diff --git a/obligations/cra.json b/obligations/cra.json
new file mode 100644
index 00000000..8a6eeabf
--- /dev/null
+++ b/obligations/cra.json
@@ -0,0 +1,1495 @@ +{ + "schema_version": "obligation_registry_v1", + "regulation": "CRA", + "regulation_code": "eu_2024_2847", + "generated_by": "obl_registry_build/claude-opus-4-8", + "citation_status": "pending_span_anchor", + "obligations": [ + { + "id": "sbom_creation", + "name": "SBOM erstellen", + "description": "Hersteller von Produkten mit digitalen Elementen müssen eine Software Bill of Materials erstellen.", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (1)", + "citation": "SBOM in gängigem maschinenlesbarem Format, mind. Top-Level-Abhängigkeiten" + } + ], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "TR-03183", + "role": "implementation_guidance" + }, + { + "source": "ENISA", + "anchor": "", + "role": "best_practice" + } + ], + "member_controls": [ + "AI-1246", + "AI-1246-A01", + "AI-528-A06", + "AI-528-A13", + "AUTH-006-A10", + "AUTH-2111-A08", + "AUTH-2962-A05", + "AUTH-3664-A07", + "AUTH-4033-A02", + "AUTH-4042-A03", + "AUTH-4061-A04", + "COMP-2335-A05", + "COMP-2782-A06", + "COMP-3363-A07", + "COMP-4052", + "COMP-511-A04", + "COMP-511-A10", + "COMP-705-A11", + "CRYP-030-A04", + "GOV-306-A02", + "GOV-306-A08", + "GOV-356-A02", + "GOV-3850", + "GOV-3850-A01", + "HLT-062", + "INC-066-A21", + "LOG-1185", + "LOG-1185-A02", + "LOG-1191-A05", + "LOG-1208-A03", + "LOG-1759-A08", + "LOG-2075-A03", + "LOG-2076-A01", + "LOG-2076-A02", + "LOG-2079", + "LOG-2079-A01", + "LOG-2079-A02", + "LOG-211", + "LOG-211-A01", + "LOG-211-A03", + "LOG-211-A09", + "LOG-211-A10", + "LOG-211-A11", + "LOG-543-A03", + "LOG-543-A08", + "NET-246-A03", + "NET-246-A09", + "SEC-020-A06", + "SEC-020-A15", + "SEC-020-A28", + "SEC-027", + "SEC-027-A02", + "SEC-027-A03", + "SEC-027-A11", + 
"SEC-027-A23", + "SEC-027-A24", + "SEC-096-A02", + "SEC-096-A10", + "SEC-347", + "SEC-347-A01", + "SEC-347-A02", + "SEC-347-A11", + "SEC-347-A12", + "SEC-430-A20", + "SEC-430-A21", + "SEC-481-A01", + "SEC-4981-A01", + "SEC-4981-A02", + "SEC-5516", + "SEC-5516-A04", + "SEC-5897-A01", + "SEC-5906", + "SEC-669", + "SEC-669-A02", + "SEC-669-A07", + "SEC-669-A08", + "SEC-708-A13", + "SEC-7117-A01", + "SEC-7128-A04", + "SEC-7128-A12", + "SEC-9045-A04", + "SEC-9107-A05", + "SUP-001-A06", + "SUP-001-A11", + "SUP-001-A12" + ], + "member_count": 85, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_dependency_coverage", + "name": "Abhängigkeiten in SBOM abdecken", + "description": "Die SBOM muss direkte und (kritische) indirekte/transitive Abhängigkeiten samt Metadaten dokumentieren.", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Art. 3(36) i.V.m. 
Annex I Part II (1)", + "citation": "SBOM-Definition: formale Aufzeichnung enthaltener Komponenten und Abhängigkeiten" + } + ], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "CycloneDX", + "role": "implementation_guidance" + } + ], + "member_controls": [ + "AI-1246-A02", + "AI-1246-A03", + "AI-1246-A04", + "AI-1246-A05", + "AUTH-4033-A06", + "AUTH-4062-A01", + "COMP-4072-A03", + "COMP-705-A03", + "GOV-3108-A11", + "GOV-3850-A02", + "LOG-1185-A03", + "LOG-1191-A08", + "LOG-1191-A09", + "SEC-100-A02", + "SEC-100-A03", + "SEC-100-A14", + "SEC-100-A15", + "SEC-340-A03", + "SEC-340-A12", + "SEC-481", + "SEC-5897-A03", + "SEC-7067-A12", + "SEC-9027-A07", + "SEC-9027-A08" + ], + "member_count": 24, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_format_standard", + "name": "SBOM-Format nach anerkannten Standards", + "description": "Die SBOM muss in einem maschinenlesbaren Format gemäß anerkannten internationalen/EU-Normen (CycloneDX, SPDX) erstellt werden.", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (1)", + "citation": "gängiges, maschinenlesbares Format" + } + ], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "TR-03183 Abschnitt 5", + "role": "implementation_guidance" + }, + { + "source": "OWASP", + "anchor": "CycloneDX/SPDX", + "role": "implementation_guidance" + } + ], + "member_controls": [ + "AUTH-4033-A01", + "AUTH-4033-A09", + "COMP-2342", + "COMP-4072", + "COMP-4072-A01", + "COMP-4072-A02", + "COMP-4072-A04", + "GOV-3850-A04", + "GOV-3850-A10", + "LOG-1191-A06", + "LOG-1208-A04", + "LOG-1208-A05", + "LOG-2076-A04", + "SEC-347-A03", + "SEC-347-A13", + 
"SEC-669-A09", + "SEC-9027-A04", + "SEC-9027-A06", + "SEC-9047-A01" + ], + "member_count": 19, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_maintenance_update", + "name": "SBOM pflegen und aktualisieren", + "description": "Die SBOM muss bei Versionen, Patches und Dependency-Änderungen aktualisiert und mit der Produktversion synchron gehalten werden.", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (1)", + "citation": "SBOM während Support-Zeitraum führen" + } + ], + "guidance_basis": [ + { + "source": "NIST SSDF", + "anchor": "PS.3", + "role": "best_practice" + } + ], + "member_controls": [ + "AI-1050-A07", + "AI-1246-A06", + "AI-929-A29", + "AI-929-A30", + "AI-929-A40", + "AI-929-A41", + "AI-929-A51", + "AI-929-A52", + "AUTH-3664-A08", + "AUTH-4033-A04", + "AUTH-4033-A07", + "GOV-3850-A05", + "GOV-3850-A11", + "INC-066-A22", + "LOG-2076-A05", + "NET-246-A04", + "NET-246-A10", + "SEC-020-A07", + "SEC-020-A16", + "SEC-020-A29", + "SEC-027-A20", + "SEC-304-A06", + "SEC-304-A16", + "SEC-347-A10", + "SEC-5516-A03", + "SEC-5897-A06", + "SEC-5897-A09", + "SEC-669-A12", + "SEC-7067-A05", + "SEC-9027-A02", + "SEC-9027-A10" + ], + "member_count": 31, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_completeness_verification", + "name": "SBOM-Vollständigkeit verifizieren", + "description": "Die Vollständigkeit und Aktualität der SBOM ist gegen tatsächlich eingesetzte Komponenten zu prüfen und zu auditieren.", + "tier": "BEST_PRACTICE", + "family": "sbom", + "applicability": 
"conditional:sbom_creation", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "Dependency-Check", + "role": "implementation_guidance" + }, + { + "source": "NIST SSDF", + "anchor": "PS.3.2", + "role": "best_practice" + } + ], + "member_controls": [ + "AUTH-2603-A09", + "AUTH-2924-A06", + "AUTH-2924-A07", + "AUTH-4033-A03", + "AUTH-4033-A10", + "GOV-3850-A07", + "GOV-3850-A08", + "LOG-2079-A04", + "LOG-211-A08", + "LOG-211-A16", + "NET-470-A20", + "NET-470-A31", + "SEC-1170-A10", + "SEC-1170-A26", + "SEC-1170-A42", + "SEC-1170-A58", + "SEC-1252-A04", + "SEC-5516-A05", + "SEC-5897-A07", + "SEC-9027-A05", + "SEC-9049-A05" + ], + "member_count": 21, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_tooling_automation", + "name": "SBOM-Tooling in Build-Pipeline", + "description": "SBOM-Generierung wird automatisiert in die Build-/Toolchain integriert und die Tools selbst werden auf Schwachstellen gescannt.", + "tier": "BEST_PRACTICE", + "family": "sbom", + "applicability": "conditional:sbom_creation", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "IMPLEMENTATION", + "legal_basis": [], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "CycloneDX Tooling", + "role": "implementation_guidance" + }, + { + "source": "NIST SSDF", + "anchor": "PO.3", + "role": "implementation_guidance" + } + ], + "member_controls": [ + "AUTH-2924-A02", + "AUTH-3667-A08", + "NET-1487-A14", + "SEC-7078-A09", + "SEC-7114-A01", + "SEC-7114-A02" + ], + "member_count": 6, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_access_provision", + "name": "SBOM zugänglich machen", + "description": 
"Die SBOM muss für Kunden/Stakeholder über definierte Kanäle zugänglich gemacht und der Zugriffspfad dokumentiert werden.", + "tier": "BEST_PRACTICE", + "family": "sbom", + "applicability": "conditional:sbom_creation", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ENISA", + "anchor": "", + "role": "best_practice" + } + ], + "member_controls": [ + "AI-1246-A07", + "AUTH-4033-A05", + "AUTH-4033-A08", + "GOV-3850-A12", + "LOG-1191-A07", + "NET-1842-A02", + "SEC-027-A09", + "SEC-027-A18", + "SEC-027-A21", + "SEC-1252-A05", + "SEC-212-A10", + "SEC-212-A17", + "SEC-347-A04", + "SEC-347-A14", + "SEC-5897-A02", + "SEC-5897-A08" + ], + "member_count": 16, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_authority_provision", + "name": "SBOM an Marktüberwachungsbehörde bereitstellen", + "description": "Die SBOM muss auf begründetes Verlangen der Marktüberwachungsbehörde vertraulich vorgelegt werden.", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Art. 
31 / Annex I Part II (1)", + "citation": "Vorlage der SBOM auf begründetes Verlangen der Marktüberwachungsbehörde" + } + ], + "guidance_basis": [], + "member_controls": [ + "AUTH-006-A28", + "AUTH-4061-A01", + "LOG-1185-A01", + "LOG-2076-A03", + "LOG-2079-A03", + "LOG-543-A04", + "LOG-543-A09", + "SEC-669-A10" + ], + "member_count": 8, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_confidentiality", + "name": "Vertraulichkeit der SBOM schützen", + "description": "SBOM-Daten und Abhängigkeitsinformationen sind vertraulich zu behandeln und durch Zugriffskontrollen zu schützen.", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Art. 31(4)", + "citation": "Marktüberwachungsbehörden wahren Vertraulichkeit der erhaltenen Informationen" + } + ], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO/IEC 27001", + "role": "best_practice" + } + ], + "member_controls": [ + "LOG-1185-A06", + "LOG-211-A05", + "LOG-211-A13", + "LOG-543", + "LOG-543-A01", + "LOG-543-A05", + "LOG-543-A06", + "LOG-543-A10", + "SEC-1126-A13", + "SEC-1126-A31" + ], + "member_count": 10, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_supply_chain_contracts", + "name": "SBOM-Anforderungen in Lieferantenmanagement", + "description": "SBOM-Anforderungen werden vertraglich in Lieferanten-/Kundenverträgen und im Supplier-Onboarding verankert.", + "tier": "BEST_PRACTICE", + "family": "sbom", + "applicability": "conditional:third_party_software_used", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": 
"GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST SSDF", + "anchor": "PW.4 / PO.1", + "role": "best_practice" + }, + { + "source": "ENISA", + "anchor": "Supply Chain", + "role": "best_practice" + } + ], + "member_controls": [ + "DATA-4672-A04", + "GOV-3850-A03", + "GOV-3850-A06", + "GOV-3850-A09", + "SEC-8994-A03", + "SEC-8994-A09" + ], + "member_count": 6, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "sbom_technical_documentation", + "name": "SBOM in technischer Dokumentation/Konformitätsbewertung", + "description": "Die SBOM ist Teil der technischen Dokumentation und der Konformitätsbewertung (inkl. EUCC/ST-Nachweise).", + "tier": "LEGAL_MINIMUM", + "family": "sbom", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": false, + "capability": false, + "evidence": true + }, + "source_role": "EVIDENCE", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Art. 31 i.V.m. 
Annex VII", + "citation": "technische Dokumentation muss SBOM-relevante Nachweise enthalten" + } + ], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "EUCC ALC_SBM", + "role": "implementation_guidance" + } + ], + "member_controls": [ + "AUTH-004", + "AUTH-006", + "AUTH-154-A02", + "AUTH-154-A08", + "AUTH-4042", + "AUTH-4042-A05", + "AUTH-4061-A02", + "AUTH-4061-A03", + "AUTH-4062", + "NET-1842-A03", + "SEC-9027-A03", + "SEC-9047", + "SEC-9049" + ], + "member_count": 13, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "vuln_identification_inventory", + "name": "Schwachstellen identifizieren & Komponenten erfassen", + "description": "Hersteller müssen Schwachstellen in Produkten und enthaltenen (Dritt-)Komponenten kontinuierlich identifizieren und über ein SBOM/Asset-Inventar nachvollziehbar erfassen.", + "tier": "LEGAL_MINIMUM", + "family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (1)", + "citation": "Komponenten identifizieren und dokumentieren, einschl. 
SBOM" + } + ], + "guidance_basis": [ + { + "source": "NIST SSDF", + "anchor": "PW.4 / RV.1", + "role": "implementation_guidance" + }, + { + "source": "ISO", + "anchor": "ISO/IEC 27002:2022 8.8", + "role": "best_practice" + } + ], + "member_controls": [ + "AI-012-A14", + "AI-012-A28", + "AI-1214-A11", + "AUTH-154", + "AUTH-458-A04", + "AUTH-725-A10", + "COMP-418-A03", + "COMP-705-A04", + "COMP-707-A08", + "COMP-917-A10", + "COMP-917-A20", + "CRYP-031-A06", + "DATA-4697", + "GOV-206-A04", + "GOV-206-A13", + "INC-016-A02", + "INC-016-A42", + "LOG-029-A13", + "LOG-1509-A06", + "LOG-2028-A10", + "LOG-2076", + "NET-246", + "NET-246-A01", + "NET-246-A07", + "NET-551-A04", + "SEC-027", + "SEC-027-A17", + "SEC-027-A19", + "SEC-027-A30", + "SEC-100", + "SEC-195-A06", + "SEC-195-A12", + "SEC-238-A03", + "SEC-238-A14", + "SEC-298-A18", + "SEC-298-A19", + "SEC-298-A46", + "SEC-298-A47", + "SEC-347", + "SEC-443", + "SEC-5516", + "SEC-615", + "SEC-6229", + "SEC-708", + "SEC-9045-A04", + "SEC-9080", + "SEC-9080-A01", + "SEC-994-A06" + ], + "member_count": 48, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "vuln_assessment_prioritization", + "name": "Schwachstellen bewerten & priorisieren", + "description": "Identifizierte Schwachstellen müssen anhand standardisierter Kriterien (Schweregrad, Ausnutzbarkeit, Impact) bewertet und für die Behebung priorisiert werden.", + "tier": "LEGAL_MINIMUM", + "family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (1)", + "citation": "Schwachstellen behandeln und beheben" + } + ], + "guidance_basis": [ + { + "source": "OWASP", + "anchor": "CVSS / Risk Rating", + "role": "best_practice" + }, + { + "source": 
"NIST SSDF", + "anchor": "RV.2", + "role": "implementation_guidance" + } + ], + "member_controls": [ + "ACC-261-A08", + "ACC-261-A19", + "ACC-588-A05", + "AUTH-2172-A02", + "AUTH-2187-A03", + "AUTH-4018", + "AUTH-4018-A01", + "COMP-1131-A10", + "COMP-1131-A11", + "COMP-1557-A05", + "COMP-705-A04", + "CRYP-1586-A03", + "CRYP-1586-A04", + "DATA-4697-A08", + "DATA-703-A06", + "HLT-109-A44", + "INC-013-A07", + "INC-013-A18", + "LOG-1470-A04", + "LOG-1547-A03", + "LOG-510-A03", + "LOG-510-A09", + "NET-0738-A10", + "NET-0738-A22", + "NET-1834-A01", + "NET-551-A04", + "SEC-001-A03", + "SEC-005-A02", + "SEC-005-A09", + "SEC-005-A31", + "SEC-100-A05", + "SEC-100-A17", + "SEC-194-A18", + "SEC-295-A02", + "SEC-295-A17", + "SEC-302-A01", + "SEC-302-A10", + "SEC-302-A20", + "SEC-302-A21", + "SEC-417-A18", + "SEC-4558-A03", + "SEC-465", + "SEC-517", + "SEC-5269-A10", + "SEC-5283-A03", + "SEC-5532-A01", + "SEC-5889-A01", + "SEC-5930-A03", + "SEC-5988-A01", + "SEC-6058-A04", + "SEC-6213", + "SEC-6213-A01", + "SEC-6213-A02", + "SEC-6233-A01", + "SEC-640-A07", + "SEC-8387-A02", + "SEC-8580-A06", + "SEC-9063", + "SEC-9148-A01", + "VUL-002-A02", + "VUL-002-A07" + ], + "member_count": 61, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "vuln_remediation_patching", + "name": "Schwachstellen beheben & Sicherheitsupdates bereitstellen", + "description": "Schwachstellen müssen unverzüglich, risikobasiert und innerhalb des Unterstützungszeitraums durch Patches oder Gegenmaßnahmen behoben werden.", + "tier": "LEGAL_MINIMUM", + "family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (2) & (8)", + "citation": "Schwachstellen unverzüglich beheben, 
kostenlose Sicherheitsupdates" + } + ], + "guidance_basis": [ + { + "source": "NIST SSDF", + "anchor": "RV.3", + "role": "implementation_guidance" + } + ], + "member_controls": [ + "ACC-099-A16", + "ACC-218-A08", + "ACC-218-A16", + "ACC-218-A24", + "ACC-218-A32", + "ACC-218-A40", + "AI-054-A15", + "AI-248-A13", + "AI-748-A06", + "AI-748-A16", + "AI-748-A32", + "AI-748-A49", + "AI-773-A36", + "AI-773-A45", + "AI-778-A14", + "AI-778-A23", + "AI-799-A08", + "AI-799-A19", + "AUTH-130-A02", + "AUTH-132", + "AUTH-183", + "AUTH-480-A05", + "AUTH-524-A04", + "AUTH-632-A05", + "AUTH-647-A08", + "AUTH-718-A08", + "AUTH-725-A10", + "AUTH-831-A08", + "AUTH-831-A17", + "AUTH-871-A26", + "COMP-001-A59", + "COMP-1107-A03", + "COMP-1107-A12", + "COMP-1107-A22", + "COMP-1107-A31", + "COMP-1107-A43", + "COMP-1107-A48", + "COMP-1135-A03", + "COMP-150-A08", + "COMP-4063-A04", + "COMP-996-A02", + "CRYP-024-A08", + "CRYP-031-A07", + "CRYP-035-A04", + "CRYP-087-A06", + "CRYP-409-A06", + "CRYP-431-A67", + "CRYP-438-A39", + "DATA-874-A04", + "DATA-874-A09", + "DATA-874-A19", + "FIN-092-A05", + "FIN-092-A19", + "FIN-092-A32", + "FIN-092-A46", + "FIN-092-A60", + "FIN-092-A73", + "GOV-385-A12", + "INC-013-A20", + "INC-016-A27", + "INC-044-A02", + "INC-071-A16", + "INC-092-A17", + "INC-227-A59", + "LOG-359-A12", + "LOG-600-A05", + "LOG-681-A02", + "LOG-845-A13", + "LOG-845-A23", + "LOG-845-A39", + "LOG-845-A50", + "NET-072-A08", + "NET-072-A10", + "NET-122-A09", + "NET-122-A17", + "NET-1266", + "NET-294-A05", + "SEC-005-A04", + "SEC-005-A05", + "SEC-1136-A04", + "SEC-1136-A12", + "SEC-1136-A20", + "SEC-1136-A28", + "SEC-1158-A05", + "SEC-1158-A14", + "SEC-1158-A23", + "SEC-1158-A32", + "SEC-1158-A41", + "SEC-1158-A48", + "SEC-132", + "SEC-132-A02", + "SEC-132-A09", + "SEC-195-A07", + "SEC-195-A13", + "SEC-256-A09", + "SEC-289-A06", + "SEC-289-A18", + "SEC-298-A02", + "SEC-298-A30", + "SEC-342-A14", + "SEC-342-A30", + "SEC-349-A03", + "SEC-349-A15", + "SEC-393-A13", + "SEC-393-A14", + 
"SEC-554-A08", + "SEC-554-A24", + "SEC-5930-A04", + "SEC-708-A15", + "SEC-994-A06" + ], + "member_count": 110, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "vuln_handling_process", + "name": "Schwachstellenbehandlungsverfahren dokumentieren & etablieren", + "description": "Ein dokumentierter Vulnerability-Handling-Prozess mit definierten Rollen, Schritten und Zeithorizonten muss etabliert und über die technische Dokumentation nachweisbar sein.", + "tier": "LEGAL_MINIMUM", + "family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Article 13(8) & Annex VII", + "citation": "Schwachstellenbehandlungsprozesse einrichten und in technischer Doku belegen" + } + ], + "guidance_basis": [ + { + "source": "NIST SSDF", + "anchor": "RV", + "role": "implementation_guidance" + }, + { + "source": "ISO", + "anchor": "ISO/IEC 30111", + "role": "best_practice" + } + ], + "member_controls": [ + "AI-010-A17", + "AI-748-A04", + "AI-748-A14", + "AI-748-A30", + "AI-748-A47", + "AI-773-A25", + "AI-773-A34", + "AI-773-A43", + "AI-778-A12", + "AI-778-A21", + "AI-799-A06", + "AI-799-A17", + "AUTH-076-A22", + "AUTH-132-A09", + "AUTH-143-A02", + "AUTH-154", + "AUTH-154-A02", + "AUTH-154-A08", + "AUTH-183-A09", + "AUTH-2105-A02", + "AUTH-2112-A04", + "AUTH-2113-A05", + "AUTH-2117-A03", + "AUTH-2117-A04", + "AUTH-2117-A07", + "AUTH-2298-A06", + "AUTH-3473-A08", + "AUTH-4026-A02", + "AUTH-4115", + "AUTH-718-A06", + "AUTH-871-A24", + "COMP-001-A57", + "COMP-150-A06", + "COMP-4114-A08", + "COMP-4114-A09", + "COMP-910", + "COMP-910-A01", + "COMP-910-A02", + "CRYP-031-A05", + "CRYP-760-A02", + "GOV-2632-A09", + "INC-092-A15", + "LOG-2075-A02", + "LOG-222-A02", + "LOG-222-A08", 
+ "LOG-222-A11", + "LOG-222-A12", + "NET-1196-A11", + "NET-240-A06", + "NET-240-A07", + "NET-240-A13", + "NET-240-A14", + "SDL-009", + "SDL-009-A01", + "SDL-009-A06", + "SEC-027-A07", + "SEC-027-A15", + "SEC-027-A28", + "SEC-1158-A03", + "SEC-1158-A04", + "SEC-1158-A12", + "SEC-1158-A13", + "SEC-1158-A21", + "SEC-1158-A22", + "SEC-1158-A30", + "SEC-1158-A31", + "SEC-1158-A39", + "SEC-1158-A40", + "SEC-1158-A46", + "SEC-1158-A47", + "SEC-118-A04", + "SEC-118-A08", + "SEC-132-A03", + "SEC-132-A04", + "SEC-132-A10", + "SEC-132-A11", + "SEC-171-A11", + "SEC-171-A29", + "SEC-171-A42", + "SEC-194-A17", + "SEC-279", + "SEC-279-A01", + "SEC-279-A06", + "SEC-443-A08", + "SEC-443-A09", + "SEC-492", + "SEC-4944-A04", + "SEC-4944-A05", + "SEC-4953-A02", + "SEC-4953-A03", + "SEC-4957-A06", + "SEC-4970-A14", + "SEC-5952", + "SEC-5958-A04", + "SEC-655-A11", + "SEC-691-A01", + "SEC-8566-A02", + "SEC-8789-A07", + "SEC-8968-A01", + "SEC-8987-A05", + "SEC-9045-A01", + "SEC-9046-A01", + "SEC-925-A01", + "SEC-994", + "SEC-994-A02" + ], + "member_count": 105, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "coordinated_vulnerability_disclosure", + "name": "Coordinated Vulnerability Disclosure Policy & Meldekanal", + "description": "Eine öffentliche CVD-Richtlinie und ein zugänglicher, vertraulicher Meldekanal für externe Schwachstellenmeldungen müssen bereitgestellt werden.", + "tier": "LEGAL_MINIMUM", + "family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (5)", + "citation": "Coordinated Vulnerability Disclosure Policy einrichten" + } + ], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO/IEC 29147", + "role": "best_practice" + }, + 
{ + "source": "ENISA", + "anchor": "CVD Good Practice Guide", + "role": "best_practice" + } + ], + "member_controls": [ + "AUTH-2298-A07", + "AUTH-241-A02", + "AUTH-4018-A05", + "AUTH-4019-A01", + "AUTH-4026-A01", + "COMP-3615-A10", + "CRYP-2322-A06", + "CRYP-2323-A02", + "CRYP-2325-A01", + "CRYP-2325-A02", + "DATA-4673", + "DATA-4674-A02", + "DATA-4697-A01", + "GOV-3493", + "GOV-3847", + "GOV-3847-A01", + "GOV-3847-A02", + "GOV-3851", + "INC-063-A01", + "INC-063-A08", + "INC-063-A09", + "INC-063-A10", + "LOG-1527-A05", + "LOG-2068-A11", + "LOG-2075-A01", + "LOG-623-A04", + "LOG-623-A05", + "NET-1824", + "SEC-027-A04", + "SEC-027-A08", + "SEC-027-A12", + "SEC-027-A16", + "SEC-027-A25", + "SEC-027-A29", + "SEC-132-A06", + "SEC-132-A13", + "SEC-277-A04", + "SEC-277-A13", + "SEC-347-A08", + "SEC-347-A18", + "SEC-446", + "SEC-4995-A03", + "SEC-4995-A08", + "SEC-4996-A02", + "SEC-4996-A08", + "SEC-5969-A09", + "SEC-8938-A01", + "SEC-8943-A15", + "SEC-8948-A06", + "SEC-8948-A07", + "SEC-8950-A01", + "SEC-8950-A02", + "SEC-8950-A07", + "SEC-8950-A09", + "SEC-8950-A10", + "SEC-8951-A01", + "SEC-8959-A01", + "SEC-8963", + "SEC-8963-A02", + "SEC-8963-A06", + "SEC-8963-A10", + "SEC-8967-A02", + "SEC-8971-A13", + "SEC-8973-A01", + "SEC-8974", + "SEC-8974-A13", + "SEC-8974-A14", + "SEC-8974-A16", + "SEC-8976", + "SEC-8983-A05", + "SEC-8984-A08", + "SEC-9003-A03", + "SEC-9006-A01", + "SEC-9006-A04", + "SEC-9045-A02", + "SEC-9107-A07", + "SEC-925-A03", + "SEC-938-A09" + ], + "member_count": 78, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "exploited_vuln_reporting_authorities", + "name": "Meldung aktiv ausgenutzter Schwachstellen an CSIRT/ENISA", + "description": "Aktiv ausgenutzte Schwachstellen müssen fristgerecht (Frühwarnung 24h, vollständige Meldung 72h) an das koordinierende CSIRT und ENISA über die Single-Reporting-Plattform gemeldet werden.", + "tier": "LEGAL_MINIMUM", + 
"family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Article 14 & Article 16", + "citation": "Meldepflicht aktiv ausgenutzter Schwachstellen über Single Reporting Platform" + } + ], + "guidance_basis": [], + "member_controls": [ + "AUTH-186", + "COMP-1243-A08", + "COMP-1243-A14", + "COMP-1243-A20", + "COMP-1243-A26", + "COMP-1243-A32", + "LOG-510-A06", + "LOG-510-A07", + "LOG-510-A12", + "NET-023-A07", + "NET-023-A20", + "SEC-112", + "SEC-112-A01", + "SEC-118-A01", + "SEC-118-A05", + "SEC-124-A02", + "SEC-142-A01", + "SEC-142-A03", + "SEC-142-A09", + "SEC-142-A11", + "SEC-142-A19", + "SEC-168", + "SEC-171-A14", + "SEC-171-A32", + "SEC-195-A11", + "SEC-195-A20", + "SEC-273-A02", + "SEC-273-A10", + "SEC-4991-A03", + "SEC-603-A08", + "SEC-9148-A01" + ], + "member_count": 31, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + }, + { + "id": "vuln_info_dissemination_users", + "name": "Nutzerinformation über behobene Schwachstellen", + "description": "Nach Behebung müssen Nutzer über die Schwachstelle, das Sicherheitsupdate und ggf. 
CVE-Einträge transparent informiert werden.", + "tier": "LEGAL_MINIMUM", + "family": "vuln", + "applicability": "domain:products_with_digital_elements", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "regulation_code": "eu_2024_2847", + "anchor": "Annex I Part II (4) & (6)", + "citation": "Informationen über behobene Schwachstellen teilen und offenlegen" + } + ], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO/IEC 29147 (Disclosure)", + "role": "best_practice" + } + ], + "member_controls": [ + "CRYP-031-A01", + "CRYP-031-A04", + "NET-1829-A05", + "SEC-349-A04", + "SEC-349-A16" + ], + "member_count": 5, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft" + } + ], + "relationships": [ + { + "type": "depends_on", + "from": "sbom_dependency_coverage", + "to": "sbom_creation", + "note": "Inhaltsanforderung setzt SBOM-Erstellung voraus" + }, + { + "type": "depends_on", + "from": "sbom_format_standard", + "to": "sbom_creation", + "note": "Format gilt für die erstellte SBOM" + }, + { + "type": "supports", + "from": "sbom_tooling_automation", + "to": "sbom_creation", + "note": "Tooling automatisiert Erstellung" + }, + { + "type": "produces_evidence_for", + "from": "sbom_completeness_verification", + "to": "sbom_dependency_coverage", + "note": "Verifikation belegt Vollständigkeit" + }, + { + "type": "produces_evidence_for", + "from": "sbom_technical_documentation", + "to": "sbom_creation", + "note": "Doku als Konformitätsnachweis" + }, + { + "type": "supports", + "from": "sbom_access_provision", + "to": "sbom_authority_provision", + "note": "Zugänglichkeit unterstützt Behördenvorlage" + }, + { + "type": "depends_on", + "from": "sbom_supply_chain_contracts", + "to": "sbom_dependency_coverage", + "note": "Third-Party-Daten via Verträge beschaffen" + }, + { + "type": 
"out_of_scope", + "clusters": [ + 10, + 11, + 19, + 35, + 32, + 37, + 76 + ], + "note": "Material-/Batterie-Stücklisten, CO₂-/Energiemix-Berechnung und Sicherheitskomponentenlisten (Türverriegelung) sind keine Software-SBOM, sondern Ökodesign/Maschinenrichtlinie/Batterieverordnung" + }, + { + "type": "supports", + "from": "vuln_identification_inventory", + "to": "vuln_assessment_prioritization", + "note": "Inventar liefert Basis für Bewertung" + }, + { + "type": "depends_on", + "from": "vuln_remediation_patching", + "to": "vuln_assessment_prioritization", + "note": "Priorisierung steuert Behebungsreihenfolge" + }, + { + "type": "produces_evidence_for", + "from": "vuln_handling_process", + "to": "vuln_remediation_patching", + "note": "Prozessdoku belegt Behebung" + }, + { + "type": "supports", + "from": "coordinated_vulnerability_disclosure", + "to": "exploited_vuln_reporting_authorities", + "note": "Meldungseingang speist Behörden-Reporting" + }, + { + "type": "produces_evidence_for", + "from": "vuln_remediation_patching", + "to": "vuln_info_dissemination_users", + "note": "Behebung Voraussetzung für Nutzerinfo" + }, + { + "type": "out_of_scope", + "clusters": [ + 5, + 22, + 24, + 25, + 26, + 31, + 33, + 35, + 36, + 43, + 50, + 53, + 54, + 61, + 64, + 65, + 74, + 83, + 87, + 88, + 92, + 97, + 98, + 100, + 101, + 102, + 106, + 107, + 110, + 117, + 118, + 121, + 126, + 127, + 131, + 134, + 135, + 136, + 139, + 140, + 141, + 145, + 146, + 151, + 153, + 154, + 156, + 163, + 164, + 165, + 166, + 168, + 169, + 170, + 171, + 175, + 176, + 177, + 187, + 190, + 194, + 197, + 198 + ], + "note": "Adressieren NIS2-Einrichtungspflichten, CSIRT/ENISA-Behördenaufgaben, Konformitätsbewertungsstellen/EUCC-Zertifizierung, Distributor/Importeur-Pflichten, nationale Strategien, Secure-by-Design/Tooling oder Interoperabilität — keine herstellerseitige Vulnerability-Handling-Pflicht nach CRA Art. 13(8)/Annex I Part II" + } + ] +} \ No newline at end of file
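Review bot: `sbom_confidentiality` is tiered `LEGAL_MINIMUM` with `source_role` `LEGAL_BASIS` on the strength of `Art. 31(4)`, yet its own citation text ("Marktüberwachungsbehörden wahren Vertraulichkeit der erhaltenen Informationen") describes a duty of the market-surveillance authorities, not a manufacturer-side access-control obligation, so the quoted basis does not support the tier; either anchor a provision that binds the manufacturer or move the entry to `BEST_PRACTICE`/`GUIDANCE` like the other ISO-backed obligations. The two ENISA `guidance_basis` entries carry `"anchor": ""`; with `citation_status` set to `pending_span_anchor` everywhere, an empty string is likely to be resolved as an anchor rather than as "unknown", so use `null` or omit the key. `member_count` duplicates the length of `member_controls`, and several ids appear under more than one obligation (`AUTH-154`, `COMP-705-A04`, `SEC-9148-A01`, `SEC-9045-A04`), which may be intended but is invisible without a check; whatever produces this file should assert that the count equals the list length and that every `from`/`to` and `conditional:<id>` reference resolves to an `obligations[].id`. The legal anchors mix `Art.`/`Article` and `i.V.m.`/`&`/`/` (for example `Art. 31 / Annex I Part II (1)` next to `Article 13(8) & Annex VII`), which the pending span-anchor step will have to normalise, and cluster `35` is listed in both `out_of_scope` entries. The file is also written without a trailing newline.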