
Out of the Box NIST Accelerator - Risk Statement

ajaymandal
Kilo Explorer

Hi Forum,

We’re currently in the process of implementing ServiceNow IRM in our organization, and I’m looking for some clarity around the NIST CSF Use Case Accelerator.

Specifically, I want to understand:

➡️ How many out‑of‑the‑box (OOTB) risk statements are provided as part of the NIST Accelerator package?

From the documentation and discussions I’ve reviewed so far, I can see that the NIST CSF Accelerator includes pre‑configured content such as policies, control objectives, risk statements, indicators, and other GRC elements. However, I haven’t been able to find any official count of how many risk statements come OOTB with the accelerator.

Before we finalize our implementation approach, we want to know what baseline content is available so we can plan whether additional risk statements need to be authored internally.

If anyone has an exact number—preferably from hands‑on experience or official ServiceNow documentation—it would be greatly appreciated.

Thanks in advance!

1 REPLY

JadaP
Tera Expert

Hey there, you're not missing anything. ServiceNow does not publish an official count of OOTB risk statements for the NIST CSF Use Case Accelerator anywhere in their public documentation or Store listing that I’m aware of. This is a known gap that trips up a lot of practitioners during implementation planning.

Here's what I can share from hands-on experience:

The most reliable way to get a count is to install the plugin on a Personal Developer Instance (PDI), ensure the accelerator is installed, then navigate to the Risk Statements list, and see what’s there. That's the only way to get a number you can actually plan around, because the content can vary depending on your version.

Version matters a lot here. The accelerator historically shipped with NIST CSF v1.1 content. NIST CSF 2.0 content was added in version 19.x (Washington DC release), but there's been community confusion around whether control objectives were updated vs. added as net-new records, so if you're targeting CSF 2.0, make sure you verify which version you're actually working with post-install.

One structural thing to be aware of before you start planning: the OOTB content is policy-dependent. The policy record is the binding link between your control objectives, citations, and risk statements. If you remove or scope out any OOTB policies, the relationships break, which can make it harder to isolate just the risk statements you need. Plan to triage the OOTB policies before deleting anything.

Bottom line on planning: most orgs find the OOTB risk statements give you a solid framework-aligned starting point, but they're rarely sufficient on their own. Budget for custom risk statement development on top of whatever baseline the accelerator provides.

Hope that helps you move forward, happy to answer any follow-up questions!
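The reply above recommends counting the Risk Statements list on a PDI and pinning the count to the installed accelerator version. The script below is an added example (not code from the thread and not ServiceNow's own tooling) that does both from outside the instance using the REST Aggregate API (`/api/now/stats/<table>` with `sysparm_count=true` and `sysparm_group_by`) and the Table API on `sys_store_app`. Grouping by `sys_scope` is one way to tell accelerator-shipped rows apart from locally authored ones. Assumptions that you should verify on your own instance: Risk Statements live in the table `sn_risk_definition`, the accelerator is an installed Store app whose name contains "NIST", and the instance URL and basic-auth credentials are supplied in the environment variables `SN_INSTANCE`, `SN_USER` and `SN_PASS`. The embedded sample response is constructed so the parsing runs without an instance.

```python
"""
count_risk_statements.py

Added example (not code from the thread or from ServiceNow). It uses two
public REST endpoints to turn "go look at the list" into a repeatable check:

  * /api/now/stats/<table> with sysparm_count=true and sysparm_group_by,
    to count rows in the Risk Statement table per application scope;
  * /api/now/table/sys_store_app to read the installed accelerator version,
    so the count is tied to a specific release.

Assumptions to verify on your instance: Risk Statements are stored in
sn_risk_definition, the accelerator is a scoped Store app whose name contains
"NIST", and SN_INSTANCE (https://dev12345.service-now.com), SN_USER and
SN_PASS are set in the environment.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

RISK_STATEMENT_TABLE = "sn_risk_definition"   # assumed table name


def stats_url(instance, table, group_by, query=None):
    """Aggregate API URL: count rows of `table`, grouped by `group_by`."""
    params = {"sysparm_count": "true", "sysparm_group_by": group_by}
    if query:
        params["sysparm_query"] = query       # encoded query, e.g. active=true
    return f"{instance}/api/now/stats/{table}?{urllib.parse.urlencode(params)}"


def app_version_url(instance, name_fragment):
    """Table API URL listing installed Store apps whose name contains the fragment."""
    params = {
        "sysparm_query": f"nameLIKE{name_fragment}",
        "sysparm_fields": "name,scope,version",
    }
    return f"{instance}/api/now/table/sys_store_app?{urllib.parse.urlencode(params)}"


def summarize_counts(payload, group_by):
    """Flatten a stats API response into {group value: row count}.

    Each result row looks like
      {"stats": {"count": "12"},
       "groupby_fields": [{"field": "sys_scope", "value": "<sys_id>"}]}
    A reference field such as sys_scope comes back as a sys_id; an empty
    value is reported under "(none)".
    """
    counts = {}
    for row in payload.get("result", []):
        key = "(none)"
        for gf in row.get("groupby_fields", []):
            if gf.get("field") == group_by and gf.get("value"):
                key = gf["value"]
        counts[key] = counts.get(key, 0) + int(row["stats"]["count"])
    return counts


def summarize_apps(payload):
    """Map installed app name -> version from a sys_store_app Table API response."""
    return {row["name"]: row.get("version", "") for row in payload.get("result", [])}


def get_json(url, user, password):
    """GET a ServiceNow REST URL with basic auth and return the decoded JSON body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "Authorization": f"Basic {token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample, shaped like a stats API response, so the parsing can be
# exercised offline. The sys_ids and counts are made up.
SAMPLE_STATS = {
    "result": [
        {"stats": {"count": "37"},
         "groupby_fields": [{"field": "sys_scope", "value": "a1b2c3d4e5f60718293a4b5c6d7e8f90"}]},
        {"stats": {"count": "5"},
         "groupby_fields": [{"field": "sys_scope", "value": "ffffffffffffffffffffffffffffffff"}]},
        {"stats": {"count": "2"},
         "groupby_fields": [{"field": "sys_scope", "value": ""}]},
    ]
}


def main():
    instance, user, password = (os.environ.get(k) for k in ("SN_INSTANCE", "SN_USER", "SN_PASS"))
    if not all((instance, user, password)):
        print("Set SN_INSTANCE, SN_USER and SN_PASS; showing the constructed sample instead.")
        print(summarize_counts(SAMPLE_STATS, "sys_scope"))
        return
    apps = summarize_apps(get_json(app_version_url(instance, "NIST"), user, password))
    for name, version in apps.items():
        print(f"{name}: {version}")
    counts = summarize_counts(
        get_json(stats_url(instance, RISK_STATEMENT_TABLE, "sys_scope"), user, password), "sys_scope"
    )
    for scope, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  scope {scope}")
    print(f"{sum(counts.values()):5d}  total")


if __name__ == "__main__":
    main()
```

The `sys_scope` values come back as sys_ids; match them against the `scope` column returned for the Store app to find the accelerator's bucket, and anything outside it is content your own team created. Record the app version next to the count, since the reply notes the shipped content changes between accelerator releases, and re-run the script after any upgrade or after triaging OOTB policies to confirm nothing was dropped.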