From 1584b8fb2f63c9452f6b106199079ee1b4bd1d98 Mon Sep 17 00:00:00 2001 From: Benjamin Admin Date: Thu, 25 Jun 2026 18:37:10 +0200 Subject: [PATCH] =?UTF-8?q?feat(bridge):=20remote-access=20obligation=20cu?= =?UTF-8?q?t=20(CRA=20Annex=20I)=20=E2=80=94=2018=20obligations?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - obligations/cra_remote_access.json: 18 (5 LEGAL_MINIMUM outcomes + 13 BEST_PRACTICE), 15 Beziehungen. Two-stage clustering 445->209 micro->27 review-units -> Opus-Synthese. Synthese vergab 14 LM -> key-free re-tier nach Auth-Regel (Mechanismen MFA/Session/VPN/ insecure-protocol/OT/Wartungs-Governance/temp/data-export/component -> BEST_PRACTICE + supports-Kante zur Eltern-LM). out_of_scope M5/M11 = physische Maschinen-Fernsteuerung (MaschinenVO 2023/1230). Anker approximativ (siehe curation.anchor_quality). - obligation_join_keys.json: 66 -> 84 (remote_access 18). - precluster.py: remote_access-Scope. Co-Authored-By: Claude Opus 4.7 --- obligations/cra_remote_access.json | 1657 ++++++++++++++++++++ obligations/obligation_join_keys.json | 156 +- scripts/obligation_discovery/precluster.py | 4 + 3 files changed, 1816 insertions(+), 1 deletion(-) create mode 100644 obligations/cra_remote_access.json diff --git a/obligations/cra_remote_access.json b/obligations/cra_remote_access.json new file mode 100644 index 00000000..266bfdff --- /dev/null +++ b/obligations/cra_remote_access.json 
@@ -0,0 +1,1657 @@ +{ + "schema_version": "obligation_registry_v1", + "regulation": "CRA", + "regulation_code": "CRA", + "family": "remote_access", + "theme": "Sichere Fernwartung / Remote Access (CRA Annex I)", + "generated_by": "obligation_discovery/claude-opus-4-8", + "synthesis_version": "v1", + "citation_status": "pending_span_anchor", + "curation": { + "curated_by": "obligation-registry-session 2026-06-25", + "method": "two-stage clustering (445->209 micro->27 review-units) -> Opus synthesis -> key-free re-tier", + "scope_controls": 445, + "micro_clusters": 209, + "review_units": 27, + "obligations": 18, + "tier_split": { + "LEGAL_MINIMUM": 5, + "BEST_PRACTICE": 13 + }, + "out_of_scope": [ + "M5/M11 = physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen (MaschinenVO 2023/1230)" + ], + "retier_rule": "Synthese vergab 14 LM. Kuriert nach der Auth-Regel: nur OUTCOME-Pflichten je CRA-Annex-I-Buchstabe bleiben LEGAL_MINIMUM (confidentiality/integrity, access-control/least-privilege, attack-surface-min, logging, vuln-patch); spezifische MECHANISMEN/Sub-Praktiken (MFA, Session-Timeout, VPN/TLS, insecure-protocol-block, OT-Validierung, Wartungs-Governance, temporaerer Zugriff, Daten-Export, Komponenten-Interface) -> BEST_PRACTICE + guidance_basis + supports-Kante zur Eltern-LM.", + "anchor_quality": "legal_basis-Buchstaben sind APPROXIMATIV (Opus): Verschluesselung als (b) statt (e), Logging als (g)/(k) statt (l), Attack-Surface als (a) statt (j). CRA Annex I Part I (2): (d)=Zugriffsschutz, (e)=Vertraulichkeit, (f)=Integritaet, (j)=Angriffsflaeche, (l)=Logging. Span-genaue Korrektur mit Re-Ingest. NICHT auf Buchstaben joinen.", + "borderline": [ + "remote_access_data_export_protection (evtl. 
LM unter (g) Datenminimierung)", + "component_remote_interface_security (ueberlappt attack_surface_min)" + ] + }, + "obligations": [ + { + "id": "remote_access_control_least_privilege", + "name": "Zugriffskontrolle und Least Privilege fuer Fernzugriff", + "description": "Fernzugriff auf Systeme ist zu konfigurieren und zu kontrollieren nach dem Prinzip der minimalen Rechtevergabe; privilegierte Befehle ueber Fernzugriff sind zu beschraenken und Zugriffsgenehmigungen pro Benutzer/Zielressource festzulegen.", + "tier": "LEGAL_MINIMUM", + "subdomain": "access_control", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(d)", + "citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen (Authentifizierung, Identitaets- und Zugriffsmanagement)" + } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 AC-3/AC-6/AC-17", + "role": "best_practice" + } + ], + "member_review_units": [ + "M0", + "M13" + ], + "member_controls": [ + "ACC-0404-A02", + "ACC-0404-A06", + "ACC-0405-A02", + "ACC-0406-A02", + "ACC-0406-A03", + "ACC-0406-A04", + "ACC-0406-A05", + "ACC-0407-A03", + "ACC-0407-A04", + "ACC-0409-A01", + "ACC-0409-A05", + "ACC-0409-A06", + "ACC-163-A24", + "ACC-584", + "ACC-584-A01", + "ACC-584-A02", + "ACC-584-A06", + "ACC-584-A07", + "ACC-584-A08", + "AI-067-A08", + "AI-067-A20", + "AI-084-A37", + "AI-099-A27", + "AI-101-A22", + "AI-117-A09", + "AI-117-A25", + "AI-118-A29", + "AI-120-A27", + "AI-126-A21", + "AI-1263", + "AI-195-A12", + "AUTH-1446-A03", + "AUTH-2338-A04", + "AUTH-2338-A09", + "AUTH-2386", + "AUTH-2386-A01", + "AUTH-2386-A02", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2413-A02", + "AUTH-2419-A07", + "AUTH-2421-A01", + "AUTH-2421-A02", + "AUTH-2421-A03", + "AUTH-2421-A04", + "AUTH-2461", + "AUTH-2461-A01", + "AUTH-3825-A08", + "AUTH-3887-A01", + 
"AUTH-3928-A08", + "AUTH-3928-A09", + "AUTH-586", + "AUTH-586-A01", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-909-A10", + "AUTH-909-A20", + "AUTH-909-A30", + "AUTH-909-A40", + "AUTH-909-A50", + "COMP-001-A81", + "COMP-043-A23", + "COMP-096-A26", + "COMP-1054-A08", + "COMP-1212-A13", + "COMP-1212-A27", + "COMP-1212-A39", + "COMP-1212-A53", + "COMP-1212-A69", + "COMP-1240-A31", + "COMP-372-A11", + "COMP-383-A07", + "COMP-383-A14", + "COMP-430-A09", + "COMP-449-A12", + "COMP-449-A25", + "COMP-498-A01", + "COMP-592-A09", + "COMP-592-A21", + "COMP-707-A15", + "COMP-711-A07", + "COMP-932-A11", + "COMP-932-A23", + "COMP-995-A13", + "COMP-995-A22", + "CRYP-127-A03", + "CRYP-127-A04", + "CRYP-127-A05", + "CRYP-127-A06", + "CRYP-1700-A01", + "CRYP-1700-A02", + "CRYP-1701-A01", + "CRYP-1725-A04", + "CRYP-1725-A05", + "CRYP-1725-A06", + "CRYP-1725-A07", + "CRYP-1726", + "CRYP-1726-A01", + "CRYP-182", + "CRYP-182-A01", + "CRYP-182-A03", + "CRYP-182-A04", + "CRYP-182-A05", + "CRYP-191-A04", + "CRYP-191-A05", + "CRYP-191-A06", + "CRYP-194-A07", + "CRYP-1988-A07", + "CRYP-210", + "CRYP-210-A01", + "CRYP-210-A02", + "CRYP-210-A03", + "CRYP-210-A04", + "CRYP-210-A05", + "CRYP-210-A09", + "CRYP-210-A10", + "CRYP-210-A11", + "CRYP-2191-A12", + "CRYP-245", + "CRYP-245-A01", + "CRYP-245-A02", + "CRYP-289", + "CRYP-289-A01", + "CRYP-289-A02", + "CRYP-289-A04", + "CRYP-289-A05", + "CRYP-289-A06", + "CRYP-289-A10", + "DATA-119-A23", + "DATA-4067-A03", + "DATA-554-A03", + "DATA-700-A12", + "FIN-101-A13", + "FIN-101-A29", + "FIN-101-A45", + "FIN-101-A62", + "FIN-101-A78", + "FIN-101-A95", + "FIN-258-A19", + "FIN-340-A11", + "FIN-340-A25", + "FIN-340-A39", + "FIN-340-A53", + "FIN-340-A67", + "GOV-0665-A07", + "GOV-0665-A18", + "GOV-0665-A25", + "GOV-0665-A37", + "GOV-191-A07", + "GOV-191-A17", + "GOV-277-A05", + "GOV-277-A06", + "GOV-3066", + "GOV-413-A05", + "GOV-413-A09", + "GOV-413-A14", + "GOV-413-A18", + "GOV-524-A04", + "GOV-524-A05", + "GOV-524-A31", + "GOV-561-A07", + "LOG-072-A22", 
+ "LOG-1361-A01", + "LOG-1385-A02", + "LOG-1486-A06", + "LOG-1506-A03", + "LOG-1549-A10", + "LOG-1692", + "LOG-1692-A01", + "LOG-1692-A02", + "LOG-1692-A03", + "LOG-1692-A04", + "LOG-266", + "LOG-353-A07", + "LOG-353-A08", + "LOG-353-A13", + "LOG-353-A18", + "LOG-445-A06", + "LOG-445-A10", + "LOG-445-A16", + "LOG-445-A20", + "LOG-471-A01", + "LOG-471-A05", + "LOG-741-A24", + "NET-041-A07", + "NET-041-A17", + "NET-047-A05", + "NET-047-A06", + "NET-047-A15", + "NET-047-A16", + "NET-0673-A02", + "NET-0673-A05", + "NET-0673-A09", + "NET-073-A08", + "NET-073-A22", + "NET-078-A05", + "NET-078-A16", + "NET-082-A04", + "NET-091-A02", + "NET-091-A03", + "NET-091-A04", + "NET-091-A05", + "NET-091-A13", + "NET-091-A14", + "NET-091-A15", + "NET-091-A16", + "NET-093-A09", + "NET-093-A22", + "NET-1147-A10", + "NET-1243-A05", + "NET-1344-A05", + "NET-1356-A03", + "NET-1461-A03", + "NET-1626-A17", + "NET-266-A15", + "NET-277-A04", + "NET-277-A05", + "NET-277-A13", + "NET-277-A14", + "NET-326", + "NET-329-A10", + "NET-329-A22", + "NET-336-A03", + "NET-336-A12", + "NET-375", + "NET-375-A02", + "NET-375-A04", + "NET-375-A08", + "NET-375-A10", + "NET-382-A12", + "NET-382-A24", + "NET-416", + "NET-416-A14", + "NET-441-A01", + "NET-441-A06", + "NET-441-A07", + "NET-441-A12", + "NET-543-A04", + "NET-543-A77", + "SEC-049-A12", + "SEC-156-A16", + "SEC-156-A30", + "SEC-182-A07", + "SEC-182-A08", + "SEC-182-A16", + "SEC-182-A17", + "SEC-297-A09", + "SEC-297-A19", + "SEC-3193-A05", + "SEC-338-A11", + "SEC-338-A22", + "SEC-3855-A05", + "SEC-386", + "SEC-386-A01", + "SEC-386-A03", + "SEC-386-A05", + "SEC-386-A06", + "SEC-386-A07", + "SEC-386-A09", + "SEC-386-A11", + "SEC-386-A13", + "SEC-386-A14", + "SEC-386-A15", + "SEC-386-A16", + "SEC-4874-A03", + "SEC-4874-A05", + "SEC-5814", + "SEC-5843", + "SEC-6093-A01", + "SEC-6762", + "SEC-6762-A02", + "SEC-6795-A03", + "SEC-6795-A06", + "SEC-8179-A04", + "SEC-839-A19", + "SEC-8507", + "SEC-8885-A22" + ], + "member_count": 277, + "relationships": [], + 
"citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.92, + "source_meta_cluster": "M0", + "cluster_size": 274, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_confidentiality_integrity", + "name": "Vertraulichkeit und Integritaet des Fernzugriffs", + "description": "Vertraulichkeit und Integritaet von Remote-Zugriffsverbindungen sind sicherzustellen.", + "tier": "LEGAL_MINIMUM", + "subdomain": "access_control", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(b)(c)", + "citation": "Schutz der Vertraulichkeit und Integritaet von Daten und Befehlen" + } + ], + "guidance_basis": [], + "member_review_units": [ + "M0" + ], + "member_controls": [ + "ACC-0404-A02", + "ACC-0404-A06", + "ACC-0405-A02", + "ACC-0406-A02", + "ACC-0406-A03", + "ACC-0406-A04", + "ACC-0406-A05", + "ACC-0407-A03", + "ACC-0407-A04", + "ACC-0409-A01", + "ACC-0409-A05", + "ACC-0409-A06", + "ACC-163-A24", + "ACC-584", + "ACC-584-A01", + "ACC-584-A02", + "ACC-584-A06", + "ACC-584-A07", + "ACC-584-A08", + "AI-067-A08", + "AI-067-A20", + "AI-084-A37", + "AI-099-A27", + "AI-101-A22", + "AI-117-A09", + "AI-117-A25", + "AI-118-A29", + "AI-120-A27", + "AI-126-A21", + "AI-1263", + "AI-195-A12", + "AUTH-1446-A03", + "AUTH-2338-A04", + "AUTH-2338-A09", + "AUTH-2386", + "AUTH-2386-A01", + "AUTH-2386-A02", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2413-A02", + "AUTH-2419-A07", + "AUTH-2421-A01", + "AUTH-2421-A02", + "AUTH-2421-A03", + "AUTH-2421-A04", + "AUTH-2461", + "AUTH-2461-A01", + "AUTH-3825-A08", + "AUTH-3887-A01", + "AUTH-3928-A08", + "AUTH-3928-A09", + "AUTH-586", + "AUTH-586-A01", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-909-A10", + "AUTH-909-A20", + 
"AUTH-909-A30", + "AUTH-909-A40", + "AUTH-909-A50", + "COMP-001-A81", + "COMP-043-A23", + "COMP-096-A26", + "COMP-1054-A08", + "COMP-1212-A13", + "COMP-1212-A27", + "COMP-1212-A39", + "COMP-1212-A53", + "COMP-1212-A69", + "COMP-1240-A31", + "COMP-372-A11", + "COMP-383-A07", + "COMP-383-A14", + "COMP-430-A09", + "COMP-449-A12", + "COMP-449-A25", + "COMP-498-A01", + "COMP-592-A09", + "COMP-592-A21", + "COMP-707-A15", + "COMP-711-A07", + "COMP-932-A11", + "COMP-932-A23", + "COMP-995-A13", + "COMP-995-A22", + "CRYP-127-A03", + "CRYP-127-A04", + "CRYP-127-A05", + "CRYP-127-A06", + "CRYP-1700-A01", + "CRYP-1700-A02", + "CRYP-1701-A01", + "CRYP-1725-A04", + "CRYP-1725-A05", + "CRYP-1725-A06", + "CRYP-1725-A07", + "CRYP-1726", + "CRYP-1726-A01", + "CRYP-182", + "CRYP-182-A01", + "CRYP-182-A03", + "CRYP-182-A04", + "CRYP-182-A05", + "CRYP-191-A04", + "CRYP-191-A05", + "CRYP-191-A06", + "CRYP-194-A07", + "CRYP-1988-A07", + "CRYP-210", + "CRYP-210-A01", + "CRYP-210-A02", + "CRYP-210-A03", + "CRYP-210-A04", + "CRYP-210-A05", + "CRYP-210-A09", + "CRYP-210-A10", + "CRYP-210-A11", + "CRYP-2191-A12", + "CRYP-245", + "CRYP-245-A01", + "CRYP-245-A02", + "CRYP-289", + "CRYP-289-A01", + "CRYP-289-A02", + "CRYP-289-A04", + "CRYP-289-A05", + "CRYP-289-A06", + "CRYP-289-A10", + "DATA-119-A23", + "DATA-4067-A03", + "DATA-554-A03", + "DATA-700-A12", + "FIN-101-A13", + "FIN-101-A29", + "FIN-101-A45", + "FIN-101-A62", + "FIN-101-A78", + "FIN-101-A95", + "FIN-258-A19", + "FIN-340-A11", + "FIN-340-A25", + "FIN-340-A39", + "FIN-340-A53", + "FIN-340-A67", + "GOV-0665-A07", + "GOV-0665-A18", + "GOV-0665-A25", + "GOV-0665-A37", + "GOV-191-A07", + "GOV-191-A17", + "GOV-277-A05", + "GOV-277-A06", + "GOV-3066", + "GOV-413-A05", + "GOV-413-A09", + "GOV-413-A14", + "GOV-413-A18", + "GOV-524-A04", + "GOV-524-A05", + "GOV-524-A31", + "GOV-561-A07", + "LOG-072-A22", + "LOG-1361-A01", + "LOG-1385-A02", + "LOG-1486-A06", + "LOG-1506-A03", + "LOG-1549-A10", + "LOG-1692", + "LOG-1692-A01", + "LOG-1692-A02", + 
"LOG-1692-A03", + "LOG-1692-A04", + "LOG-266", + "LOG-353-A07", + "LOG-353-A08", + "LOG-353-A13", + "LOG-353-A18", + "LOG-445-A06", + "LOG-445-A10", + "LOG-445-A16", + "LOG-445-A20", + "LOG-471-A01", + "LOG-471-A05", + "LOG-741-A24", + "NET-041-A07", + "NET-041-A17", + "NET-047-A05", + "NET-047-A06", + "NET-047-A15", + "NET-047-A16", + "NET-0673-A02", + "NET-0673-A05", + "NET-0673-A09", + "NET-073-A08", + "NET-073-A22", + "NET-078-A05", + "NET-078-A16", + "NET-082-A04", + "NET-091-A02", + "NET-091-A03", + "NET-091-A04", + "NET-091-A05", + "NET-091-A13", + "NET-091-A14", + "NET-091-A15", + "NET-091-A16", + "NET-093-A09", + "NET-093-A22", + "NET-1243-A05", + "NET-1344-A05", + "NET-1461-A03", + "NET-1626-A17", + "NET-266-A15", + "NET-277-A04", + "NET-277-A05", + "NET-277-A13", + "NET-277-A14", + "NET-326", + "NET-329-A10", + "NET-329-A22", + "NET-336-A03", + "NET-336-A12", + "NET-375", + "NET-375-A02", + "NET-375-A04", + "NET-375-A08", + "NET-375-A10", + "NET-382-A12", + "NET-382-A24", + "NET-416", + "NET-416-A14", + "NET-441-A01", + "NET-441-A06", + "NET-441-A07", + "NET-441-A12", + "NET-543-A04", + "NET-543-A77", + "SEC-049-A12", + "SEC-156-A16", + "SEC-156-A30", + "SEC-182-A07", + "SEC-182-A08", + "SEC-182-A16", + "SEC-182-A17", + "SEC-297-A09", + "SEC-297-A19", + "SEC-338-A11", + "SEC-338-A22", + "SEC-3855-A05", + "SEC-386", + "SEC-386-A01", + "SEC-386-A03", + "SEC-386-A05", + "SEC-386-A06", + "SEC-386-A07", + "SEC-386-A09", + "SEC-386-A11", + "SEC-386-A13", + "SEC-386-A14", + "SEC-386-A15", + "SEC-386-A16", + "SEC-4874-A03", + "SEC-4874-A05", + "SEC-5814", + "SEC-5843", + "SEC-6093-A01", + "SEC-6762", + "SEC-6762-A02", + "SEC-6795-A03", + "SEC-6795-A06", + "SEC-8179-A04", + "SEC-839-A19", + "SEC-8507", + "SEC-8885-A22" + ], + "member_count": 274, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M0", + 
"cluster_size": 274, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_session_management", + "name": "Sitzungsmanagement und automatische Trennung", + "description": "Fernzugriffssitzungen muessen Timeouts haben und nach Abschluss bzw. Inaktivitaet automatisch getrennt werden.", + "tier": "BEST_PRACTICE", + "subdomain": "session_management", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 AC-12", + "role": "best_practice" + } + ], + "member_review_units": [ + "M1" + ], + "member_controls": [ + "AUTH-2419-A01", + "AUTH-2419-A02", + "CRYP-1700-A04", + "CRYP-1700-A05", + "CRYP-1725-A01", + "CRYP-1938-A09", + "LOG-1506-A04", + "NET-041-A06", + "NET-041-A16", + "NET-1344-A02", + "NET-1626-A01", + "NET-1626-A11", + "NET-336", + "NET-336-A09", + "NET-336-A16", + "SEC-3855-A03", + "SEC-3855-A06", + "SEC-3870-A01", + "SEC-3870-A02", + "SEC-6795-A01", + "SEC-6795-A04", + "SEC-6808-A01", + "SEC-8327-A10" + ], + "member_count": 23, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.88, + "source_meta_cluster": "M1", + "cluster_size": 23, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_mfa", + "name": "Multi-Faktor-Authentifizierung fuer Fernzugriff", + "description": "Fuer alle Fernzugriffssessions, insbesondere privilegierte Konten, ist MFA zu erzwingen.", + "tier": "BEST_PRACTICE", + "subdomain": "authentication", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + 
"guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 IA-2", + "role": "best_practice" + } + ], + "member_review_units": [ + "M2" + ], + "member_controls": [ + "AUTH-2461-A05", + "AUTH-3915-A07", + "AUTH-3980-A05", + "AUTH-894-A03", + "AUTH-894-A08", + "AUTH-894-A14", + "AUTH-894-A19", + "AUTH-894-A24", + "CRYP-1700", + "CRYP-1938-A02", + "NET-082-A05", + "NET-082-A17", + "NET-082-A18", + "NET-1787", + "NET-1787-A11", + "NET-375-A07", + "SEC-3870", + "SEC-6795-A02", + "SEC-8334-A06" + ], + "member_count": 19, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.93, + "source_meta_cluster": "M2", + "cluster_size": 19, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_encryption", + "name": "Verschluesselung der Fernzugriffsverbindungen", + "description": "Fernzugriffe muessen verschluesselt erfolgen (VPN/Tunnel-Modus, TLS, Client-Zertifikate).", + "tier": "BEST_PRACTICE", + "subdomain": "cryptography", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "IT-Grundschutz NET.3.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M6", + "M21", + "M23", + "M25" + ], + "member_controls": [ + "CRYP-1700-A03", + "CRYP-1701", + "CRYP-1732-A05", + "CRYP-1988-A03", + "CRYP-2191-A03", + "CRYP-2191-A04", + "NET-053-A05", + "NET-053-A13", + "NET-122-A03", + "NET-122-A11", + "NET-1461", + "NET-1461-A01", + "NET-1461-A02", + "NET-1461-A05", + "NET-266-A16", + "NET-336-A07", + "NET-336-A15", + "SEC-3220-A05", + "SEC-5858-A01", + "SEC-5858-A05", + "SEC-6712-A03", + "SEC-8327-A04", + "SEC-8334-A13" + ], + "member_count": 23, + "relationships": [], + 
"citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.91, + "source_meta_cluster": "M6", + "cluster_size": 15, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "reject_insecure_remote_protocols", + "name": "Verbot unsicherer Fernzugriffsprotokolle", + "description": "Unsichere/unverschluesselte Fernzugriffsprotokolle sind zu unterlassen bzw. zu blockieren.", + "tier": "BEST_PRACTICE", + "subdomain": "cryptography", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SC-8", + "role": "best_practice" + } + ], + "member_review_units": [ + "M7", + "M12" + ], + "member_controls": [ + "CRYP-1726-A02", + "LOG-266-A10", + "NET-1461-A06", + "SEC-8593-A10" + ], + "member_count": 4, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M7", + "cluster_size": 1, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_logging_audit", + "name": "Protokollierung und Audit von Fernzugriffen", + "description": "Fernwartungs- und Diagnoseaktivitaeten sind mit Zeitstempel, Benutzer und Aktion zu protokollieren und Audit-Logs aufzubewahren/zu analysieren.", + "tier": "LEGAL_MINIMUM", + "subdomain": "logging_monitoring", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(g)", + "citation": "Aufzeichnung und Ueberwachung relevanter 
interner Aktivitaeten (Logging)" + } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 AU-2/MA-4", + "role": "best_practice" + } + ], + "member_review_units": [ + "M3", + "M18", + "M26" + ], + "member_controls": [ + "AUTH-2788-A01", + "COMP-3332-A03", + "INC-091-A07", + "LOG-1506-A05", + "LOG-1549-A02", + "LOG-1959-A07", + "LOG-1959-A11", + "LOG-353-A19", + "NET-1626-A02", + "NET-1626-A03", + "NET-1760-A05", + "SEC-3855", + "SEC-3855-A02", + "SEC-5843-A01", + "SEC-5843-A04", + "SEC-5925-A05", + "SEC-6712", + "SEC-6712-A02", + "SEC-6712-A04", + "SEC-8327-A03", + "SEC-8327-A05", + "SEC-8327-A09" + ], + "member_count": 22, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M3", + "cluster_size": 14, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access", + "cross_family_ref": "event_logging_security_events (cra_logging.json)" + }, + { + "id": "remote_access_user_validation_ot", + "name": "Identifizierung und Validierung von Fernzugriffsnutzern (ICS/OT)", + "description": "Benutzer mit Fernzugriff auf ICS/SCADA-Systeme sind zu identifizieren, zu validieren und Fernzugriffskanaele zu pruefen; OT-spezifische Absicherung.", + "tier": "BEST_PRACTICE", + "subdomain": "ics_ot", + "applicability": "domain:ics_ot", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "ICS Security Kompendium", + "role": "best_practice" + } + ], + "member_review_units": [ + "M8", + "M16" + ], + "member_controls": [ + "CRYP-1756-A03", + "CRYP-1756-A04", + "CRYP-191", + "CRYP-2191-A11", + "NET-082-A02", + "NET-082-A03", + "NET-082-A15", + "NET-082-A16", + "NET-091", + "NET-1364-A01", + "NET-991-A02", + "SEC-4140-A02", + "SEC-5025-A08", + 
"SEC-5787-A01", + "SEC-5877-A03" + ], + "member_count": 15, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.84, + "source_meta_cluster": "M8", + "cluster_size": 13, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_training", + "name": "Schulung zur sicheren Nutzung von Fernzugriff", + "description": "Autorisierte Nutzer sind zur sicheren Nutzung von Fernzugriff und mobilen Geraeten zu schulen.", + "tier": "BEST_PRACTICE", + "subdomain": "awareness", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO/IEC 27001 A.6.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M19" + ], + "member_controls": [ + "NET-1758", + "NET-1758-A01", + "NET-1758-A03", + "NET-1809", + "NET-1809-A01", + "NET-1809-A02", + "SEC-5877", + "SEC-6795-A05", + "SEC-6802-A03", + "SEC-8873-A03" + ], + "member_count": 10, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M19", + "cluster_size": 10, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_architecture_design", + "name": "Architektur-Design fuer sicheren Fernzugriff", + "description": "Fernzugriffsarchitektur ist sicher zu konzipieren (Gateway/Agent-basiert, Zero-Trust, dedizierte isolierte Kanaele, Segmentierung).", + "tier": "BEST_PRACTICE", + "subdomain": "architecture", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + 
"source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-207 Zero Trust", + "role": "best_practice" + } + ], + "member_review_units": [ + "M22", + "M24", + "M25" + ], + "member_controls": [ + "NET-543-A73", + "SEC-3867-A01", + "SEC-3867-A02", + "SEC-5858-A01", + "SEC-5858-A05", + "SEC-6712-A03", + "SEC-7969", + "SEC-8327-A04", + "SEC-8334-A13" + ], + "member_count": 9, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.78, + "source_meta_cluster": "M22", + "cluster_size": 1, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_attack_surface_min", + "name": "Minimierung der Fernzugriffs-Angriffsflaeche", + "description": "Unnoetige Backdoors und Fernzugriffsschnittstellen sind zu deaktivieren; offene Ports/Schnittstellen zu inventarisieren und zu schuetzen.", + "tier": "LEGAL_MINIMUM", + "subdomain": "hardening", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(a)", + "citation": "Bereitstellung ohne bekannte ausnutzbare Schwachstellen / minimierte Angriffsflaeche" + } + ], + "guidance_basis": [], + "member_review_units": [ + "M15", + "M20", + "M10" + ], + "member_controls": [ + "DATA-4692-A04", + "LOG-1170-A08", + "LOG-1495-A07", + "NET-1363", + "NET-1626-A10", + "NET-1855", + "NET-1855-A04", + "NET-1855-A10", + "NET-908-A02", + "NET-942", + "NET-942-A02", + "SEC-476", + "SEC-5787-A02", + "SEC-6930", + "SEC-8327", + "SEC-8327-A01", + "SEC-8327-A02", + "SEC-8327-A08", + "SEC-8507-A01" + ], + "member_count": 19, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + 
"provenance": { + "discovery_confidence": 0.83, + "source_meta_cluster": "M15", + "cluster_size": 6, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_vuln_patch_mgmt", + "name": "Schwachstellen- und Patchmanagement fuer Fernwartungssoftware", + "description": "Schwachstellen in Fernwartungssoftware sind zu beobachten und regelmaessige Patch-/Updatezyklen sicherzustellen; Penetrationstests der Fernwartungsschnittstellen.", + "tier": "LEGAL_MINIMUM", + "subdomain": "vulnerability_management", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (2)(1)", + "citation": "Behandlung und Behebung von Schwachstellen, Sicherheitsupdates" + } + ], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "ASVS", + "role": "best_practice" + } + ], + "member_review_units": [ + "M15", + "M20", + "M14" + ], + "member_controls": [ + "NET-1237", + "NET-1343", + "NET-1363", + "NET-1364", + "NET-1855", + "NET-1855-A04", + "NET-1855-A10", + "NET-942", + "NET-942-A02", + "SEC-476", + "SEC-4872-A13", + "SEC-5787-A02", + "SEC-5858-A08", + "SEC-8327", + "SEC-8327-A01", + "SEC-8327-A02", + "SEC-8327-A08" + ], + "member_count": 17, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.82, + "source_meta_cluster": "M15", + "cluster_size": 6, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access", + "cross_family_ref": "vuln-Familie (cra.json)" + }, + { + "id": "remote_access_threat_detection", + "name": "Erkennung von Bedrohungen bei Fernzugriff", + "description": "Erkennungsmechanismen fuer Remote Access Trojans und verdaechtige Remote-Zugriffsmuster (EDR-Logs, APT-Abwehr).", + "tier": 
"BEST_PRACTICE", + "subdomain": "detection", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-94", + "role": "best_practice" + } + ], + "member_review_units": [ + "M20" + ], + "member_controls": [ + "NET-1855", + "NET-1855-A04", + "NET-1855-A10", + "NET-942", + "NET-942-A02", + "SEC-5787-A02" + ], + "member_count": 6, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.79, + "source_meta_cluster": "M20", + "cluster_size": 6, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_maintenance_governance", + "name": "Governance externer Fernwartung", + "description": "Permanente Fernwartung durch externe Dienstleister erfordert Genehmigung, Zeitbegrenzung, vertragliche Regelung und Dokumentation (inkl. 
Auftragsverarbeitung).", + "tier": "BEST_PRACTICE", + "subdomain": "maintenance_governance", + "applicability": "conditional:external_maintenance_provider", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "IT-Grundschutz OPS.2.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M18", + "M10", + "M9" + ], + "member_controls": [ + "DATA-4409", + "DATA-4692-A04", + "GOV-524", + "GOV-524-A12", + "LOG-1170-A08", + "LOG-1495-A07", + "NET-1626-A03", + "NET-1626-A10", + "NET-1760-A05", + "NET-908-A02", + "SEC-3855", + "SEC-3855-A02", + "SEC-6712", + "SEC-6712-A02", + "SEC-6930", + "SEC-8507-A01" + ], + "member_count": 16, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M18", + "cluster_size": 6, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "temporary_remote_access_mgmt", + "name": "Verwaltung temporaerer Fernzugriffe", + "description": "Temporaere Fernzugriffe sind sicher zu verwalten, zeitlich zu begrenzen und nach Nutzung zu entziehen.", + "tier": "BEST_PRACTICE", + "subdomain": "access_control", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "AC-2(5)", + "role": "best_practice" + } + ], + "member_review_units": [ + "M14" + ], + "member_controls": [ + "NET-1237", + "NET-1343", + "NET-1364", + "SEC-4872-A13", + "SEC-5858-A08" + ], + "member_count": 5, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + 
"provenance": { + "discovery_confidence": 0.78, + "source_meta_cluster": "M14", + "cluster_size": 5, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_data_export_protection", + "name": "Schutz von Datenexport ueber Support-Fernzugriff", + "description": "Download-/Export-Einschraenkungen bei Fernzugriff; Datenexport ueber Support-Fernzugriff technisch verhindern, insb. EU-Kundendaten.", + "tier": "BEST_PRACTICE", + "subdomain": "data_protection", + "applicability": "conditional:support_remote_access_to_customer_data", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "AC-4", + "role": "best_practice" + } + ], + "member_review_units": [ + "M17", + "M2" + ], + "member_controls": [ + "AUTH-2461-A05", + "AUTH-3915-A07", + "AUTH-3980-A05", + "AUTH-894-A03", + "AUTH-894-A08", + "AUTH-894-A14", + "AUTH-894-A19", + "AUTH-894-A24", + "CRYP-1700", + "CRYP-1938-A02", + "NET-082-A05", + "NET-082-A17", + "NET-082-A18", + "NET-1547", + "NET-1547-A01", + "NET-1547-A03", + "NET-1787", + "NET-1787-A11", + "NET-375-A07", + "SEC-3870", + "SEC-6795-A02", + "SEC-8334-A06" + ], + "member_count": 22, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.77, + "source_meta_cluster": "M17", + "cluster_size": 3, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "component_remote_interface_security", + "name": "Sicherheit von Komponenten mit Fernzugriffsschnittstellen", + "description": "Komponenten mit Fernzugriffs- oder lokalen IT-Schnittstellen sind hinsichtlich Sicherheit zu pruefen und abzusichern.", + "tier": "BEST_PRACTICE", + "subdomain": "product_security", + 
"applicability": "conditional:component_with_remote_interface", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "CM-7", + "role": "best_practice" + } + ], + "member_review_units": [ + "M4" + ], + "member_controls": [ + "COMP-1727-A01", + "NET-925-A04", + "SEC-3155-A02" + ], + "member_count": 3, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.75, + "source_meta_cluster": "M4", + "cluster_size": 3, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_fallback_concept", + "name": "Betriebskonzept mit Fallback fuer Fernzugriff", + "description": "Betriebskonzept mit Fallback-Szenarien und alternativen Kommunikationswegen bei Ausfall des Fernzugriffs.", + "tier": "BEST_PRACTICE", + "subdomain": "resilience", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO/IEC 27001 A.5.30", + "role": "best_practice" + } + ], + "member_review_units": [ + "M24" + ], + "member_controls": [ + "SEC-3867-A01", + "SEC-3867-A02", + "SEC-7969" + ], + "member_count": 3, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.72, + "source_meta_cluster": "M24", + "cluster_size": 3, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + } + ], + "relationships": [ + { + "type": "supports", + "from": "remote_access_encryption", + "to": "remote_access_confidentiality_integrity", + "note": 
"Verschluesselung realisiert Vertraulichkeit/Integritaet" + }, + { + "type": "supports", + "from": "remote_access_mfa", + "to": "remote_access_control_least_privilege", + "note": "MFA unterstuetzt Zugriffskontrolle" + }, + { + "type": "implements", + "from": "reject_insecure_remote_protocols", + "to": "remote_access_encryption", + "note": "Verbot unsicherer Protokolle setzt Verschluesselungspflicht durch" + }, + { + "type": "produces_evidence_for", + "from": "remote_access_logging_audit", + "to": "remote_maintenance_governance", + "note": "Logs belegen genehmigte Fernwartung" + }, + { + "type": "supports", + "from": "remote_access_threat_detection", + "to": "remote_access_logging_audit", + "note": "Detection nutzt Logdaten" + }, + { + "type": "supports", + "from": "remote_access_architecture_design", + "to": "remote_access_control_least_privilege", + "note": "Zero-Trust/Segmentierung unterstuetzt Least Privilege" + }, + { + "type": "depends_on", + "from": "temporary_remote_access_mgmt", + "to": "remote_maintenance_governance", + "note": "Temporaere Zugriffe oft fuer externe Wartung" + }, + { + "type": "supports", + "from": "remote_session_management", + "to": "remote_access_control_least_privilege", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "implements", + "from": "remote_access_encryption", + "to": "remote_access_confidentiality_integrity", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "supports", + "from": "reject_insecure_remote_protocols", + "to": "remote_access_confidentiality_integrity", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "supports", + "from": "remote_access_user_validation_ot", + "to": "remote_access_control_least_privilege", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "supports", + "from": 
"remote_maintenance_governance", + "to": "remote_access_control_least_privilege", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "supports", + "from": "temporary_remote_access_mgmt", + "to": "remote_access_control_least_privilege", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "supports", + "from": "remote_access_data_export_protection", + "to": "remote_access_confidentiality_integrity", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "supports", + "from": "component_remote_interface_security", + "to": "remote_access_attack_surface_min", + "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" + }, + { + "type": "out_of_scope", + "review_units": [ + "M5", + "M11" + ], + "note": "Physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen-Sicherheit (MaschinenVO 2023/1230), keine Cybersecurity-Fernwartung" + } + ] +} \ No newline at end of file diff --git a/obligations/obligation_join_keys.json b/obligations/obligation_join_keys.json index 6351aedb..54a12bee 100644 --- a/obligations/obligation_join_keys.json +++ b/obligations/obligation_join_keys.json @@ -1,7 +1,7 @@ { "schema_version": "obligation_join_keys_v1", "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).", - "count": 66, + "count": 84, "obligation_ids": [ { "obligation_id": "sbom_creation", 
@@ -582,6 +582,160 @@ "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_control_least_privilege", + "regulation": "CRA", + "family": "remote_access", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (1)(2)(d)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "remote_access_confidentiality_integrity", + "regulation": "CRA", + "family": "remote_access", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (1)(2)(b)(c)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "remote_session_management", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_mfa", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_encryption", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "reject_insecure_remote_protocols", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_logging_audit", + "regulation": "CRA", + "family": "remote_access", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (1)(2)(g)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "remote_access_user_validation_ot", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_training", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_architecture_design", + "regulation": "CRA", + 
"family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_attack_surface_min", + "regulation": "CRA", + "family": "remote_access", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (1)(2)(a)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "remote_access_vuln_patch_mgmt", + "regulation": "CRA", + "family": "remote_access", + "tier": "LEGAL_MINIMUM", + "citation_units": [ + "Annex I (2)(1)" + ], + "source_role": "LEGAL_BASIS" + }, + { + "obligation_id": "remote_access_threat_detection", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_maintenance_governance", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "temporary_remote_access_mgmt", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_data_export_protection", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "component_remote_interface_security", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" + }, + { + "obligation_id": "remote_access_fallback_concept", + "regulation": "CRA", + "family": "remote_access", + "tier": "BEST_PRACTICE", + "citation_units": [], + "source_role": "GUIDANCE" } ] } \ No newline at end of file diff --git a/scripts/obligation_discovery/precluster.py b/scripts/obligation_discovery/precluster.py index ed81294b..8b0f1fcf 100644 --- a/scripts/obligation_discovery/precluster.py +++ b/scripts/obligation_discovery/precluster.py 
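Review bot: The new join-key entries hard-code CRA anchors in `citation_units` (e.g. `"Annex I (1)(2)(d)"`, `"Annex I (1)(2)(b)(c)"`, `"Annex I (2)(1)"`) under `"source_role": "LEGAL_BASIS"`, while the registry entries added in the same commit carry `"citation_status": "pending_span_anchor"` and empty `citation_anchor_ids`; the join file has no status field, so a consumer that hangs citation_spans on obligation_id per the file's own contract cannot tell these anchors are provisional. I would either leave `citation_units` empty for the five LEGAL_MINIMUM entries until the span-exact anchors land, or carry the status through per entry, e.g. `"citation_status": "pending_span_anchor",` next to `citation_units` (assuming `obligation_join_keys_v1` tolerates the extra key — verify against the schema). The anchor strings also mix two numbering shapes (`Annex I (1)(2)(x)` vs `Annex I (2)(1)`), which will break any string-level join; pick one canonical form before these get consumed.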
@@ -22,6 +22,10 @@ SCOPES = { "logging": ["%logging%", "%protokollierung%", "%audit-log%", "%audit-trail%", "%ereignisprotokoll%", "%sicherheitsprotokoll%", "%audit-protokoll%", "%log-management%", "%sicherheitsereignis%protokoll%", "%audit-trail%"], + "remote_access": ["%fernwartung%", "%fernzugriff%", "%fernzugang%", "%fernwartungs%", + "%remote access%", "%remote maintenance%", "%remote management%", + "%remote-wartung%", "%remote-zugriff%", "%remote-zugang%", + "%sichere fernwartung%", "%fernsteuerung%"], }
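Review bot: Two of the new LIKE patterns in the `remote_access` scope are subsumed by others: `%fernwartungs%` and `%sichere fernwartung%` can only match rows that `%fernwartung%` already matches, so they only add OR terms to the query. `%fernsteuerung%` pulls physical remote control into the scope, which the registry in this same commit then marks out_of_scope (M5/M11); if that is intended as "cast wide, then cut during curation", say so in a comment, otherwise drop it. Suggested list: `"remote_access": ["%fernwartung%", "%fernzugriff%", "%fernzugang%", "%remote access%", "%remote maintenance%", "%remote management%", "%remote-wartung%", "%remote-zugriff%", "%remote-zugang%"],` preceded by `# %fernwartung% also covers fernwartungs-/sichere fernwartung`. The patterns are all lower-case like the existing `logging` scope, so presumably matching is case-folded upstream; worth confirming, since LIKE case-sensitivity depends on the collation. The pre-existing `logging` list also lists `%audit-trail%` twice.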