · OWASP ASVS 5.0 19, NIST CSF 2.0 4, OWASP Web Top 10 (2025) 1
CM-9 · Configuration Management Plan · Mostly · 16 src · OWASP ASVS 5.0 14, NIST CSF 2.0 2
CM-3 · Configuration Change Control · Mostly · 11 src · NIST CSF 2.0 5, OWASP ASVS 5.0 5, OWASP Web Top 10 (2025) 1
CM-2 · Baseline Configuration · Mostly · 7 src · OWASP ASVS 5.0 6, NIST CSF 2.0 1
CM-11 · User-installed Software · Mostly · 4 src · NIST CSF 2.0 4
CM-8 · System Component Inventory · Mostly · 4 src · NIST CSF 2.0 3, OWASP ASVS 5.0 1
CM-4 · Impact Analyses · Mostly · 3 src · NIST CSF 2.0 3
CM-7.4 · Unauthorized Software — Deny-by-exception · Mostly · 1 src · NIST CSF 2.0 1
CM-7.5 · Authorized Software — Allow-by-exception · Mostly · 1 src · NIST CSF 2.0 1
CM-1 · Policy and Procedures · Partial · 9 src · OWASP ASVS 5.0 6, NIST CSF 2.0 3
CM-12 · Information Location · Partial · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
CM-10 · Software Usage Restrictions · Partial · 2 src · NIST CSF 2.0 2
CM-5 · Access Restrictions for Change · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
CM-13 · Data Action Mapping · Partial · 1 src · NIST CSF 2.0 1
CM-14 · Signed Components · Partial · 1 src · OWASP Web Top 10 (2025) 1

Risk Assessment
8/10 · 80.0% ≥partial · 50.0% ≥mostly
RA-3 · Risk Assessment · Mostly · 23 src · NIST CSF 2.0 23
RA-1 · Policy and Procedures · Mostly · 11 src · NIST CSF 2.0 11
RA-7 · Risk Response · Mostly · 8 src · NIST CSF 2.0 8
RA-5 · Vulnerability Monitoring and Scanning · Mostly · 7 src · NIST CSF 2.0 7
RA-9 · Criticality Analysis · Mostly · 4 src · NIST CSF 2.0 4
RA-3.3 · Dynamic Threat Awareness · Mostly · 1 src · NIST CSF 2.0 1
RA-2 · Security Categorization · Partial · 3 src · NIST CSF 2.0 3
RA-10 · Threat Hunting · Partial · 1 src · NIST CSF 2.0 1
RA-8 · Privacy Impact Assessments · Partial · 1 src · NIST CSF 2.0 1

Physical and Environmental Protection
16/23 · 69.6% ≥partial · 43.5% ≥mostly
PE-3 · Physical Access Control · Mostly · 2 src · NIST CSF 2.0 2
PE-6 · Monitoring Physical Access · Mostly · 2 src · NIST CSF 2.0 2
PE-13 · Fire Protection · Mostly · 1 src · NIST CSF 2.0 1
PE-14 · Environmental Controls · Mostly · 1 src · NIST CSF 2.0 1
PE-2 · Physical Access Authorizations · Mostly · 1 src · NIST CSF 2.0 1
PE-20 · Asset Monitoring and Tracking · Mostly · 1 src · NIST CSF 2.0 1
PE-23 · Facility Location · Mostly · 1 src · NIST CSF 2.0 1
PE-4 · Access Control for Transmission · Mostly · 1 src · NIST CSF 2.0 1
PE-8 · Visitor Access Records · Mostly · 1 src · NIST CSF 2.0 1
PE-9 · Power Equipment and Cabling · Mostly · 1 src · NIST CSF 2.0 1
PE-1 · Policy and Procedures · Partial · 2 src · NIST CSF 2.0 2
PE-18 · Location of System Components · Partial · 2 src · NIST CSF 2.0 2
PE-10 · Emergency Shutoff · Partial · 1 src · NIST CSF 2.0 1
PE-11 · Emergency Power · Partial · 1 src · NIST CSF 2.0 1
PE-15 · Water Damage Protection · Partial · 1 src · NIST CSF 2.0 1
PE-5 · Access Control for Output Devices · Partial · 1 src · NIST CSF 2.0 1

Contingency Planning
7/13 · 53.8% ≥partial · 38.5% ≥mostly
CP-2 · Contingency Plan · Mostly · 10 src · NIST CSF 2.0 10
CP-10 · System Recovery and Reconstitution · Mostly · 4 src · NIST CSF 2.0 4
CP-9 · System Backup · Mostly · 2 src · NIST CSF 2.0 2
CP-2.8 · Identify Critical Assets · Mostly · 1 src · NIST CSF 2.0 1
CP-4 · Contingency Plan Testing · Mostly · 1 src · NIST CSF 2.0 1
CP-6 · Alternate Storage Site · Mostly · 1 src · NIST CSF 2.0 1
CP-9.3 · Separate Storage for Critical Information · Mostly · 1 src · NIST CSF 2.0 1
CP-1 · Policy and Procedures · Partial · 4 src · NIST CSF 2.0 4
CP-3 · Contingency Training · Partial · 2 src · NIST CSF 2.0 2
CP-2.5 · Continue Mission and Business Functions · Partial · 1 src · NIST CSF 2.0 1

Access Control
18/25 · 72.0% ≥partial · 36.0% ≥mostly
AC-6 · Least Privilege · Full · 12 src · OWASP ASVS 5.0 10, NIST CSF 2.0 2
AC-19.5 · Full Device or Container-based Encryption · Full · 1 src · NIST CSF 2.0 1
AC-5 · Separation of Duties · Full · 1 src · NIST CSF 2.0 1
AC-2 · Account Management · Mostly · 24 src · OWASP ASVS 5.0 18, NIST CSF 2.0 6
AC-1 · Policy and Procedures · Mostly · 13 src · OWASP ASVS 5.0 8, NIST CSF 2.0 5
AC-3 · Access Enforcement · Mostly · 9 src · OWASP ASVS 5.0 6, NIST CSF 2.0 3
AC-24 · Access Control Decisions · Mostly · 8 src · OWASP ASVS 5.0 6, NIST CSF 2.0 1, OWASP Web Top 10 (2025) 1
AC-17 · Remote Access · Mostly · 5 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2
AC-4 · Information Flow Enforcement · Mostly · 3 src · NIST CSF 2.0 3
AC-19 · Access Control for Mobile Devices · Mostly · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
AC-16 · Security and Privacy Attributes · Partial · 18 src · OWASP ASVS 5.0 17, NIST CSF 2.0 1
AC-25 · Reference Monitor · Partial · 9 src · OWASP ASVS 5.0 9
AC-3.3 · Mandatory Access Control · Partial · 7 src · OWASP ASVS 5.0 6, OWASP Web Top 10 (2025) 1
AC-12 · Session Termination · Partial · 5 src · OWASP ASVS 5.0 4, NIST CSF 2.0 1
AC-10 · Concurrent Session Control · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
AC-11 · Device Lock · Partial · 2 src · OWASP ASVS 5.0 2
AC-18 · Wireless Access · Partial · 2 src · NIST CSF 2.0 2
AC-20 · Use of External Systems · Partial · 2 src · NIST CSF 2.0 2
AC-3.4 · Discretionary Access Control · Partial · 2 src · OWASP ASVS 5.0 2
AC-14 · Permitted Actions Without Identification or Authentication · Partial · 1 src · OWASP ASVS 5.0 1
AC-4.27 · Redundant/Independent Filtering Mechanisms · Partial · 1 src · OWASP ASVS 5.0 1
AC-8 · System Use Notification · Partial · 1 src · OWASP ASVS 5.0 1

Awareness and Training
2/6 · 33.3% ≥partial · 33.3% ≥mostly
AT-2 · Literacy Training and Awareness · Mostly · 2 src · NIST CSF 2.0 2
AT-3 · Role-based Training · Mostly · 2 src · NIST CSF 2.0 2

Assessment, Authorization, and Monitoring
7/9 · 77.8% ≥partial · 33.3% ≥mostly
CA-1 · Policy and Procedures · Mostly · 5 src · NIST CSF 2.0 5
CA-5 · Plan of Action and Milestones · Mostly · 4 src · NIST CSF 2.0 4
CA-2 · Control Assessments · Mostly · 3 src · NIST CSF 2.0 3
CA-7 · Continuous Monitoring · Partial · 11 src · NIST CSF 2.0 11
CA-3 · Information Exchange · Partial · 3 src · NIST CSF 2.0 3
CA-8 · Penetration Testing · Partial · 1 src · NIST CSF 2.0 1
CA-9 · Internal System Connections · Partial · 1 src · NIST CSF 2.0 1

System and Services Acquisition
13/24 · 54.2% ≥partial · 33.3% ≥mostly
SA-15 · Development Process, Standards, and Tools · Mostly · 22 src · OWASP ASVS 5.0 21, NIST CSF 2.0 1
SA-4 · Acquisition Process · Mostly · 15 src · NIST CSF 2.0 7, OWASP ASVS 5.0 7, OWASP Web Top 10 (2025) 1
SA-3 · System Development Life Cycle · Mostly · 13 src · OWASP ASVS 5.0 10, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1
SA-11 · Developer Testing and Evaluation · Mostly · 7 src · OWASP ASVS 5.0 5, NIST CSF 2.0 2
SA-9 · External System Services · Mostly · 7 src · NIST CSF 2.0 7
SA-8 · Security and Privacy Engineering Principles · Mostly · 6 src · NIST CSF 2.0 3, OWASP Web Top 10 (2025) 2, OWASP ASVS 5.0 1
SA-10 · Developer Configuration Management · Mostly · 4 src · OWASP ASVS 5.0 3, NIST CSF 2.0 1
SA-22 · Unsupported System Components · Mostly · 4 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1, OWASP Web Top 10 (2025) 1
SA-11.2 · Threat Modeling and Vulnerability Analyses · Mostly · 1 src · NIST CSF 2.0 1
SA-17 · Developer Security and Privacy Architecture and Design · Partial · 12 src · OWASP ASVS 5.0 9, OWASP Web Top 10 (2025) 2, NIST CSF 2.0 1
SA-24 · Design For Cyber Resiliency · Partial · 6 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1
SA-1 · Policy and Procedures · Partial · 5 src · NIST CSF 2.0 3, OWASP ASVS 5.0 2
SA-5 · System Documentation · Partial · 4 src · OWASP ASVS 5.0 4
SA-15.7 · Automated Vulnerability Analysis · Partial · 1 src · NIST CSF 2.0 1
SA-23 · Specialization · Partial · 1 src · OWASP ASVS 5.0 1

Audit and Accountability
12/16 · 75.0% ≥partial · 31.2% ≥mostly
AU-3 · Content of Audit Records · Full · 9 src · OWASP ASVS 5.0 7, NIST CSF 2.0 2
AU-9 · Protection of Audit Information · Full · 5 src · NIST CSF 2.0 3, OWASP ASVS 5.0 2
AU-12 · Audit Record Generation · Mostly · 15 src · OWASP ASVS 5.0 8, NIST CSF 2.0 6, OWASP Web Top 10 (2025) 1
AU-6 · Audit Record Review, Analysis, and Reporting · Mostly · 10 src · NIST CSF 2.0 10
AU-13 · Monitoring for Information Disclosure · Mostly · 3 src · NIST CSF 2.0 3
AU-2 · Event Logging · Partial · 12 src · OWASP ASVS 5.0 6, NIST CSF 2.0 5, OWASP Web Top 10 (2025) 1
AU-10 · Non-repudiation · Partial · 5 src · OWASP ASVS 5.0 4, NIST CSF 2.0 1
AU-1 · Policy and Procedures · Partial · 4 src · NIST CSF 2.0 3, OWASP ASVS 5.0 1
AU-8 · Time Stamps · Partial · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
AU-7 · Audit Record Reduction and Report Generation · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
AU-11 · Audit Record Retention · Partial · 1 src · NIST CSF 2.0 1
AU-5 · Response to Audit Logging Process Failures · Partial · 1 src · OWASP Web Top 10 (2025) 1

Program Management
23/32 · 71.9% ≥partial · 31.2% ≥mostly
PM-5 · System Inventory · Full · 2 src · NIST CSF 2.0 2
PM-30 · Supply Chain Risk Management Strategy · Mostly · 15 src · NIST CSF 2.0 15
PM-4 · Plan of Action and Milestones Process · Mostly · 10 src · NIST CSF 2.0 10
PM-14 · Testing, Training, and Monitoring · Mostly · 7 src · NIST CSF 2.0 7
PM-10 · Authorization Process · Mostly · 5 src · NIST CSF 2.0 5
PM-11 · Mission and Business Process Definition · Mostly · 4 src · NIST CSF 2.0 4
PM-16 · Threat Awareness Program · Mostly · 4 src · NIST CSF 2.0 4
PM-2 · Information Security Program Leadership Role · Mostly · 2 src · NIST CSF 2.0 2
PM-29 · Risk Management Program Leadership Roles · Mostly · 2 src · NIST CSF 2.0 2
PM-3 · Information Security and Privacy Resources · Mostly · 1 src · NIST CSF 2.0 1
PM-30.1 · Suppliers of Critical or Mission-essential Items · Mostly · 1 src · NIST CSF 2.0 1
PM-9 · Risk Management Strategy · Partial · 18 src · NIST CSF 2.0 18
PM-1 · Information Security Program Plan · Partial · 16 src · NIST CSF 2.0 16
PM-18 · Privacy Program Plan · Partial · 5 src · NIST CSF 2.0 5
PM-28 · Risk Framing · Partial · 4 src · NIST CSF 2.0 4
PM-17 · Protecting Controlled Unclassified Information on External Systems · Partial · 2 src · NIST CSF 2.0 2
PM-31 · Continuous Monitoring Strategy · Partial · 2 src · NIST CSF 2.0 2
PM-12 · Insider Threat Program · Partial · 1 src · NIST CSF 2.0 1
PM-13 · Security and Privacy Workforce · Partial · 1 src · NIST CSF 2.0 1
PM-15 · Security and Privacy Groups and Associations · Partial · 1 src · NIST CSF 2.0 1
PM-19 · Privacy Program Leadership Role · Partial · 1 src · NIST CSF 2.0 1
PM-23 · Data Governance Body · Partial · 1 src · NIST CSF 2.0 1
PM-6 · Measures of Performance · Partial · 1 src · NIST CSF 2.0 1
PM-8 · Critical Infrastructure Plan · Partial · 1 src · NIST CSF 2.0 1

Incident Response
7/10 · 70.0% ≥partial · 30.0% ≥mostly
IR-8 · Incident Response Plan · Mostly · 8 src · NIST CSF 2.0 8
IR-6 · Incident Reporting · Mostly · 5 src · NIST CSF 2.0 5
IR-7 · Incident Response Assistance · Mostly · 1 src · NIST CSF 2.0 1
IR-4 · Incident Handling · Partial · 26 src · NIST CSF 2.0 26
IR-5 · Incident Monitoring · Partial · 4 src · NIST CSF 2.0 4
IR-9 · Information Spillage Response · Partial · 4 src · NIST CSF 2.0 4
IR-1 · Policy and Procedures · Partial · 2 src · NIST CSF 2.0 2
IR-4.8 · Correlation with External Organizations · Partial · 1 src · NIST CSF 2.0 1
IR-8.1 · Breaches · Partial · 1 src · NIST CSF 2.0 1

System and Communications Protection
27/51 · 52.9% ≥partial · 25.5% ≥mostly
SC-8 · Transmission Confidentiality and Integrity · Full · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
SC-12 · Cryptographic Key Establishment and Management · Mostly · 18 src · OWASP ASVS 5.0 14, NIST CSF 2.0 3, OWASP Web Top 10 (2025) 1
SC-7 · Boundary Protection · Mostly · 14 src · OWASP ASVS 5.0 11, NIST CSF 2.0 3
SC-13 · Cryptographic Protection · Mostly · 13 src · OWASP ASVS 5.0 11, NIST CSF 2.0 2
SC-17 · Public Key Infrastructure Certificates · Mostly · 7 src · OWASP ASVS 5.0 7
SC-35 · External Malicious Code Identification · Mostly · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
SC-24 · Fail in Known State · Mostly · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
SC-36 · Distributed Processing and Storage · Mostly · 2 src · NIST CSF 2.0 1, OWASP ASVS 5.0 1
SC-18 · Mobile Code · Mostly · 1 src · OWASP ASVS 5.0 1
SC-28 · Protection of Information at Rest · Mostly · 1 src · NIST CSF 2.0 1
SC-38 · Operations Security · Mostly · 1 src · NIST CSF 2.0 1
SC-39 · Process Isolation · Mostly · 1 src · NIST CSF 2.0 1
SC-4 · Information in Shared System Resources · Mostly · 1 src · NIST CSF 2.0 1
SC-1 · Policy and Procedures · Partial · 15 src · OWASP ASVS 5.0 11, NIST CSF 2.0 4
SC-11 · Trusted Path · Partial · 5 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2
SC-43 · Usage Restrictions · Partial · 4 src · OWASP ASVS 5.0 2, NIST CSF 2.0 2
SC-14 · Public Access Protections · Partial · 3 src · OWASP ASVS 5.0 3
SC-23 · Session Authenticity · Partial · 3 src · OWASP ASVS 5.0 3
SC-5 · Denial-of-service Protection · Partial · 3 src · NIST CSF 2.0 2, OWASP ASVS 5.0 1
SC-6 · Resource Availability · Partial · 3 src · NIST CSF 2.0 2, OWASP ASVS 5.0 1
SC-7.4 · External Telecommunications Services · Partial · 3 src · OWASP ASVS 5.0 2, NIST CSF 2.0 1
SC-46 · Cross Domain Policy Enforcement · Partial · 2 src · OWASP ASVS 5.0 2
SC-12.2 · Symmetric Keys · Partial · 1 src · OWASP ASVS 5.0 1
SC-20 · Secure Name/Address Resolution Service (Authoritative Source) · Partial · 1 src · NIST CSF 2.0 1
SC-25 · Thin Nodes · Partial · 1 src · OWASP ASVS 5.0 1
SC-32 · System Partitioning · Partial · 1 src · OWASP ASVS 5.0 1
SC-39.1 · Hardware Separation · Partial · 1 src · NIST CSF 2.0 1
SC-40 · Wireless Link Protection · Partial · 1 src · NIST CSF 2.0 1
SC-45 · System Time Synchronization · Partial · 1 src · OWASP ASVS 5.0 1
SC-49 · Hardware-enforced Separation and Policy Enforcement · Partial · 1 src · NIST CSF 2.0 1

System and Information Integrity
15/23 · 65.2% ≥partial · 17.4% ≥mostly
SI-10 · Information Input Validation · Mostly · 27 src · OWASP ASVS 5.0 27
SI-4 · System Monitoring · Mostly · 11 src · NIST CSF 2.0 10, OWASP ASVS 5.0 1
SI-2 · Flaw Remediation · Mostly · 6 src · NIST CSF 2.0 3, OWASP Web Top 10 (2025) 3
SI-7 · Software, Firmware, and Information Integrity · Mostly · 5 src · NIST CSF 2.0 4, OWASP Web Top 10 (2025) 1
SI-15 · Information Output Filtering · Partial · 21 src · OWASP ASVS 5.0 21
SI-1 · Policy and Procedures · Partial · 10 src · OWASP ASVS 5.0 7, NIST CSF 2.0 3
SI-9 · Information Input Restrictions · Partial · 6 src · OWASP ASVS 5.0 6
SI-3 · Malicious Code Protection · Partial · 5 src · OWASP ASVS 5.0 3, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
SI-11 · Error Handling · Partial · 3 src · OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1
SI-5 · Security Alerts, Advisories, and Directives · Partial · 3 src · NIST CSF 2.0 3
SI-18 · Personally Identifiable Information Quality Operations · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
SI-10.6 · Injection Prevention · Partial · 1 src · OWASP ASVS 5.0 1
SI-12 · Information Management and Retention · Partial · 1 src · NIST CSF 2.0 1
SI-13 · Predictable Failure Prevention · Partial · 1 src · NIST CSF 2.0 1
SI-16 · Memory Protection · Partial · 1 src · NIST CSF 2.0 1
SI-17 · Fail-safe Procedures · Partial · 1 src · OWASP ASVS 5.0 1
SI-2.7 · Root Cause Analysis · Partial · 1 src · NIST CSF 2.0 1
SI-4.15 · Wireless to Wireline Communications · Partial · 1 src · NIST CSF 2.0 1

Maintenance
3/7 · 42.9% ≥partial · 14.3% ≥mostly
MA-2 · Controlled Maintenance · Mostly · 1 src · NIST CSF 2.0 1
MA-1 · Policy and Procedures · Partial · 3 src · NIST CSF 2.0 3
MA-3.6 · Software Updates and Patches · Partial · 1 src · NIST CSF 2.0 1
MA-6 · Timely Maintenance · Partial · 1 src · NIST CSF 2.0 1

Media Protection
6/8 · 75.0% ≥partial · 0.0% ≥mostly
MP-1 · Policy and Procedures · Partial · 5 src · OWASP ASVS 5.0 3, NIST CSF 2.0 2
MP-6 · Media Sanitization · Partial · 4 src · OWASP ASVS 5.0 3, NIST CSF 2.0 1
MP-4 · Media Storage · Partial · 2 src · OWASP ASVS 5.0 1, NIST CSF 2.0 1
MP-2 · Media Access · Partial · 1 src · OWASP ASVS 5.0 1
MP-5 · Media Transport · Partial · 1 src · NIST CSF 2.0 1
MP-8 · Media Downgrading · Partial · 1 src · OWASP ASVS 5.0 1

Planning
3/11 · 27.3% ≥partial · 0.0% ≥mostly
PL-2 · System Security and Privacy Plans · Partial · 9 src · NIST CSF 2.0 9
PL-1 · Policy and Procedures · Partial · 7 src · NIST CSF 2.0 7
PL-8 · Security and Privacy Architectures · Partial · 5 src · NIST CSF 2.0 4, OWASP Web Top 10 (2025) 1

Personnel Security
3/9 · 33.3% ≥partial · 0.0% ≥mostly
PS-1 · Policy and Procedures · Partial · 2 src · NIST CSF 2.0 2
PS-7 · External Personnel Security · Partial · 1 src · NIST CSF 2.0 1
PS-9 · Position Descriptions · Partial · 1 src · NIST CSF 2.0 1

Personally Identifiable Information Processing and Transparency
1/8 · 12.5% ≥partial · 0.0% ≥mostly
PT-1 · Policy and Procedures · Partial · 4 src · NIST CSF 2.0 4
"Cumulative" here means breadth of corroboration, not summed coverage: overlapping
partial mappings are NOT added up into "full". The headline per control is the best-attested single
mapping, shown alongside the count and source frameworks behind it.