diff --git a/obligations/cra_updates.json b/obligations/cra_updates.json
new file mode 100644
index 00000000..ee801ba3
--- /dev/null
+++ b/obligations/cra_updates.json
@@ -0,0 +1,1816 @@ +{ + "schema_version": "obligation_registry_v1", + "regulation": "CRA", + "regulation_code": "CRA", + "family": "updates", + "theme": "Security Updates / Patch Management (CRA Annex I (2)(c), Art 13)", + "generated_by": "obligation_discovery/claude-opus-4-8", + "synthesis_version": "v1", + "citation_status": "pending_span_anchor", + "curation": { + "curated_by": "obligation-registry-session 2026-06-25", + "method": "two-stage clustering (670->318 micro->15 review-units) -> Opus synthesis -> LIGHT review (keine Hart-Re-Tier)", + "scope_controls": 670, + "micro_clusters": 318, + "review_units": 15, + "obligations": 9, + "tier_split": { + "LEGAL_MINIMUM": 6, + "BEST_PRACTICE": 3 + }, + "out_of_scope": [ + "M4 (allg. digitale Veraenderungen)", + "M7 (TLS-Proxy-Kanalverwaltung)" + ], + "tiering_note": "Synthese DIESMAL gut kalibriert (6 LM / 3 BP) -> KEINE Hart-Kuration noetig (vs Auth 14->6, Remote-Access 14->5). LM mehrheitlich echte CRA-Update-Outcomes: provide_security_updates ((2)(c)/Art13) · support_period_maintenance (Art13(8)) · automatic_updates_optout (steht WOERTLICH in (2)(c): Auto-Updates als Default mit Opt-out) · update_risk_assessment.", + "borderline_deferred": "signed_update_integrity + trusted_update_source = OUTCOME(Integritaet/Authentizitaet)+MECHANISMUS(Signatur/Quelle)-Mischung. Tier-Linie im Cross-Domain-Review final ziehen, NICHT jetzt (User-Methodik: borderline nicht vorzeitig tiern).", + "capability_candidates": [ + "signed_update_integrity", + "trusted_update_source", + "automatic_updates_optout", + "update_rollback", + "update_testing_validation" + ], + "capability_signal": "STARKES Signal fuer die Capability-Hypothese: signed/trusted/automatic/rollback/testing sind technische FAEHIGKEITEN, die das eine LM-Outcome provide_security_updates erfuellen. Das LLM tiert sie INKONSISTENT (signed/trusted/automatic->LM, rollback/testing->BP), genau weil Outcome vs Capability nicht sauber trennbar ist (User-Diagnose). 
Phase 4: Regulation->Obligation->CAPABILITY->Procedure->Control->Evidence.", + "anchor_quality": "Anker approximativ (Opus): '(1)(3)(f)'/'(1)(3)(d)' entsprechen keiner exakten CRA-Annex-I-Struktur (Part I (2) hat Buchstaben a-m, kein Punkt (3)). support_period korrekt Art 13(8); provide_security_updates korrekt (2)(c). Span-genau mit Re-Ingest. NICHT auf Anker joinen." + }, + "obligations": [ + { + "id": "provide_security_updates", + "name": "Bereitstellung von Sicherheitsupdates", + "description": "Hersteller stellen wirksame Sicherheitsupdates und Patches zur Behebung von Schwachstellen ueber den gesamten Support-Zeitraum regelmaessig und kostenlos bereit, inkl. strukturiertem Patch-Management-Verfahren.", + "tier": "LEGAL_MINIMUM", + "subdomain": "patch_provisioning", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (2)(c)", + "citation": "Schwachstellen durch Sicherheitsupdates ohne Verzug behandeln, einschliesslich automatischer Updates und Benachrichtigung." + }, + { + "source": "CRA", + "anchor": "Art. 13", + "citation": "Pflicht zur Bereitstellung von Sicherheitsupdates waehrend des Support-Zeitraums." 
+ } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-40 Patch Management", + "role": "best_practice" + }, + { + "source": "BSI", + "anchor": "OPS.1.1.3 Patch- und Aenderungsmanagement", + "role": "best_practice" + } + ], + "member_review_units": [ + "M0", + "M2", + "M6", + "M14" + ], + "member_controls": [ + "ACC-605-A06", + "ACC-650-A06", + "AI-1827-A04", + "AI-462-A06", + "AI-462-A07", + "AI-462-A17", + "AI-810-A12", + "AI-810-A19", + "AUTH-101-A19", + "AUTH-101-A22", + "AUTH-1086-A02", + "AUTH-1086-A04", + "AUTH-1090-A04", + "AUTH-1520-A03", + "AUTH-1538-A02", + "AUTH-1538-A03", + "AUTH-1538-A11", + "AUTH-1630-A03", + "AUTH-1630-A07", + "AUTH-1710-A03", + "AUTH-1742", + "AUTH-1742-A02", + "AUTH-1742-A03", + "AUTH-1742-A04", + "AUTH-1742-A05", + "AUTH-1742-A06", + "AUTH-1742-A07", + "AUTH-1746", + "AUTH-182", + "AUTH-187-A05", + "AUTH-1925-A02", + "AUTH-1925-A06", + "AUTH-197-A13", + "AUTH-2480", + "AUTH-2543", + "AUTH-2563-A01", + "AUTH-2563-A02", + "AUTH-2679-A08", + "AUTH-2868", + "AUTH-2913-A08", + "AUTH-2942", + "AUTH-2942-A01", + "AUTH-2942-A06", + "AUTH-2959", + "AUTH-2998-A01", + "AUTH-2998-A04", + "AUTH-2998-A08", + "AUTH-3009-A15", + "AUTH-3169-A01", + "AUTH-3169-A07", + "AUTH-3649-A09", + "AUTH-3704-A03", + "AUTH-3704-A04", + "AUTH-3823", + "AUTH-3960", + "AUTH-3961-A01", + "AUTH-3974-A07", + "AUTH-4034", + "AUTH-4034-A01", + "AUTH-4034-A04", + "AUTH-4048-A02", + "AUTH-513", + "COMP-074-A05", + "COMP-1052", + "COMP-1123-A06", + "COMP-1261-A01", + "COMP-1907-A08", + "COMP-2768-A01", + "COMP-2969-A01", + "COMP-2969-A02", + "COMP-2969-A05", + "COMP-2969-A06", + "COMP-2969-A07", + "COMP-2970-A03", + "COMP-2970-A04", + "COMP-2970-A05", + "COMP-2991-A09", + "COMP-3030-A09", + "COMP-3360-A04", + "COMP-3411-A04", + "COMP-3411-A07", + "COMP-3548-A07", + "COMP-3990-A01", + "COMP-4063-A10", + "COMP-4119", + "COMP-652", + "COMP-652-A01", + "COMP-652-A05", + "COMP-995-A14", + "COMP-995-A15", + "CRYP-1332", + "CRYP-1332-A03", + "CRYP-1624", + 
"CRYP-1805-A06", + "CRYP-1805-A12", + "CRYP-1886-A03", + "CRYP-2073-A03", + "CRYP-2289-A10", + "CRYP-2359-A02", + "CRYP-2359-A07", + "CRYP-2361-A12", + "CRYP-415-A07", + "CRYP-415-A30", + "CRYP-415-A41", + "CRYP-415-A49", + "CRYP-723-A14", + "CRYP-882-A05", + "CRYP-882-A06", + "CRYP-882-A14", + "CRYP-882-A15", + "CRYP-898-A03", + "DATA-1435-A10", + "DATA-1435-A11", + "DATA-2374-A06", + "DATA-2486-A02", + "DATA-265-A07", + "DATA-3995-A04", + "DATA-4193-A01", + "DATA-4193-A07", + "DATA-4674-A07", + "DATA-4679", + "DATA-673-A05", + "DATA-673-A10", + "GOV-2281-A04", + "GOV-2540-A07", + "GOV-3106-A03", + "GOV-3108-A01", + "GOV-3108-A05", + "HLT-018-A13", + "HLT-114-A05", + "HLT-114-A41", + "HLT-372-A03", + "HLT-519-A04", + "HLT-519-A09", + "INC-241", + "LOG-1409-A04", + "LOG-1410", + "LOG-1410-A10", + "LOG-1511-A10", + "LOG-1547-A11", + "LOG-1730-A05", + "LOG-1730-A09", + "LOG-1741-A01", + "LOG-1741-A02", + "LOG-1741-A05", + "LOG-1741-A06", + "LOG-1741-A08", + "LOG-1749", + "LOG-1759-A13", + "LOG-1760", + "LOG-1760-A01", + "LOG-1760-A06", + "LOG-1770-A06", + "LOG-1774-A06", + "LOG-1774-A11", + "LOG-1838-A06", + "LOG-2074-A06", + "LOG-2074-A09", + "LOG-2075", + "LOG-2078", + "LOG-2078-A03", + "LOG-903-A06", + "LOG-904-A02", + "NET-077-A05", + "NET-077-A23", + "NET-1196-A12", + "NET-1196-A13", + "NET-125-A09", + "NET-125-A17", + "NET-1306-A04", + "NET-1317-A02", + "NET-1351-A10", + "NET-1465-A05", + "NET-1482-A12", + "NET-1494-A12", + "NET-1626-A12", + "NET-1637-A03", + "NET-1744", + "NET-1744-A01", + "NET-1841-A04", + "NET-1841-A05", + "NET-1856-A02", + "NET-1858-A02", + "NET-1864-A09", + "NET-1864-A13", + "NET-1868", + "NET-1868-A07", + "NET-248-A06", + "NET-248-A12", + "NET-373-A02", + "NET-373-A10", + "NET-476-A14", + "NET-476-A83", + "NET-892-A04", + "NET-904-A05", + "NET-981-A01", + "NET-981-A09", + "NET-981-A10", + "OPS-003", + "OPS-003-A01", + "OPS-003-A02", + "OPS-003-A05", + "OPS-003-A06", + "OPS-003-A09", + "PCM-003", + "PCM-003-A01", + "PCM-003-A02", + 
"SEC-1041", + "SEC-1041-A01", + "SEC-1041-A02", + "SEC-1041-A03", + "SEC-1041-A04", + "SEC-1041-A05", + "SEC-1041-A06", + "SEC-1041-A07", + "SEC-1042", + "SEC-1042-A01", + "SEC-1042-A02", + "SEC-1042-A03", + "SEC-1042-A04", + "SEC-1042-A06", + "SEC-110-A02", + "SEC-110-A03", + "SEC-110-A06", + "SEC-120-A07", + "SEC-120-A18", + "SEC-1218-A03", + "SEC-1218-A12", + "SEC-1243-A03", + "SEC-1243-A04", + "SEC-1247-A02", + "SEC-1252", + "SEC-1254-A04", + "SEC-1254-A07", + "SEC-126", + "SEC-126-A05", + "SEC-132", + "SEC-132-A05", + "SEC-132-A12", + "SEC-150", + "SEC-171-A10", + "SEC-171-A28", + "SEC-171-A41", + "SEC-179-A02", + "SEC-179-A07", + "SEC-182-A01", + "SEC-182-A12", + "SEC-195-A07", + "SEC-195-A13", + "SEC-279-A05", + "SEC-279-A10", + "SEC-295", + "SEC-3019-A01", + "SEC-3150-A02", + "SEC-3150-A03", + "SEC-3166-A01", + "SEC-3166-A05", + "SEC-3166-A06", + "SEC-3167-A01", + "SEC-3167-A02", + "SEC-3169-A03", + "SEC-3175", + "SEC-3175-A01", + "SEC-3175-A04", + "SEC-3175-A06", + "SEC-3175-A10", + "SEC-3325-A08", + "SEC-339-A08", + "SEC-339-A09", + "SEC-339-A19", + "SEC-342-A10", + "SEC-342-A26", + "SEC-349", + "SEC-3665", + "SEC-3665-A01", + "SEC-3665-A02", + "SEC-3665-A05", + "SEC-3676-A06", + "SEC-3680-A04", + "SEC-3680-A10", + "SEC-3719-A05", + "SEC-3725", + "SEC-3725-A01", + "SEC-3725-A02", + "SEC-3725-A03", + "SEC-3725-A04", + "SEC-3740-A02", + "SEC-3740-A05", + "SEC-3740-A06", + "SEC-3740-A07", + "SEC-376", + "SEC-3789-A01", + "SEC-3789-A02", + "SEC-3829-A01", + "SEC-3829-A02", + "SEC-3829-A03", + "SEC-3829-A04", + "SEC-3834-A01", + "SEC-3834-A02", + "SEC-3834-A03", + "SEC-3834-A04", + "SEC-3834-A06", + "SEC-3834-A07", + "SEC-3835-A04", + "SEC-3838-A01", + "SEC-3838-A02", + "SEC-3838-A07", + "SEC-3838-A08", + "SEC-3838-A09", + "SEC-3839-A04", + "SEC-3839-A07", + "SEC-3845-A10", + "SEC-3847", + "SEC-3847-A02", + "SEC-3847-A05", + "SEC-3858", + "SEC-3875-A05", + "SEC-3885-A01", + "SEC-3885-A02", + "SEC-3885-A04", + "SEC-3928", + "SEC-3928-A05", + "SEC-3928-A06", + 
"SEC-3931-A04", + "SEC-3931-A11", + "SEC-3936-A03", + "SEC-3949-A05", + "SEC-3963-A03", + "SEC-3963-A04", + "SEC-3963-A05", + "SEC-3963-A06", + "SEC-3970", + "SEC-3970-A03", + "SEC-3972-A01", + "SEC-3972-A02", + "SEC-3972-A06", + "SEC-3972-A07", + "SEC-3972-A09", + "SEC-3972-A10", + "SEC-3972-A13", + "SEC-3974-A06", + "SEC-3985-A02", + "SEC-3995", + "SEC-3995-A01", + "SEC-3995-A02", + "SEC-3995-A03", + "SEC-3995-A04", + "SEC-3995-A05", + "SEC-3999", + "SEC-3999-A01", + "SEC-3999-A03", + "SEC-4005-A01", + "SEC-4005-A02", + "SEC-4018-A03", + "SEC-4081-A02", + "SEC-4081-A03", + "SEC-4191", + "SEC-4191-A02", + "SEC-4195", + "SEC-4195-A02", + "SEC-4195-A08", + "SEC-4209-A03", + "SEC-445", + "SEC-4559-A01", + "SEC-4567-A01", + "SEC-4567-A06", + "SEC-462-A12", + "SEC-470", + "SEC-4945-A04", + "SEC-4966-A01", + "SEC-4966-A09", + "SEC-4970-A04", + "SEC-4970-A17", + "SEC-4988-A04", + "SEC-5109", + "SEC-5109-A01", + "SEC-5109-A02", + "SEC-5528", + "SEC-5528-A01", + "SEC-5532-A02", + "SEC-5541-A03", + "SEC-5640-A08", + "SEC-5640-A09", + "SEC-5748", + "SEC-5767-A02", + "SEC-5769-A05", + "SEC-5770", + "SEC-5804-A07", + "SEC-5818", + "SEC-5818-A10", + "SEC-5835", + "SEC-5835-A01", + "SEC-5835-A05", + "SEC-5850-A03", + "SEC-5850-A06", + "SEC-5851-A01", + "SEC-5851-A02", + "SEC-5851-A03", + "SEC-5851-A04", + "SEC-5851-A12", + "SEC-5908", + "SEC-5909", + "SEC-5912-A01", + "SEC-5912-A03", + "SEC-5921-A02", + "SEC-5921-A07", + "SEC-5923-A04", + "SEC-5923-A05", + "SEC-5924-A02", + "SEC-5925-A02", + "SEC-5930-A08", + "SEC-5931", + "SEC-5934-A04", + "SEC-5941-A02", + "SEC-5941-A03", + "SEC-5941-A06", + "SEC-5941-A07", + "SEC-5941-A08", + "SEC-5947-A06", + "SEC-5947-A07", + "SEC-5954-A04", + "SEC-6092-A03", + "SEC-6096-A03", + "SEC-6098", + "SEC-6105-A01", + "SEC-6105-A03", + "SEC-6105-A04", + "SEC-6105-A08", + "SEC-6105-A12", + "SEC-6224", + "SEC-6431-A07", + "SEC-6431-A08", + "SEC-6440-A02", + "SEC-6815-A03", + "SEC-6889-A01", + "SEC-6890-A01", + "SEC-691", + "SEC-6913-A02", + 
"SEC-6918", + "SEC-6928-A04", + "SEC-6928-A10", + "SEC-6928-A13", + "SEC-6991-A01", + "SEC-6993-A01", + "SEC-6996", + "SEC-7016", + "SEC-7018-A05", + "SEC-7024-A02", + "SEC-7026-A01", + "SEC-7026-A06", + "SEC-7037-A04", + "SEC-7037-A06", + "SEC-7044", + "SEC-7049", + "SEC-7056-A05", + "SEC-7056-A10", + "SEC-7056-A11", + "SEC-7060-A02", + "SEC-7060-A07", + "SEC-7067-A01", + "SEC-7077", + "SEC-7077-A01", + "SEC-7082-A01", + "SEC-7084", + "SEC-7097-A01", + "SEC-710", + "SEC-7100-A01", + "SEC-7109-A01", + "SEC-7109-A06", + "SEC-7110-A01", + "SEC-7113", + "SEC-7117-A02", + "SEC-7117-A08", + "SEC-7128-A07", + "SEC-7237-A03", + "SEC-7577-A02", + "SEC-7581-A01", + "SEC-7621-A04", + "SEC-7678", + "SEC-7803-A08", + "SEC-8324", + "SEC-8324-A09", + "SEC-8326", + "SEC-8326-A01", + "SEC-8326-A02", + "SEC-8326-A06", + "SEC-8326-A07", + "SEC-8327-A01", + "SEC-8334-A01", + "SEC-8334-A02", + "SEC-8334-A10", + "SEC-8801-A05", + "SEC-8801-A08", + "SEC-8801-A09", + "SEC-8801-A10", + "SEC-8806", + "SEC-8829-A03", + "SEC-8839", + "SEC-8842", + "SEC-8842-A01", + "SEC-8842-A03", + "SEC-8842-A04", + "SEC-8842-A05", + "SEC-8842-A08", + "SEC-8842-A09", + "SEC-8842-A10", + "SEC-8842-A11", + "SEC-8842-A12", + "SEC-8842-A14", + "SEC-8871", + "SEC-8871-A01", + "SEC-8871-A04", + "SEC-8871-A06", + "SEC-8871-A07", + "SEC-8871-A08", + "SEC-8871-A09", + "SEC-8880", + "SEC-8888-A01", + "SEC-8888-A11", + "SEC-8923", + "SEC-8991-A02", + "SEC-8991-A09", + "SEC-8997", + "SEC-8997-A03", + "SEC-8998-A02", + "SEC-8998-A04", + "SEC-8999", + "SEC-8999-A01", + "SEC-8999-A03", + "SEC-8999-A06", + "SEC-9002-A01", + "SEC-9002-A06", + "SEC-9003", + "SEC-9003-A01", + "SEC-9007", + "SEC-9007-A02", + "SEC-9007-A05", + "SEC-9009-A03", + "SEC-9009-A04", + "SEC-9009-A05", + "SEC-9009-A06", + "SEC-9019-A04", + "SEC-9027", + "SEC-9029", + "SEC-9033-A01", + "SEC-9033-A02", + "SEC-9033-A04", + "SEC-9033-A05", + "SEC-9033-A06", + "SEC-9035-A01", + "SEC-9035-A06", + "SEC-9036", + "SEC-9039", + "SEC-9039-A01", + "SEC-9039-A04", 
+ "SEC-9045-A06", + "SEC-9055", + "SEC-9055-A01", + "SEC-9062-A04", + "SEC-9073-A10", + "SEC-9107", + "SEC-9107-A02", + "SEC-9107-A03", + "SEC-9110-A04", + "SEC-9115", + "SEC-9116-A01", + "SEC-9116-A02", + "SEC-9116-A03", + "SEC-9116-A04", + "SEC-9129", + "SEC-9129-A07", + "SEC-9129-A08", + "SEC-9129-A09", + "SEC-9135-A09", + "SYS-002", + "SYS-002-A05", + "VUL-001", + "VUL-001-A05" + ], + "member_count": 578, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.95, + "source_meta_cluster": "M0", + "cluster_size": 574, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates" + }, + { + "id": "support_period_maintenance", + "name": "Wartung waehrend des Support-Zeitraums", + "description": "Festlegung und Umsetzung von Wartungs- und Pflegemassnahmen inkl. Haeufigkeit ueber den definierten Support-Zeitraum.", + "tier": "LEGAL_MINIMUM", + "subdomain": "support_period", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Art. 13(8)", + "citation": "Bestimmung des Support-Zeitraums entsprechend der erwarteten Nutzungsdauer." 
+ } + ], + "guidance_basis": [], + "member_review_units": [ + "M0" + ], + "member_controls": [ + "ACC-605-A06", + "ACC-650-A06", + "AI-1827-A04", + "AI-462-A06", + "AI-462-A07", + "AI-462-A17", + "AI-810-A12", + "AI-810-A19", + "AUTH-101-A19", + "AUTH-101-A22", + "AUTH-1086-A02", + "AUTH-1086-A04", + "AUTH-1090-A04", + "AUTH-1520-A03", + "AUTH-1538-A02", + "AUTH-1538-A03", + "AUTH-1538-A11", + "AUTH-1630-A03", + "AUTH-1630-A07", + "AUTH-1710-A03", + "AUTH-1742", + "AUTH-1742-A02", + "AUTH-1742-A03", + "AUTH-1742-A04", + "AUTH-1742-A05", + "AUTH-1742-A06", + "AUTH-1742-A07", + "AUTH-1746", + "AUTH-182", + "AUTH-187-A05", + "AUTH-1925-A02", + "AUTH-1925-A06", + "AUTH-197-A13", + "AUTH-2480", + "AUTH-2543", + "AUTH-2563-A01", + "AUTH-2563-A02", + "AUTH-2679-A08", + "AUTH-2913-A08", + "AUTH-2942", + "AUTH-2942-A01", + "AUTH-2942-A06", + "AUTH-2959", + "AUTH-2998-A01", + "AUTH-2998-A04", + "AUTH-2998-A08", + "AUTH-3009-A15", + "AUTH-3169-A01", + "AUTH-3169-A07", + "AUTH-3649-A09", + "AUTH-3704-A03", + "AUTH-3704-A04", + "AUTH-3823", + "AUTH-3960", + "AUTH-3961-A01", + "AUTH-3974-A07", + "AUTH-4034", + "AUTH-4034-A01", + "AUTH-4034-A04", + "AUTH-4048-A02", + "AUTH-513", + "COMP-074-A05", + "COMP-1052", + "COMP-1123-A06", + "COMP-1261-A01", + "COMP-1907-A08", + "COMP-2768-A01", + "COMP-2969-A01", + "COMP-2969-A02", + "COMP-2969-A05", + "COMP-2969-A06", + "COMP-2969-A07", + "COMP-2970-A03", + "COMP-2970-A04", + "COMP-2970-A05", + "COMP-2991-A09", + "COMP-3030-A09", + "COMP-3360-A04", + "COMP-3411-A04", + "COMP-3411-A07", + "COMP-3548-A07", + "COMP-3990-A01", + "COMP-4063-A10", + "COMP-4119", + "COMP-652", + "COMP-652-A01", + "COMP-652-A05", + "COMP-995-A14", + "COMP-995-A15", + "CRYP-1332", + "CRYP-1332-A03", + "CRYP-1805-A06", + "CRYP-1805-A12", + "CRYP-1886-A03", + "CRYP-2073-A03", + "CRYP-2289-A10", + "CRYP-2359-A02", + "CRYP-2359-A07", + "CRYP-2361-A12", + "CRYP-415-A07", + "CRYP-415-A30", + "CRYP-415-A41", + "CRYP-415-A49", + "CRYP-723-A14", + "CRYP-882-A05", + 
"CRYP-882-A06", + "CRYP-882-A14", + "CRYP-882-A15", + "CRYP-898-A03", + "DATA-1435-A10", + "DATA-1435-A11", + "DATA-2374-A06", + "DATA-2486-A02", + "DATA-265-A07", + "DATA-3995-A04", + "DATA-4193-A01", + "DATA-4193-A07", + "DATA-4674-A07", + "DATA-4679", + "DATA-673-A05", + "DATA-673-A10", + "GOV-2281-A04", + "GOV-2540-A07", + "GOV-3106-A03", + "GOV-3108-A01", + "GOV-3108-A05", + "HLT-018-A13", + "HLT-114-A05", + "HLT-114-A41", + "HLT-372-A03", + "HLT-519-A04", + "HLT-519-A09", + "INC-241", + "LOG-1409-A04", + "LOG-1410", + "LOG-1410-A10", + "LOG-1511-A10", + "LOG-1547-A11", + "LOG-1730-A05", + "LOG-1730-A09", + "LOG-1741-A01", + "LOG-1741-A02", + "LOG-1741-A05", + "LOG-1741-A06", + "LOG-1741-A08", + "LOG-1749", + "LOG-1759-A13", + "LOG-1760", + "LOG-1760-A01", + "LOG-1760-A06", + "LOG-1770-A06", + "LOG-1774-A06", + "LOG-1774-A11", + "LOG-1838-A06", + "LOG-2074-A06", + "LOG-2074-A09", + "LOG-2075", + "LOG-2078", + "LOG-2078-A03", + "LOG-903-A06", + "LOG-904-A02", + "NET-077-A05", + "NET-077-A23", + "NET-1196-A12", + "NET-1196-A13", + "NET-125-A09", + "NET-125-A17", + "NET-1306-A04", + "NET-1317-A02", + "NET-1351-A10", + "NET-1465-A05", + "NET-1482-A12", + "NET-1494-A12", + "NET-1626-A12", + "NET-1637-A03", + "NET-1744", + "NET-1744-A01", + "NET-1841-A04", + "NET-1841-A05", + "NET-1856-A02", + "NET-1858-A02", + "NET-1864-A09", + "NET-1864-A13", + "NET-1868", + "NET-1868-A07", + "NET-248-A06", + "NET-248-A12", + "NET-373-A02", + "NET-373-A10", + "NET-476-A14", + "NET-476-A83", + "NET-892-A04", + "NET-904-A05", + "NET-981-A01", + "NET-981-A09", + "NET-981-A10", + "OPS-003", + "OPS-003-A01", + "OPS-003-A02", + "OPS-003-A05", + "OPS-003-A06", + "OPS-003-A09", + "PCM-003", + "PCM-003-A01", + "PCM-003-A02", + "SEC-1041", + "SEC-1041-A01", + "SEC-1041-A02", + "SEC-1041-A03", + "SEC-1041-A04", + "SEC-1041-A05", + "SEC-1041-A06", + "SEC-1041-A07", + "SEC-1042", + "SEC-1042-A01", + "SEC-1042-A02", + "SEC-1042-A03", + "SEC-1042-A04", + "SEC-1042-A06", + "SEC-110-A02", + 
"SEC-110-A03", + "SEC-110-A06", + "SEC-120-A07", + "SEC-120-A18", + "SEC-1218-A03", + "SEC-1218-A12", + "SEC-1243-A03", + "SEC-1243-A04", + "SEC-1247-A02", + "SEC-1252", + "SEC-1254-A04", + "SEC-1254-A07", + "SEC-126", + "SEC-126-A05", + "SEC-132", + "SEC-132-A05", + "SEC-132-A12", + "SEC-150", + "SEC-171-A10", + "SEC-171-A28", + "SEC-171-A41", + "SEC-179-A02", + "SEC-179-A07", + "SEC-182-A01", + "SEC-182-A12", + "SEC-195-A07", + "SEC-195-A13", + "SEC-279-A05", + "SEC-279-A10", + "SEC-295", + "SEC-3019-A01", + "SEC-3150-A02", + "SEC-3150-A03", + "SEC-3166-A01", + "SEC-3166-A05", + "SEC-3166-A06", + "SEC-3167-A01", + "SEC-3167-A02", + "SEC-3169-A03", + "SEC-3175", + "SEC-3175-A01", + "SEC-3175-A04", + "SEC-3175-A06", + "SEC-3175-A10", + "SEC-3325-A08", + "SEC-339-A08", + "SEC-339-A09", + "SEC-339-A19", + "SEC-342-A10", + "SEC-342-A26", + "SEC-349", + "SEC-3665", + "SEC-3665-A01", + "SEC-3665-A02", + "SEC-3665-A05", + "SEC-3676-A06", + "SEC-3680-A04", + "SEC-3680-A10", + "SEC-3719-A05", + "SEC-3725", + "SEC-3725-A01", + "SEC-3725-A02", + "SEC-3725-A03", + "SEC-3725-A04", + "SEC-3740-A02", + "SEC-3740-A05", + "SEC-3740-A06", + "SEC-3740-A07", + "SEC-376", + "SEC-3789-A01", + "SEC-3789-A02", + "SEC-3829-A01", + "SEC-3829-A02", + "SEC-3829-A03", + "SEC-3829-A04", + "SEC-3834-A01", + "SEC-3834-A02", + "SEC-3834-A03", + "SEC-3834-A04", + "SEC-3834-A06", + "SEC-3834-A07", + "SEC-3835-A04", + "SEC-3838-A01", + "SEC-3838-A02", + "SEC-3838-A07", + "SEC-3838-A08", + "SEC-3838-A09", + "SEC-3839-A04", + "SEC-3839-A07", + "SEC-3845-A10", + "SEC-3847", + "SEC-3847-A02", + "SEC-3847-A05", + "SEC-3858", + "SEC-3875-A05", + "SEC-3885-A01", + "SEC-3885-A02", + "SEC-3885-A04", + "SEC-3928", + "SEC-3928-A05", + "SEC-3928-A06", + "SEC-3931-A04", + "SEC-3931-A11", + "SEC-3936-A03", + "SEC-3949-A05", + "SEC-3963-A03", + "SEC-3963-A04", + "SEC-3963-A05", + "SEC-3963-A06", + "SEC-3970", + "SEC-3970-A03", + "SEC-3972-A01", + "SEC-3972-A02", + "SEC-3972-A06", + "SEC-3972-A07", + 
"SEC-3972-A09", + "SEC-3972-A10", + "SEC-3972-A13", + "SEC-3974-A06", + "SEC-3985-A02", + "SEC-3995", + "SEC-3995-A01", + "SEC-3995-A02", + "SEC-3995-A03", + "SEC-3995-A04", + "SEC-3995-A05", + "SEC-3999", + "SEC-3999-A01", + "SEC-3999-A03", + "SEC-4005-A01", + "SEC-4005-A02", + "SEC-4018-A03", + "SEC-4081-A02", + "SEC-4081-A03", + "SEC-4191", + "SEC-4191-A02", + "SEC-4195", + "SEC-4195-A02", + "SEC-4195-A08", + "SEC-4209-A03", + "SEC-445", + "SEC-4559-A01", + "SEC-4567-A01", + "SEC-4567-A06", + "SEC-462-A12", + "SEC-470", + "SEC-4945-A04", + "SEC-4966-A01", + "SEC-4966-A09", + "SEC-4970-A04", + "SEC-4970-A17", + "SEC-4988-A04", + "SEC-5109", + "SEC-5109-A01", + "SEC-5109-A02", + "SEC-5528", + "SEC-5528-A01", + "SEC-5532-A02", + "SEC-5541-A03", + "SEC-5640-A08", + "SEC-5640-A09", + "SEC-5748", + "SEC-5767-A02", + "SEC-5769-A05", + "SEC-5770", + "SEC-5804-A07", + "SEC-5818", + "SEC-5818-A10", + "SEC-5835", + "SEC-5835-A01", + "SEC-5835-A05", + "SEC-5850-A03", + "SEC-5850-A06", + "SEC-5851-A01", + "SEC-5851-A02", + "SEC-5851-A03", + "SEC-5851-A04", + "SEC-5851-A12", + "SEC-5908", + "SEC-5909", + "SEC-5912-A01", + "SEC-5912-A03", + "SEC-5921-A02", + "SEC-5921-A07", + "SEC-5923-A04", + "SEC-5923-A05", + "SEC-5924-A02", + "SEC-5925-A02", + "SEC-5930-A08", + "SEC-5931", + "SEC-5934-A04", + "SEC-5941-A02", + "SEC-5941-A03", + "SEC-5941-A06", + "SEC-5941-A07", + "SEC-5941-A08", + "SEC-5947-A06", + "SEC-5947-A07", + "SEC-5954-A04", + "SEC-6092-A03", + "SEC-6096-A03", + "SEC-6098", + "SEC-6105-A01", + "SEC-6105-A03", + "SEC-6105-A04", + "SEC-6105-A08", + "SEC-6105-A12", + "SEC-6224", + "SEC-6431-A07", + "SEC-6431-A08", + "SEC-6440-A02", + "SEC-6815-A03", + "SEC-6889-A01", + "SEC-6890-A01", + "SEC-691", + "SEC-6913-A02", + "SEC-6928-A04", + "SEC-6928-A10", + "SEC-6928-A13", + "SEC-6991-A01", + "SEC-6993-A01", + "SEC-6996", + "SEC-7016", + "SEC-7018-A05", + "SEC-7024-A02", + "SEC-7026-A01", + "SEC-7026-A06", + "SEC-7037-A04", + "SEC-7037-A06", + "SEC-7044", + "SEC-7049", + 
"SEC-7056-A05", + "SEC-7056-A10", + "SEC-7056-A11", + "SEC-7060-A02", + "SEC-7060-A07", + "SEC-7067-A01", + "SEC-7077", + "SEC-7077-A01", + "SEC-7082-A01", + "SEC-7084", + "SEC-7097-A01", + "SEC-710", + "SEC-7100-A01", + "SEC-7109-A01", + "SEC-7109-A06", + "SEC-7110-A01", + "SEC-7113", + "SEC-7117-A02", + "SEC-7117-A08", + "SEC-7128-A07", + "SEC-7237-A03", + "SEC-7577-A02", + "SEC-7581-A01", + "SEC-7621-A04", + "SEC-7678", + "SEC-7803-A08", + "SEC-8324", + "SEC-8324-A09", + "SEC-8326", + "SEC-8326-A01", + "SEC-8326-A02", + "SEC-8326-A06", + "SEC-8326-A07", + "SEC-8327-A01", + "SEC-8334-A01", + "SEC-8334-A02", + "SEC-8334-A10", + "SEC-8801-A05", + "SEC-8801-A08", + "SEC-8801-A09", + "SEC-8801-A10", + "SEC-8806", + "SEC-8829-A03", + "SEC-8839", + "SEC-8842", + "SEC-8842-A01", + "SEC-8842-A03", + "SEC-8842-A04", + "SEC-8842-A05", + "SEC-8842-A08", + "SEC-8842-A09", + "SEC-8842-A10", + "SEC-8842-A11", + "SEC-8842-A12", + "SEC-8842-A14", + "SEC-8871", + "SEC-8871-A01", + "SEC-8871-A04", + "SEC-8871-A06", + "SEC-8871-A07", + "SEC-8871-A08", + "SEC-8871-A09", + "SEC-8880", + "SEC-8888-A01", + "SEC-8888-A11", + "SEC-8923", + "SEC-8991-A02", + "SEC-8991-A09", + "SEC-8997", + "SEC-8997-A03", + "SEC-8998-A02", + "SEC-8998-A04", + "SEC-8999", + "SEC-8999-A01", + "SEC-8999-A03", + "SEC-8999-A06", + "SEC-9002-A01", + "SEC-9002-A06", + "SEC-9003", + "SEC-9003-A01", + "SEC-9007", + "SEC-9007-A02", + "SEC-9007-A05", + "SEC-9009-A03", + "SEC-9009-A04", + "SEC-9009-A05", + "SEC-9009-A06", + "SEC-9019-A04", + "SEC-9029", + "SEC-9033-A01", + "SEC-9033-A02", + "SEC-9033-A04", + "SEC-9033-A05", + "SEC-9033-A06", + "SEC-9035-A01", + "SEC-9035-A06", + "SEC-9036", + "SEC-9039", + "SEC-9039-A01", + "SEC-9039-A04", + "SEC-9045-A06", + "SEC-9055", + "SEC-9055-A01", + "SEC-9062-A04", + "SEC-9073-A10", + "SEC-9107", + "SEC-9107-A02", + "SEC-9107-A03", + "SEC-9110-A04", + "SEC-9115", + "SEC-9116-A01", + "SEC-9116-A02", + "SEC-9116-A03", + "SEC-9116-A04", + "SEC-9129", + "SEC-9129-A07", + 
"SEC-9129-A08", + "SEC-9129-A09", + "SEC-9135-A09", + "SYS-002", + "SYS-002-A05", + "VUL-001", + "VUL-001-A05" + ], + "member_count": 574, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M0", + "cluster_size": 574, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates" + }, + { + "id": "signed_update_integrity", + "name": "Signierte und integritaetsgeschuetzte Update-Pakete", + "description": "Update-Pakete werden digital signiert; Integritaet und Authentizitaet (inkl. Boot-/Firmware) werden vor der Installation verifiziert; unsignierte oder manipulierte Updates werden abgelehnt.", + "tier": "LEGAL_MINIMUM", + "subdomain": "update_integrity", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(3)(f)", + "citation": "Schutz der Integritaet von Daten, Befehlen und Konfigurationen vor Manipulation." 
+ } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-147 BIOS Protection", + "role": "best_practice" + } + ], + "member_review_units": [ + "M8", + "M5", + "M11", + "M13" + ], + "member_controls": [ + "CRYP-127-A10", + "FWU-003", + "FWU-003-A01", + "FWU-003-A04", + "LOG-1782-A02", + "NET-981-A07", + "SEC-1083-A01", + "SEC-1083-A04", + "SEC-1083-A06", + "SEC-1083-A09", + "SEC-1083-A10", + "SEC-1170-A02", + "SEC-1170-A12", + "SEC-1170-A18", + "SEC-1170-A28", + "SEC-1170-A34", + "SEC-1170-A44", + "SEC-1170-A50", + "SEC-1170-A60", + "SEC-1170-A66", + "SEC-3150-A04", + "SEC-3169", + "SEC-3175-A07", + "SEC-3740-A01", + "SEC-3740-A03", + "SEC-3740-A04", + "SEC-3740-A08", + "SEC-3740-A09", + "SEC-3834", + "SEC-3838", + "SEC-3838-A10", + "SEC-3838-A11", + "SEC-3839", + "SEC-3854", + "SEC-3885", + "SEC-3885-A05", + "SEC-3933-A01", + "SEC-3936", + "SEC-3936-A01", + "SEC-3936-A02", + "SEC-3937-A01", + "SEC-3963", + "SEC-3963-A01", + "SEC-3972-A05", + "SEC-3972-A12", + "SEC-3999-A04", + "SEC-4005", + "SEC-4018-A02", + "SEC-6993-A02", + "SEC-7077-A03", + "SEC-7109", + "SEC-7109-A02", + "SEC-7621-A08", + "SEC-8998-A01", + "SEC-9002-A10", + "SEC-9007-A01", + "SEC-9007-A04", + "UPD-004-A07" + ], + "member_count": 58, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M8", + "cluster_size": 37, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "trusted_update_source", + "name": "Vertrauenswuerdige und zugriffsbeschraenkte Update-Quelle", + "description": "Firmware-/Software-Updates werden nur aus vertrauenswuerdigen Quellen bezogen; der Update-Bereitstellungskanal und die Quelle sind zugriffsbeschraenkt und abgesichert; Versions-Downgrades werden verhindert.", + "tier": "LEGAL_MINIMUM", + "subdomain": "update_channel_security", + 
"applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(3)(d)", + "citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen." + } + ], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "SYS.4.4 IoT", + "role": "best_practice" + } + ], + "member_review_units": [ + "M8", + "M13" + ], + "member_controls": [ + "FWU-003", + "FWU-003-A01", + "FWU-003-A04", + "LOG-1782-A02", + "SEC-1083-A01", + "SEC-1083-A04", + "SEC-1083-A06", + "SEC-1083-A09", + "SEC-1083-A10", + "SEC-3150-A04", + "SEC-3169", + "SEC-3175-A07", + "SEC-3740-A01", + "SEC-3740-A03", + "SEC-3740-A04", + "SEC-3740-A08", + "SEC-3740-A09", + "SEC-3834", + "SEC-3838", + "SEC-3838-A10", + "SEC-3838-A11", + "SEC-3839", + "SEC-3885", + "SEC-3885-A05", + "SEC-3933-A01", + "SEC-3936", + "SEC-3936-A01", + "SEC-3936-A02", + "SEC-3937-A01", + "SEC-3963", + "SEC-3963-A01", + "SEC-3972-A05", + "SEC-3972-A12", + "SEC-4005", + "SEC-6993-A02", + "SEC-7109-A02", + "SEC-7621-A08", + "SEC-8998-A01", + "SEC-9002-A10", + "SEC-9007-A01", + "SEC-9007-A04", + "UPD-004-A07" + ], + "member_count": 42, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M8", + "cluster_size": 37, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "update_testing_validation", + "name": "Test und Validierung von Updates", + "description": "Updates werden vor Verteilung in isolierten Testumgebungen getestet und validiert; manipulierte und unvollstaendige Update-Pakete werden in Tests erkannt; Funktionsfaehigkeit nach Update wird geprueft.", + "tier": "BEST_PRACTICE", + "subdomain": "update_testing", + "applicability": "universal", + 
"evidence_facets": {
+ "governance": false,
+ "capability": true,
+ "evidence": true
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "SP 800-40 Test before deploy",
+ "role": "best_practice"
+ },
+ {
+ "source": "ISO",
+ "anchor": "ISO/IEC 27001 A.8.32",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M1",
+ "M13"
+ ],
+ "member_controls": [
+ "AUTH-1742-A10",
+ "COMP-2768-A06",
+ "COMP-2768-A07",
+ "CRYP-1332-A08",
+ "CRYP-504-A07",
+ "CRYP-504-A17",
+ "CRYP-504-A24",
+ "GOV-2540-A08",
+ "HSM-003-A01",
+ "HSM-003-A08",
+ "ROT-005-A01",
+ "SEC-3665-A06",
+ "SEC-3847-A03",
+ "SEC-3885-A03",
+ "SEC-3928-A01",
+ "SEC-3970-A09",
+ "SEC-3972",
+ "SEC-430-A29",
+ "SEC-7067-A11",
+ "SEC-7621-A08",
+ "SEC-8998-A01",
+ "SEC-9002-A10",
+ "SEC-9007-A01",
+ "SEC-9019-A06",
+ "UPD-004-A07"
+ ],
+ "member_count": 25,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.8,
+ "source_meta_cluster": "M1",
+ "cluster_size": 20,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "updates",
+ "capability_candidate": true
+ },
+ {
+ "id": "update_rollback",
+ "name": "Rollback-Prozess fuer Updates",
+ "description": "Dokumentierter und getesteter Rollback-Prozess fuer fehlerhafte Firmware-/Software-Updates; unvollstaendige Updates werden blockiert und Update-Ereignisse explizit bestaetigt.",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "update_rollback",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": true,
+ "evidence": true
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "SP 800-40 Rollback",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M1",
+ "M11"
+ ],
+ "member_controls": [
+ "AUTH-1742-A10",
+ "COMP-2768-A06",
+ "COMP-2768-A07",
+ "CRYP-1332-A08",
+ "CRYP-504-A07",
+ "CRYP-504-A17",
+ "CRYP-504-A24",
+ "GOV-2540-A08",
+ "HSM-003-A01",
+ "HSM-003-A08",
+ "ROT-005-A01",
+ "SEC-3665-A06",
+ "SEC-3847-A03",
+ "SEC-3885-A03",
+ "SEC-3928-A01",
+ "SEC-3970-A09",
+ "SEC-3972",
+ "SEC-3999-A04",
+ "SEC-4018-A02",
+ "SEC-430-A29",
+ "SEC-7067-A11",
+ "SEC-7077-A03",
+ "SEC-9019-A06"
+ ],
+ "member_count": 23,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.75,
+ "source_meta_cluster": "M1",
+ "cluster_size": 20,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "updates",
+ "capability_candidate": true
+ },
+ {
+ "id": "automatic_updates_optout",
+ "name": "Automatische Updates mit Standardaktivierung und Opt-out",
+ "description": "Automatische Sicherheitsupdates sind standardmaessig aktiviert mit sicherer Standardkonfiguration; eine Funktion zur Deaktivierung (Opt-out) wird bereitgestellt.",
+ "tier": "LEGAL_MINIMUM",
+ "subdomain": "automatic_updates",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": true,
+ "evidence": false
+ },
+ "source_role": "LEGAL_BASIS",
+ "legal_basis": [
+ {
+ "source": "CRA",
+ "anchor": "Annex I (2)(c)",
+ "citation": "Sicherheitsupdates werden, soweit moeglich, automatisch installiert mit Opt-out-Moeglichkeit des Nutzers."
+ }
+ ],
+ "guidance_basis": [],
+ "member_review_units": [
+ "M12",
+ "M9"
+ ],
+ "member_controls": [
+ "SEC-1494-A02",
+ "SEC-4195-A01",
+ "SEC-4984-A03",
+ "SEC-580",
+ "SEC-9025",
+ "SEC-9110-A01"
+ ],
+ "member_count": 6,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.9,
+ "source_meta_cluster": "M12",
+ "cluster_size": 5,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "updates",
+ "capability_candidate": true
+ },
+ {
+ "id": "update_risk_assessment",
+ "name": "Risikobeurteilung der Update-Pflicht",
+ "description": "Risikobeurteilung des Herstellers zur Bestimmung notwendiger Sicherheitsupdates, einschliesslich Behandlung von Software ohne Sicherheitsupdates.",
+ "tier": "LEGAL_MINIMUM",
+ "subdomain": "risk_assessment",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": false,
+ "evidence": true
+ },
+ "source_role": "LEGAL_BASIS",
+ "legal_basis": [
+ {
+ "source": "CRA",
+ "anchor": "Annex I (1)(2)",
+ "citation": "Cybersicherheits-Risikobeurteilung als Grundlage fuer Schwachstellenbehandlung."
+ }
+ ],
+ "guidance_basis": [],
+ "member_review_units": [
+ "M3"
+ ],
+ "member_controls": [
+ "COMP-745",
+ "NET-790-A02"
+ ],
+ "member_count": 2,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.8,
+ "source_meta_cluster": "M3",
+ "cluster_size": 2,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "updates"
+ },
+ {
+ "id": "secure_modification_control",
+ "name": "Kontrolle sicherheitsrelevanter Updates an Lifecycle-Objekten",
+ "description": "Schreibzugriff auf sicherheitskritische Lifecycle-Objekte (z.B. EF.SecModLifeCycle) ist nur im Rahmen validierter Firmware-Updates moeglich; Schreibzugriff ohne Update wird abgelehnt.",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "lifecycle_access_control",
+ "applicability": "conditional:secure_element_or_smartcard",
+ "evidence_facets": {
+ "governance": false,
+ "capability": true,
+ "evidence": true
+ },
+ "source_role": "IMPLEMENTATION",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "BSI",
+ "anchor": "TR-03110 / SecMod Lifecycle",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M10"
+ ],
+ "member_controls": [
+ "SEC-3738-A03",
+ "SEC-3738-A08",
+ "SEC-3738-A09"
+ ],
+ "member_count": 3,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.7,
+ "source_meta_cluster": "M10",
+ "cluster_size": 3,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "updates"
+ }
+ ],
+ "relationships": [
+ {
+ "type": "supports",
+ "from": "signed_update_integrity",
+ "to": "provide_security_updates",
+ "note": "Integritaetsschutz sichert die Update-Bereitstellung ab."
+ },
+ {
+ "type": "supports",
+ "from": "trusted_update_source",
+ "to": "provide_security_updates",
+ "note": "Vertrauenswuerdige Quelle als Voraussetzung sicherer Updates."
+ },
+ {
+ "type": "produces_evidence_for",
+ "from": "update_testing_validation",
+ "to": "provide_security_updates",
+ "note": "Testnachweise belegen Wirksamkeit der Updates."
+ },
+ {
+ "type": "supports",
+ "from": "update_rollback",
+ "to": "provide_security_updates",
+ "note": "Rollback sichert Update-Prozess gegen Fehler ab."
+ },
+ {
+ "type": "implements",
+ "from": "automatic_updates_optout",
+ "to": "provide_security_updates",
+ "note": "Automatische Installation konkretisiert Bereitstellungspflicht."
+ },
+ {
+ "type": "depends_on",
+ "from": "provide_security_updates",
+ "to": "update_risk_assessment",
+ "note": "Updatebedarf folgt aus Risikobeurteilung."
+ },
+ {
+ "type": "depends_on",
+ "from": "support_period_maintenance",
+ "to": "provide_security_updates",
+ "note": "Wartung definiert den Bereitstellungszeitraum."
+ },
+ {
+ "type": "derived_from",
+ "from": "secure_modification_control",
+ "to": "signed_update_integrity",
+ "note": "Spezialfall validierter Schreibzugriff via Firmware-Update."
+ },
+ {
+ "type": "out_of_scope",
+ "review_units": [
+ "M4",
+ "M7"
+ ],
+ "note": "M4 (digitale Veraenderungen allgemein) und M7 (TLS-Proxy-Kanalverwaltung) betreffen Konfigurations-/Netzwerkmanagement, nicht die Update-/Patch-Pflicht im engeren Sinne."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/obligations/obligation_join_keys.json b/obligations/obligation_join_keys.json
index 54a12bee..7a5d5bec 100644
--- a/obligations/obligation_join_keys.json
+++ b/obligations/obligation_join_keys.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "obligation_join_keys_v1",
 "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
- "count": 84,
+ "count": 93,
 "obligation_ids": [
 {
 "obligation_id": "sbom_creation",
@@ -736,6 +736,91 @@
 "tier": "BEST_PRACTICE",
 "citation_units": [],
 "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "provide_security_updates",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (2)(c)",
+ "Art. 13"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "support_period_maintenance",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Art. 13(8)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "signed_update_integrity",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(3)(f)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "trusted_update_source",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(3)(d)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "update_testing_validation",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "update_rollback",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "automatic_updates_optout",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (2)(c)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "update_risk_assessment",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(2)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "secure_modification_control",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "IMPLEMENTATION"
+ }
 ]
 }
\ No newline at end of file
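Review bot: The `citation_units` anchors `"Annex I (1)(3)(f)"`, `"Annex I (1)(3)(d)"` and `"Annex I (1)(2)"` on the signed_update_integrity, trusted_update_source and update_risk_assessment entries use a different Annex I numbering scheme than the `"Annex I (2)(c)"` anchor on provide_security_updates and automatic_updates_optout in the same hunk; in the adopted regulation the lettered essential requirements sit under Part I point (2), so the (1)(3)(x) form looks like the earlier proposal's numbering rather than a second citation style. Because this file is declared as the contract that citation spans and control mappings join on, a wrong anchor here silently attaches the update-integrity and update-authenticity obligations to the wrong provision. Verify the three anchors against the adopted Annex I text before span anchors are attached and normalise them to the `"Annex I (2)(c)"` form (for the integrity requirement that would presumably be `"Annex I (2)(f)"`, to be confirmed). If update_risk_assessment is meant to carry the manufacturer's risk-assessment duty itself rather than only its role as the basis for the Annex I requirements, add the corresponding Article 13 paragraph to its citation_units so it matches the `"Art. 13"` / `"Art. 13(8)"` style of its siblings.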
diff --git a/scripts/obligation_discovery/precluster.py b/scripts/obligation_discovery/precluster.py index 8b0f1fcf..f4b09dd8 100644 --- a/scripts/obligation_discovery/precluster.py +++ b/scripts/obligation_discovery/precluster.py @@ -26,6 +26,13 @@ SCOPES = { "%remote access%", "%remote maintenance%", "%remote management%", "%remote-wartung%", "%remote-zugriff%", "%remote-zugang%", "%sichere fernwartung%", "%fernsteuerung%"], + "updates": ["%sicherheitsupdate%", "%security update%", "%sicherheits-update%", + "%security patch%", "%sicherheitspatch%", "%patch-management%", + "%patchmanagement%", "%patch management%", "%firmware-update%", + "%firmware update%", "%software-update%", "%software update%", + "%automatische aktualisierung%", "%update-mechanismus%", + "%update-bereitstellung%", "%bereitstellung von updates%", + "%sichere aktualisierung%", "%signierte update%", "%update-paket%"], }
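Review bot: The new `"updates"` scope patterns are all lowercase `%…%` wildcards, which look like SQL LIKE patterns, so whether `Security Update` or `Firmware-Update` at the start of a German control title still matches depends on the query lowercasing the column or on a case-insensitive LIKE (SQLite, not PostgreSQL); that query is not in this hunk, so please confirm it, otherwise this scope silently drops capitalised hits at the pre-clustering stage. The inflected German forms also leave gaps a recall-oriented scope should not have: `"%signierte update%"` catches "signierte Updates" but not "signiertes Update", and `"%security update%"` has no hyphenated twin although `"%sicherheits-update%"` and `"%sicherheitsupdate%"` both exist; a stem such as `"%signiert% update%"` and a `"%security-update%"` entry close those. The `SCOPES` literal this entry extends begins before the hunk.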