diff --git a/obligations/controls_for_obligation_mapping.json b/obligations/controls_for_obligation_mapping.json
index 28449ae9..f2e03563 100644
--- a/obligations/controls_for_obligation_mapping.json
+++ b/obligations/controls_for_obligation_mapping.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "controls_for_obligation_mapping_v1",
- "purpose": "Accepted CRA->OWASP controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.",
- "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25",
- "filled_by": "obligation-registry-session 2026-06-25 (alle 7/7: 4 auth/crypto + 3 logging via cra_logging.json)",
+ "purpose": "Accepted CRA->Framework controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.",
+ "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25. OWASP ASVS (7, gefuellt) + NIST SP 800-53 (3, pending).",
+ "filled_by": "obligation-registry-session 2026-06-25 (OWASP 7/7: 4 auth/crypto + 3 logging). NIST 3 NEU + pending: SI-7/SI-2/CM-7. Notes auf updates-Familie (join_keys 93) ausgerichtet: SI-2->provide_security_updates (stark), SI-7->signed_update_integrity (partiell, SI-7 breiter), CM-7->remote_access_attack_surface_min (partiell, CM-7 breiter).",
 "join_principle": "SEMANTISCH via obligation_id, NICHT via citation_unit/legal_basis-Anker. Die CRA-Anker sind im Registry teils approximativ (siehe anchor_quality_note) — daher ist obligation_id der stabile Primaerschluessel, nicht der Anker.",
 "anchor_quality_note": "Registry-legal_basis-Anker sind teils CRA-Part-I-fehlzugeordnet (Opus-Synthese): user_authentication_required steht auf (2)(d) statt (2)(c); Crypto-Obligations auf (2)(e) statt (2)(d). CRA Annex I Part I: (2)(c)=Zugriffsschutz, (2)(d)=Vertraulichkeit, (2)(e)=Integritaet. Korrektur kommt mit dem zitierfaehigen Re-Ingest (span-genau). Deshalb: NICHT auf Anker joinen. ABER: der Logging-Cut (V16.*) ist korrekt auf (2)(k) verankert (echte Logging-Subsektion, kein Fehl-Anker).",
- "count": 7,
+ "mapping_type_note": "NEU: mapping_type=primary_implementation = die kanonische Primaer-Control einer Anforderung (genau eine), staerker als implements/supports. related-Controls (SC-3(3), RA-5, AC-6, SI-16, SA-10, ...) folgen separat als supports. Eine Obligation kann mehrere Controls haben, aber genau einen primary_implementation-Einstieg.",
+ "count": 10,
 "controls": [
 {
 "framework": "OWASP ASVS", "control": "V6.3.1",
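Review bot: The CRA Annex I Part I (2) lettering this file documents in `anchor_quality_note` — (2)(c)=Zugriffsschutz, (2)(d)=Vertraulichkeit, (2)(e)=Integritaet, logging "korrekt auf (2)(k)" — contradicts `curation.anchor_quality` in `obligations/cra_remote_access.json`, added by the same commit, which states (d)=Zugriffsschutz, (e)=Vertraulichkeit, (f)=Integritaet, (j)=Angriffsflaeche, (l)=Logging, and the new NIST entries in the next hunk (SI-7 on (2)(e), CM-7 on (2)(i)) follow the first table. Both files tell the reader not to join on the letter, but a reviewer checking an anchor now gets two different lookup tables from one commit; as far as I recall the second table matches the final regulation text, so please verify against the published Annex I and either correct `anchor_quality_note` or state in it which table is authoritative. Separately, `"count": 10` merely duplicates the length of `controls` and has to be bumped by hand on every addition (this hunk already does so); either drop it or assert it against the array length wherever this file is loaded.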
@@ -62,6 +63,30 @@
 "proposed_obligation_id": "event_logging_security_events",
 "mapping_method": "semantic",
 "mapping_note": "V16.1 = allgemeine Logging-Anforderung -> Umbrella-LM event_logging_security_events. Hohe Konfidenz."
+ },
+ {
+ "framework": "NIST SP 800-53", "control": "SI-7",
+ "source_norm": "CRA Annex I Part I (2)(e) — Integritaet",
+ "citation_unit": "Annex I (2)(e)", "family": "integrity", "mapping_type": "primary_implementation",
+ "proposed_obligation_id": "",
+ "mapping_method": "semantic",
+ "mapping_note": "NIST SI-7 = Software/Firmware/Information Integrity (Signaturpruefung, Manipulationserkennung, Secure Boot, Runtime-Integritaet). Naechster vorhandener Treffer (93-Stand): signed_update_integrity (updates-Familie, Annex I (1)(3)(f)) — deckt aber NUR Update-Signatur. SI-7 ist BREITER (gesamte Produkt-Integritaet). Falls keine generische Integritaets-Obligation existiert: neue noetig (Vorschlag software_integrity_protection); sonst SI-7 primary_implementation fuer signed_update_integrity (update-scoped) + supports fuers Breitere. NICHT log_integrity_immutability (Audit-Log-Schutz, andere Ebene)."
+ },
+ {
+ "framework": "NIST SP 800-53", "control": "SI-2",
+ "source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates",
+ "citation_unit": "Annex I (2)(l)", "family": "update", "mapping_type": "primary_implementation",
+ "proposed_obligation_id": "",
+ "mapping_method": "semantic",
+ "mapping_note": "NIST SI-2 = Flaw Remediation. STARKER Treffer in eurer NEUEN updates-Familie (93-Stand): provide_security_updates (LEGAL_MINIMUM, Annex I (2)(c) + Art. 13) = DAS sichere-Update-LM. -> SI-2 primary_implementation = provide_security_updates. Verwandt (supports): vuln_remediation_patching (Part II Remediations-PROZESS), support_period_maintenance, update_testing_validation, update_rollback. Mein source_norm-Anker (2)(l) ist approximativ -> bitte (2)(c)/Art.13 via provide_security_updates nutzen."
+ },
+ {
+ "framework": "NIST SP 800-53", "control": "CM-7",
+ "source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren",
+ "citation_unit": "Annex I (2)(i)", "family": "attack_surface", "mapping_type": "primary_implementation",
+ "proposed_obligation_id": "",
+ "mapping_method": "semantic",
+ "mapping_note": "NIST CM-7 = Least Functionality (deaktivierte Ports/Dienste/Funktionen, GESAMTE Angriffsflaeche). Naechster vorhandener Treffer (93-Stand): remote_access_attack_surface_min (remote_access-Familie) — deckt aber NUR Remote-Access-Flaeche. CM-7 ist BREITER. Vermutlich generische Obligation noetig (Vorschlag attack_surface_minimization); sonst CM-7 supports fuer remote_access_attack_surface_min. related (supports): SC-3(3)/AC-6/SI-16."
 }
 ]
 }
diff --git a/obligations/cra_remote_access.json b/obligations/cra_remote_access.json
new file mode 100644
index 00000000..266bfdff
--- /dev/null
+++ b/obligations/cra_remote_access.json
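Review bot: All three new NIST entries set `"mapping_type": "primary_implementation"` while leaving `"proposed_obligation_id": ""`, and the file's `purpose` says that id is adopted into `control_mapping.obligation_id`; an adopter that does not special-case the empty string will copy `""` as a primary mapping, and for SI-7 and CM-7 the `mapping_note` itself says the match is only partial and may end up as `supports`. Record the pending state structurally rather than by string content — `"proposed_obligation_id": null` while unfilled, or leave `mapping_type` unset until the target obligation is decided — so the seven filled OWASP entries and the three pending ones differ by type and not by whether a string happens to be empty. The SI-2 entry also ships an anchor its own note calls approximate (`source_norm` and `citation_unit` on `(2)(l)` while the note asks for `(2)(c)/Art. 13`); put the anchor you want adopted into the fields, otherwise data and note disagree as soon as the note is trimmed. The earlier elements of `controls` are outside the hunk, so I cannot confirm they carry `source_norm`, `family` and `mapping_type`; if they do not, the array now holds two element shapes, which `mapping_type_note` hints at but does not state.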
@@ -0,0 +1,1657 @@ +{ + "schema_version": "obligation_registry_v1", + "regulation": "CRA", + "regulation_code": "CRA", + "family": "remote_access", + "theme": "Sichere Fernwartung / Remote Access (CRA Annex I)", + "generated_by": "obligation_discovery/claude-opus-4-8", + "synthesis_version": "v1", + "citation_status": "pending_span_anchor", + "curation": { + "curated_by": "obligation-registry-session 2026-06-25", + "method": "two-stage clustering (445->209 micro->27 review-units) -> Opus synthesis -> key-free re-tier", + "scope_controls": 445, + "micro_clusters": 209, + "review_units": 27, + "obligations": 18, + "tier_split": { + "LEGAL_MINIMUM": 5, + "BEST_PRACTICE": 13 + }, + "out_of_scope": [ + "M5/M11 = physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen (MaschinenVO 2023/1230)" + ], + "retier_rule": "Synthese vergab 14 LM. Kuriert nach der Auth-Regel: nur OUTCOME-Pflichten je CRA-Annex-I-Buchstabe bleiben LEGAL_MINIMUM (confidentiality/integrity, access-control/least-privilege, attack-surface-min, logging, vuln-patch); spezifische MECHANISMEN/Sub-Praktiken (MFA, Session-Timeout, VPN/TLS, insecure-protocol-block, OT-Validierung, Wartungs-Governance, temporaerer Zugriff, Daten-Export, Komponenten-Interface) -> BEST_PRACTICE + guidance_basis + supports-Kante zur Eltern-LM.", + "anchor_quality": "legal_basis-Buchstaben sind APPROXIMATIV (Opus): Verschluesselung als (b) statt (e), Logging als (g)/(k) statt (l), Attack-Surface als (a) statt (j). CRA Annex I Part I (2): (d)=Zugriffsschutz, (e)=Vertraulichkeit, (f)=Integritaet, (j)=Angriffsflaeche, (l)=Logging. Span-genaue Korrektur mit Re-Ingest. NICHT auf Buchstaben joinen.", + "borderline": [ + "remote_access_data_export_protection (evtl. 
LM unter (g) Datenminimierung)", + "component_remote_interface_security (ueberlappt attack_surface_min)" + ] + }, + "obligations": [ + { + "id": "remote_access_control_least_privilege", + "name": "Zugriffskontrolle und Least Privilege fuer Fernzugriff", + "description": "Fernzugriff auf Systeme ist zu konfigurieren und zu kontrollieren nach dem Prinzip der minimalen Rechtevergabe; privilegierte Befehle ueber Fernzugriff sind zu beschraenken und Zugriffsgenehmigungen pro Benutzer/Zielressource festzulegen.", + "tier": "LEGAL_MINIMUM", + "subdomain": "access_control", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(d)", + "citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen (Authentifizierung, Identitaets- und Zugriffsmanagement)" + } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 AC-3/AC-6/AC-17", + "role": "best_practice" + } + ], + "member_review_units": [ + "M0", + "M13" + ], + "member_controls": [ + "ACC-0404-A02", + "ACC-0404-A06", + "ACC-0405-A02", + "ACC-0406-A02", + "ACC-0406-A03", + "ACC-0406-A04", + "ACC-0406-A05", + "ACC-0407-A03", + "ACC-0407-A04", + "ACC-0409-A01", + "ACC-0409-A05", + "ACC-0409-A06", + "ACC-163-A24", + "ACC-584", + "ACC-584-A01", + "ACC-584-A02", + "ACC-584-A06", + "ACC-584-A07", + "ACC-584-A08", + "AI-067-A08", + "AI-067-A20", + "AI-084-A37", + "AI-099-A27", + "AI-101-A22", + "AI-117-A09", + "AI-117-A25", + "AI-118-A29", + "AI-120-A27", + "AI-126-A21", + "AI-1263", + "AI-195-A12", + "AUTH-1446-A03", + "AUTH-2338-A04", + "AUTH-2338-A09", + "AUTH-2386", + "AUTH-2386-A01", + "AUTH-2386-A02", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2413-A02", + "AUTH-2419-A07", + "AUTH-2421-A01", + "AUTH-2421-A02", + "AUTH-2421-A03", + "AUTH-2421-A04", + "AUTH-2461", + "AUTH-2461-A01", + "AUTH-3825-A08", + "AUTH-3887-A01", + 
"AUTH-3928-A08", + "AUTH-3928-A09", + "AUTH-586", + "AUTH-586-A01", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-909-A10", + "AUTH-909-A20", + "AUTH-909-A30", + "AUTH-909-A40", + "AUTH-909-A50", + "COMP-001-A81", + "COMP-043-A23", + "COMP-096-A26", + "COMP-1054-A08", + "COMP-1212-A13", + "COMP-1212-A27", + "COMP-1212-A39", + "COMP-1212-A53", + "COMP-1212-A69", + "COMP-1240-A31", + "COMP-372-A11", + "COMP-383-A07", + "COMP-383-A14", + "COMP-430-A09", + "COMP-449-A12", + "COMP-449-A25", + "COMP-498-A01", + "COMP-592-A09", + "COMP-592-A21", + "COMP-707-A15", + "COMP-711-A07", + "COMP-932-A11", + "COMP-932-A23", + "COMP-995-A13", + "COMP-995-A22", + "CRYP-127-A03", + "CRYP-127-A04", + "CRYP-127-A05", + "CRYP-127-A06", + "CRYP-1700-A01", + "CRYP-1700-A02", + "CRYP-1701-A01", + "CRYP-1725-A04", + "CRYP-1725-A05", + "CRYP-1725-A06", + "CRYP-1725-A07", + "CRYP-1726", + "CRYP-1726-A01", + "CRYP-182", + "CRYP-182-A01", + "CRYP-182-A03", + "CRYP-182-A04", + "CRYP-182-A05", + "CRYP-191-A04", + "CRYP-191-A05", + "CRYP-191-A06", + "CRYP-194-A07", + "CRYP-1988-A07", + "CRYP-210", + "CRYP-210-A01", + "CRYP-210-A02", + "CRYP-210-A03", + "CRYP-210-A04", + "CRYP-210-A05", + "CRYP-210-A09", + "CRYP-210-A10", + "CRYP-210-A11", + "CRYP-2191-A12", + "CRYP-245", + "CRYP-245-A01", + "CRYP-245-A02", + "CRYP-289", + "CRYP-289-A01", + "CRYP-289-A02", + "CRYP-289-A04", + "CRYP-289-A05", + "CRYP-289-A06", + "CRYP-289-A10", + "DATA-119-A23", + "DATA-4067-A03", + "DATA-554-A03", + "DATA-700-A12", + "FIN-101-A13", + "FIN-101-A29", + "FIN-101-A45", + "FIN-101-A62", + "FIN-101-A78", + "FIN-101-A95", + "FIN-258-A19", + "FIN-340-A11", + "FIN-340-A25", + "FIN-340-A39", + "FIN-340-A53", + "FIN-340-A67", + "GOV-0665-A07", + "GOV-0665-A18", + "GOV-0665-A25", + "GOV-0665-A37", + "GOV-191-A07", + "GOV-191-A17", + "GOV-277-A05", + "GOV-277-A06", + "GOV-3066", + "GOV-413-A05", + "GOV-413-A09", + "GOV-413-A14", + "GOV-413-A18", + "GOV-524-A04", + "GOV-524-A05", + "GOV-524-A31", + "GOV-561-A07", + "LOG-072-A22", 
+ "LOG-1361-A01", + "LOG-1385-A02", + "LOG-1486-A06", + "LOG-1506-A03", + "LOG-1549-A10", + "LOG-1692", + "LOG-1692-A01", + "LOG-1692-A02", + "LOG-1692-A03", + "LOG-1692-A04", + "LOG-266", + "LOG-353-A07", + "LOG-353-A08", + "LOG-353-A13", + "LOG-353-A18", + "LOG-445-A06", + "LOG-445-A10", + "LOG-445-A16", + "LOG-445-A20", + "LOG-471-A01", + "LOG-471-A05", + "LOG-741-A24", + "NET-041-A07", + "NET-041-A17", + "NET-047-A05", + "NET-047-A06", + "NET-047-A15", + "NET-047-A16", + "NET-0673-A02", + "NET-0673-A05", + "NET-0673-A09", + "NET-073-A08", + "NET-073-A22", + "NET-078-A05", + "NET-078-A16", + "NET-082-A04", + "NET-091-A02", + "NET-091-A03", + "NET-091-A04", + "NET-091-A05", + "NET-091-A13", + "NET-091-A14", + "NET-091-A15", + "NET-091-A16", + "NET-093-A09", + "NET-093-A22", + "NET-1147-A10", + "NET-1243-A05", + "NET-1344-A05", + "NET-1356-A03", + "NET-1461-A03", + "NET-1626-A17", + "NET-266-A15", + "NET-277-A04", + "NET-277-A05", + "NET-277-A13", + "NET-277-A14", + "NET-326", + "NET-329-A10", + "NET-329-A22", + "NET-336-A03", + "NET-336-A12", + "NET-375", + "NET-375-A02", + "NET-375-A04", + "NET-375-A08", + "NET-375-A10", + "NET-382-A12", + "NET-382-A24", + "NET-416", + "NET-416-A14", + "NET-441-A01", + "NET-441-A06", + "NET-441-A07", + "NET-441-A12", + "NET-543-A04", + "NET-543-A77", + "SEC-049-A12", + "SEC-156-A16", + "SEC-156-A30", + "SEC-182-A07", + "SEC-182-A08", + "SEC-182-A16", + "SEC-182-A17", + "SEC-297-A09", + "SEC-297-A19", + "SEC-3193-A05", + "SEC-338-A11", + "SEC-338-A22", + "SEC-3855-A05", + "SEC-386", + "SEC-386-A01", + "SEC-386-A03", + "SEC-386-A05", + "SEC-386-A06", + "SEC-386-A07", + "SEC-386-A09", + "SEC-386-A11", + "SEC-386-A13", + "SEC-386-A14", + "SEC-386-A15", + "SEC-386-A16", + "SEC-4874-A03", + "SEC-4874-A05", + "SEC-5814", + "SEC-5843", + "SEC-6093-A01", + "SEC-6762", + "SEC-6762-A02", + "SEC-6795-A03", + "SEC-6795-A06", + "SEC-8179-A04", + "SEC-839-A19", + "SEC-8507", + "SEC-8885-A22" + ], + "member_count": 277, + "relationships": [], + 
"citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.92, + "source_meta_cluster": "M0", + "cluster_size": 274, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_confidentiality_integrity", + "name": "Vertraulichkeit und Integritaet des Fernzugriffs", + "description": "Vertraulichkeit und Integritaet von Remote-Zugriffsverbindungen sind sicherzustellen.", + "tier": "LEGAL_MINIMUM", + "subdomain": "access_control", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(b)(c)", + "citation": "Schutz der Vertraulichkeit und Integritaet von Daten und Befehlen" + } + ], + "guidance_basis": [], + "member_review_units": [ + "M0" + ], + "member_controls": [ + "ACC-0404-A02", + "ACC-0404-A06", + "ACC-0405-A02", + "ACC-0406-A02", + "ACC-0406-A03", + "ACC-0406-A04", + "ACC-0406-A05", + "ACC-0407-A03", + "ACC-0407-A04", + "ACC-0409-A01", + "ACC-0409-A05", + "ACC-0409-A06", + "ACC-163-A24", + "ACC-584", + "ACC-584-A01", + "ACC-584-A02", + "ACC-584-A06", + "ACC-584-A07", + "ACC-584-A08", + "AI-067-A08", + "AI-067-A20", + "AI-084-A37", + "AI-099-A27", + "AI-101-A22", + "AI-117-A09", + "AI-117-A25", + "AI-118-A29", + "AI-120-A27", + "AI-126-A21", + "AI-1263", + "AI-195-A12", + "AUTH-1446-A03", + "AUTH-2338-A04", + "AUTH-2338-A09", + "AUTH-2386", + "AUTH-2386-A01", + "AUTH-2386-A02", + "AUTH-2413", + "AUTH-2413-A01", + "AUTH-2413-A02", + "AUTH-2419-A07", + "AUTH-2421-A01", + "AUTH-2421-A02", + "AUTH-2421-A03", + "AUTH-2421-A04", + "AUTH-2461", + "AUTH-2461-A01", + "AUTH-3825-A08", + "AUTH-3887-A01", + "AUTH-3928-A08", + "AUTH-3928-A09", + "AUTH-586", + "AUTH-586-A01", + "AUTH-586-A03", + "AUTH-586-A04", + "AUTH-909-A10", + "AUTH-909-A20", + 
"AUTH-909-A30", + "AUTH-909-A40", + "AUTH-909-A50", + "COMP-001-A81", + "COMP-043-A23", + "COMP-096-A26", + "COMP-1054-A08", + "COMP-1212-A13", + "COMP-1212-A27", + "COMP-1212-A39", + "COMP-1212-A53", + "COMP-1212-A69", + "COMP-1240-A31", + "COMP-372-A11", + "COMP-383-A07", + "COMP-383-A14", + "COMP-430-A09", + "COMP-449-A12", + "COMP-449-A25", + "COMP-498-A01", + "COMP-592-A09", + "COMP-592-A21", + "COMP-707-A15", + "COMP-711-A07", + "COMP-932-A11", + "COMP-932-A23", + "COMP-995-A13", + "COMP-995-A22", + "CRYP-127-A03", + "CRYP-127-A04", + "CRYP-127-A05", + "CRYP-127-A06", + "CRYP-1700-A01", + "CRYP-1700-A02", + "CRYP-1701-A01", + "CRYP-1725-A04", + "CRYP-1725-A05", + "CRYP-1725-A06", + "CRYP-1725-A07", + "CRYP-1726", + "CRYP-1726-A01", + "CRYP-182", + "CRYP-182-A01", + "CRYP-182-A03", + "CRYP-182-A04", + "CRYP-182-A05", + "CRYP-191-A04", + "CRYP-191-A05", + "CRYP-191-A06", + "CRYP-194-A07", + "CRYP-1988-A07", + "CRYP-210", + "CRYP-210-A01", + "CRYP-210-A02", + "CRYP-210-A03", + "CRYP-210-A04", + "CRYP-210-A05", + "CRYP-210-A09", + "CRYP-210-A10", + "CRYP-210-A11", + "CRYP-2191-A12", + "CRYP-245", + "CRYP-245-A01", + "CRYP-245-A02", + "CRYP-289", + "CRYP-289-A01", + "CRYP-289-A02", + "CRYP-289-A04", + "CRYP-289-A05", + "CRYP-289-A06", + "CRYP-289-A10", + "DATA-119-A23", + "DATA-4067-A03", + "DATA-554-A03", + "DATA-700-A12", + "FIN-101-A13", + "FIN-101-A29", + "FIN-101-A45", + "FIN-101-A62", + "FIN-101-A78", + "FIN-101-A95", + "FIN-258-A19", + "FIN-340-A11", + "FIN-340-A25", + "FIN-340-A39", + "FIN-340-A53", + "FIN-340-A67", + "GOV-0665-A07", + "GOV-0665-A18", + "GOV-0665-A25", + "GOV-0665-A37", + "GOV-191-A07", + "GOV-191-A17", + "GOV-277-A05", + "GOV-277-A06", + "GOV-3066", + "GOV-413-A05", + "GOV-413-A09", + "GOV-413-A14", + "GOV-413-A18", + "GOV-524-A04", + "GOV-524-A05", + "GOV-524-A31", + "GOV-561-A07", + "LOG-072-A22", + "LOG-1361-A01", + "LOG-1385-A02", + "LOG-1486-A06", + "LOG-1506-A03", + "LOG-1549-A10", + "LOG-1692", + "LOG-1692-A01", + "LOG-1692-A02", + 
"LOG-1692-A03", + "LOG-1692-A04", + "LOG-266", + "LOG-353-A07", + "LOG-353-A08", + "LOG-353-A13", + "LOG-353-A18", + "LOG-445-A06", + "LOG-445-A10", + "LOG-445-A16", + "LOG-445-A20", + "LOG-471-A01", + "LOG-471-A05", + "LOG-741-A24", + "NET-041-A07", + "NET-041-A17", + "NET-047-A05", + "NET-047-A06", + "NET-047-A15", + "NET-047-A16", + "NET-0673-A02", + "NET-0673-A05", + "NET-0673-A09", + "NET-073-A08", + "NET-073-A22", + "NET-078-A05", + "NET-078-A16", + "NET-082-A04", + "NET-091-A02", + "NET-091-A03", + "NET-091-A04", + "NET-091-A05", + "NET-091-A13", + "NET-091-A14", + "NET-091-A15", + "NET-091-A16", + "NET-093-A09", + "NET-093-A22", + "NET-1243-A05", + "NET-1344-A05", + "NET-1461-A03", + "NET-1626-A17", + "NET-266-A15", + "NET-277-A04", + "NET-277-A05", + "NET-277-A13", + "NET-277-A14", + "NET-326", + "NET-329-A10", + "NET-329-A22", + "NET-336-A03", + "NET-336-A12", + "NET-375", + "NET-375-A02", + "NET-375-A04", + "NET-375-A08", + "NET-375-A10", + "NET-382-A12", + "NET-382-A24", + "NET-416", + "NET-416-A14", + "NET-441-A01", + "NET-441-A06", + "NET-441-A07", + "NET-441-A12", + "NET-543-A04", + "NET-543-A77", + "SEC-049-A12", + "SEC-156-A16", + "SEC-156-A30", + "SEC-182-A07", + "SEC-182-A08", + "SEC-182-A16", + "SEC-182-A17", + "SEC-297-A09", + "SEC-297-A19", + "SEC-338-A11", + "SEC-338-A22", + "SEC-3855-A05", + "SEC-386", + "SEC-386-A01", + "SEC-386-A03", + "SEC-386-A05", + "SEC-386-A06", + "SEC-386-A07", + "SEC-386-A09", + "SEC-386-A11", + "SEC-386-A13", + "SEC-386-A14", + "SEC-386-A15", + "SEC-386-A16", + "SEC-4874-A03", + "SEC-4874-A05", + "SEC-5814", + "SEC-5843", + "SEC-6093-A01", + "SEC-6762", + "SEC-6762-A02", + "SEC-6795-A03", + "SEC-6795-A06", + "SEC-8179-A04", + "SEC-839-A19", + "SEC-8507", + "SEC-8885-A22" + ], + "member_count": 274, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M0", + 
"cluster_size": 274, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_session_management", + "name": "Sitzungsmanagement und automatische Trennung", + "description": "Fernzugriffssitzungen muessen Timeouts haben und nach Abschluss bzw. Inaktivitaet automatisch getrennt werden.", + "tier": "BEST_PRACTICE", + "subdomain": "session_management", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 AC-12", + "role": "best_practice" + } + ], + "member_review_units": [ + "M1" + ], + "member_controls": [ + "AUTH-2419-A01", + "AUTH-2419-A02", + "CRYP-1700-A04", + "CRYP-1700-A05", + "CRYP-1725-A01", + "CRYP-1938-A09", + "LOG-1506-A04", + "NET-041-A06", + "NET-041-A16", + "NET-1344-A02", + "NET-1626-A01", + "NET-1626-A11", + "NET-336", + "NET-336-A09", + "NET-336-A16", + "SEC-3855-A03", + "SEC-3855-A06", + "SEC-3870-A01", + "SEC-3870-A02", + "SEC-6795-A01", + "SEC-6795-A04", + "SEC-6808-A01", + "SEC-8327-A10" + ], + "member_count": 23, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.88, + "source_meta_cluster": "M1", + "cluster_size": 23, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_mfa", + "name": "Multi-Faktor-Authentifizierung fuer Fernzugriff", + "description": "Fuer alle Fernzugriffssessions, insbesondere privilegierte Konten, ist MFA zu erzwingen.", + "tier": "BEST_PRACTICE", + "subdomain": "authentication", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + 
"guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 IA-2", + "role": "best_practice" + } + ], + "member_review_units": [ + "M2" + ], + "member_controls": [ + "AUTH-2461-A05", + "AUTH-3915-A07", + "AUTH-3980-A05", + "AUTH-894-A03", + "AUTH-894-A08", + "AUTH-894-A14", + "AUTH-894-A19", + "AUTH-894-A24", + "CRYP-1700", + "CRYP-1938-A02", + "NET-082-A05", + "NET-082-A17", + "NET-082-A18", + "NET-1787", + "NET-1787-A11", + "NET-375-A07", + "SEC-3870", + "SEC-6795-A02", + "SEC-8334-A06" + ], + "member_count": 19, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.93, + "source_meta_cluster": "M2", + "cluster_size": 19, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_encryption", + "name": "Verschluesselung der Fernzugriffsverbindungen", + "description": "Fernzugriffe muessen verschluesselt erfolgen (VPN/Tunnel-Modus, TLS, Client-Zertifikate).", + "tier": "BEST_PRACTICE", + "subdomain": "cryptography", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "IT-Grundschutz NET.3.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M6", + "M21", + "M23", + "M25" + ], + "member_controls": [ + "CRYP-1700-A03", + "CRYP-1701", + "CRYP-1732-A05", + "CRYP-1988-A03", + "CRYP-2191-A03", + "CRYP-2191-A04", + "NET-053-A05", + "NET-053-A13", + "NET-122-A03", + "NET-122-A11", + "NET-1461", + "NET-1461-A01", + "NET-1461-A02", + "NET-1461-A05", + "NET-266-A16", + "NET-336-A07", + "NET-336-A15", + "SEC-3220-A05", + "SEC-5858-A01", + "SEC-5858-A05", + "SEC-6712-A03", + "SEC-8327-A04", + "SEC-8334-A13" + ], + "member_count": 23, + "relationships": [], + 
"citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.91, + "source_meta_cluster": "M6", + "cluster_size": 15, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "reject_insecure_remote_protocols", + "name": "Verbot unsicherer Fernzugriffsprotokolle", + "description": "Unsichere/unverschluesselte Fernzugriffsprotokolle sind zu unterlassen bzw. zu blockieren.", + "tier": "BEST_PRACTICE", + "subdomain": "cryptography", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SC-8", + "role": "best_practice" + } + ], + "member_review_units": [ + "M7", + "M12" + ], + "member_controls": [ + "CRYP-1726-A02", + "LOG-266-A10", + "NET-1461-A06", + "SEC-8593-A10" + ], + "member_count": 4, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M7", + "cluster_size": 1, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_logging_audit", + "name": "Protokollierung und Audit von Fernzugriffen", + "description": "Fernwartungs- und Diagnoseaktivitaeten sind mit Zeitstempel, Benutzer und Aktion zu protokollieren und Audit-Logs aufzubewahren/zu analysieren.", + "tier": "LEGAL_MINIMUM", + "subdomain": "logging_monitoring", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)(g)", + "citation": "Aufzeichnung und Ueberwachung relevanter 
interner Aktivitaeten (Logging)" + } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-53 AU-2/MA-4", + "role": "best_practice" + } + ], + "member_review_units": [ + "M3", + "M18", + "M26" + ], + "member_controls": [ + "AUTH-2788-A01", + "COMP-3332-A03", + "INC-091-A07", + "LOG-1506-A05", + "LOG-1549-A02", + "LOG-1959-A07", + "LOG-1959-A11", + "LOG-353-A19", + "NET-1626-A02", + "NET-1626-A03", + "NET-1760-A05", + "SEC-3855", + "SEC-3855-A02", + "SEC-5843-A01", + "SEC-5843-A04", + "SEC-5925-A05", + "SEC-6712", + "SEC-6712-A02", + "SEC-6712-A04", + "SEC-8327-A03", + "SEC-8327-A05", + "SEC-8327-A09" + ], + "member_count": 22, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M3", + "cluster_size": 14, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access", + "cross_family_ref": "event_logging_security_events (cra_logging.json)" + }, + { + "id": "remote_access_user_validation_ot", + "name": "Identifizierung und Validierung von Fernzugriffsnutzern (ICS/OT)", + "description": "Benutzer mit Fernzugriff auf ICS/SCADA-Systeme sind zu identifizieren, zu validieren und Fernzugriffskanaele zu pruefen; OT-spezifische Absicherung.", + "tier": "BEST_PRACTICE", + "subdomain": "ics_ot", + "applicability": "domain:ics_ot", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "ICS Security Kompendium", + "role": "best_practice" + } + ], + "member_review_units": [ + "M8", + "M16" + ], + "member_controls": [ + "CRYP-1756-A03", + "CRYP-1756-A04", + "CRYP-191", + "CRYP-2191-A11", + "NET-082-A02", + "NET-082-A03", + "NET-082-A15", + "NET-082-A16", + "NET-091", + "NET-1364-A01", + "NET-991-A02", + "SEC-4140-A02", + "SEC-5025-A08", + 
"SEC-5787-A01", + "SEC-5877-A03" + ], + "member_count": 15, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "curated_retier_mechanism", + "provenance": { + "discovery_confidence": 0.84, + "source_meta_cluster": "M8", + "cluster_size": 13, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_training", + "name": "Schulung zur sicheren Nutzung von Fernzugriff", + "description": "Autorisierte Nutzer sind zur sicheren Nutzung von Fernzugriff und mobilen Geraeten zu schulen.", + "tier": "BEST_PRACTICE", + "subdomain": "awareness", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "ISO", + "anchor": "ISO/IEC 27001 A.6.3", + "role": "best_practice" + } + ], + "member_review_units": [ + "M19" + ], + "member_controls": [ + "NET-1758", + "NET-1758-A01", + "NET-1758-A03", + "NET-1809", + "NET-1809-A01", + "NET-1809-A02", + "SEC-5877", + "SEC-6795-A05", + "SEC-6802-A03", + "SEC-8873-A03" + ], + "member_count": 10, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M19", + "cluster_size": 10, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "remote_access" + }, + { + "id": "remote_access_architecture_design", + "name": "Architektur-Design fuer sicheren Fernzugriff", + "description": "Fernzugriffsarchitektur ist sicher zu konzipieren (Gateway/Agent-basiert, Zero-Trust, dedizierte isolierte Kanaele, Segmentierung).", + "tier": "BEST_PRACTICE", + "subdomain": "architecture", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + 
"source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "SP 800-207 Zero Trust",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M22",
+ "M24",
+ "M25"
+ ],
+ "member_controls": [
+ "NET-543-A73",
+ "SEC-3867-A01",
+ "SEC-3867-A02",
+ "SEC-5858-A01",
+ "SEC-5858-A05",
+ "SEC-6712-A03",
+ "SEC-7969",
+ "SEC-8327-A04",
+ "SEC-8334-A13"
+ ],
+ "member_count": 9,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.78,
+ "source_meta_cluster": "M22",
+ "cluster_size": 1,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "remote_access_attack_surface_min",
+ "name": "Minimierung der Fernzugriffs-Angriffsflaeche",
+ "description": "Unnoetige Backdoors und Fernzugriffsschnittstellen sind zu deaktivieren; offene Ports/Schnittstellen zu inventarisieren und zu schuetzen.",
+ "tier": "LEGAL_MINIMUM",
+ "subdomain": "hardening",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": false,
+ "capability": true,
+ "evidence": false
+ },
+ "source_role": "LEGAL_BASIS",
+ "legal_basis": [
+ {
+ "source": "CRA",
+ "anchor": "Annex I (1)(2)(a)",
+ "citation": "Bereitstellung ohne bekannte ausnutzbare Schwachstellen / minimierte Angriffsflaeche"
+ }
+ ],
+ "guidance_basis": [],
+ "member_review_units": [
+ "M15",
+ "M20",
+ "M10"
+ ],
+ "member_controls": [
+ "DATA-4692-A04",
+ "LOG-1170-A08",
+ "LOG-1495-A07",
+ "NET-1363",
+ "NET-1626-A10",
+ "NET-1855",
+ "NET-1855-A04",
+ "NET-1855-A10",
+ "NET-908-A02",
+ "NET-942",
+ "NET-942-A02",
+ "SEC-476",
+ "SEC-5787-A02",
+ "SEC-6930",
+ "SEC-8327",
+ "SEC-8327-A01",
+ "SEC-8327-A02",
+ "SEC-8327-A08",
+ "SEC-8507-A01"
+ ],
+ "member_count": 19,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.83,
+ "source_meta_cluster": "M15",
+ "cluster_size": 6,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "remote_access_vuln_patch_mgmt",
+ "name": "Schwachstellen- und Patchmanagement fuer Fernwartungssoftware",
+ "description": "Schwachstellen in Fernwartungssoftware sind zu beobachten und regelmaessige Patch-/Updatezyklen sicherzustellen; Penetrationstests der Fernwartungsschnittstellen.",
+ "tier": "LEGAL_MINIMUM",
+ "subdomain": "vulnerability_management",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": true,
+ "evidence": true
+ },
+ "source_role": "LEGAL_BASIS",
+ "legal_basis": [
+ {
+ "source": "CRA",
+ "anchor": "Annex I (2)(1)",
+ "citation": "Behandlung und Behebung von Schwachstellen, Sicherheitsupdates"
+ }
+ ],
+ "guidance_basis": [
+ {
+ "source": "OWASP",
+ "anchor": "ASVS",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M15",
+ "M20",
+ "M14"
+ ],
+ "member_controls": [
+ "NET-1237",
+ "NET-1343",
+ "NET-1363",
+ "NET-1364",
+ "NET-1855",
+ "NET-1855-A04",
+ "NET-1855-A10",
+ "NET-942",
+ "NET-942-A02",
+ "SEC-476",
+ "SEC-4872-A13",
+ "SEC-5787-A02",
+ "SEC-5858-A08",
+ "SEC-8327",
+ "SEC-8327-A01",
+ "SEC-8327-A02",
+ "SEC-8327-A08"
+ ],
+ "member_count": 17,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.82,
+ "source_meta_cluster": "M15",
+ "cluster_size": 6,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access",
+ "cross_family_ref": "vuln-Familie (cra.json)"
+ },
+ {
+ "id": "remote_access_threat_detection",
+ "name": "Erkennung von Bedrohungen bei Fernzugriff",
+ "description": "Erkennungsmechanismen fuer Remote Access Trojans und verdaechtige Remote-Zugriffsmuster (EDR-Logs, APT-Abwehr).",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "detection",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": false,
+ "capability": true,
+ "evidence": true
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "SP 800-94",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M20"
+ ],
+ "member_controls": [
+ "NET-1855",
+ "NET-1855-A04",
+ "NET-1855-A10",
+ "NET-942",
+ "NET-942-A02",
+ "SEC-5787-A02"
+ ],
+ "member_count": 6,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.79,
+ "source_meta_cluster": "M20",
+ "cluster_size": 6,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "remote_maintenance_governance",
+ "name": "Governance externer Fernwartung",
+ "description": "Permanente Fernwartung durch externe Dienstleister erfordert Genehmigung, Zeitbegrenzung, vertragliche Regelung und Dokumentation (inkl. Auftragsverarbeitung).",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "maintenance_governance",
+ "applicability": "conditional:external_maintenance_provider",
+ "evidence_facets": {
+ "governance": true,
+ "capability": false,
+ "evidence": true
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "BSI",
+ "anchor": "IT-Grundschutz OPS.2.3",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M18",
+ "M10",
+ "M9"
+ ],
+ "member_controls": [
+ "DATA-4409",
+ "DATA-4692-A04",
+ "GOV-524",
+ "GOV-524-A12",
+ "LOG-1170-A08",
+ "LOG-1495-A07",
+ "NET-1626-A03",
+ "NET-1626-A10",
+ "NET-1760-A05",
+ "NET-908-A02",
+ "SEC-3855",
+ "SEC-3855-A02",
+ "SEC-6712",
+ "SEC-6712-A02",
+ "SEC-6930",
+ "SEC-8507-A01"
+ ],
+ "member_count": 16,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "curated_retier_mechanism",
+ "provenance": {
+ "discovery_confidence": 0.8,
+ "source_meta_cluster": "M18",
+ "cluster_size": 6,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "temporary_remote_access_mgmt",
+ "name": "Verwaltung temporaerer Fernzugriffe",
+ "description": "Temporaere Fernzugriffe sind sicher zu verwalten, zeitlich zu begrenzen und nach Nutzung zu entziehen.",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "access_control",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": true,
+ "evidence": false
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "AC-2(5)",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M14"
+ ],
+ "member_controls": [
+ "NET-1237",
+ "NET-1343",
+ "NET-1364",
+ "SEC-4872-A13",
+ "SEC-5858-A08"
+ ],
+ "member_count": 5,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "curated_retier_mechanism",
+ "provenance": {
+ "discovery_confidence": 0.78,
+ "source_meta_cluster": "M14",
+ "cluster_size": 5,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "remote_access_data_export_protection",
+ "name": "Schutz von Datenexport ueber Support-Fernzugriff",
+ "description": "Download-/Export-Einschraenkungen bei Fernzugriff; Datenexport ueber Support-Fernzugriff technisch verhindern, insb. EU-Kundendaten.",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "data_protection",
+ "applicability": "conditional:support_remote_access_to_customer_data",
+ "evidence_facets": {
+ "governance": true,
+ "capability": true,
+ "evidence": false
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "AC-4",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M17",
+ "M2"
+ ],
+ "member_controls": [
+ "AUTH-2461-A05",
+ "AUTH-3915-A07",
+ "AUTH-3980-A05",
+ "AUTH-894-A03",
+ "AUTH-894-A08",
+ "AUTH-894-A14",
+ "AUTH-894-A19",
+ "AUTH-894-A24",
+ "CRYP-1700",
+ "CRYP-1938-A02",
+ "NET-082-A05",
+ "NET-082-A17",
+ "NET-082-A18",
+ "NET-1547",
+ "NET-1547-A01",
+ "NET-1547-A03",
+ "NET-1787",
+ "NET-1787-A11",
+ "NET-375-A07",
+ "SEC-3870",
+ "SEC-6795-A02",
+ "SEC-8334-A06"
+ ],
+ "member_count": 22,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "curated_retier_mechanism",
+ "provenance": {
+ "discovery_confidence": 0.77,
+ "source_meta_cluster": "M17",
+ "cluster_size": 3,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "component_remote_interface_security",
+ "name": "Sicherheit von Komponenten mit Fernzugriffsschnittstellen",
+ "description": "Komponenten mit Fernzugriffs- oder lokalen IT-Schnittstellen sind hinsichtlich Sicherheit zu pruefen und abzusichern.",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "product_security",
+ "applicability": "conditional:component_with_remote_interface",
+ "evidence_facets": {
+ "governance": false,
+ "capability": true,
+ "evidence": false
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "NIST",
+ "anchor": "CM-7",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M4"
+ ],
+ "member_controls": [
+ "COMP-1727-A01",
+ "NET-925-A04",
+ "SEC-3155-A02"
+ ],
+ "member_count": 3,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "curated_retier_mechanism",
+ "provenance": {
+ "discovery_confidence": 0.75,
+ "source_meta_cluster": "M4",
+ "cluster_size": 3,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ },
+ {
+ "id": "remote_access_fallback_concept",
+ "name": "Betriebskonzept mit Fallback fuer Fernzugriff",
+ "description": "Betriebskonzept mit Fallback-Szenarien und alternativen Kommunikationswegen bei Ausfall des Fernzugriffs.",
+ "tier": "BEST_PRACTICE",
+ "subdomain": "resilience",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": false,
+ "evidence": false
+ },
+ "source_role": "GUIDANCE",
+ "legal_basis": [],
+ "guidance_basis": [
+ {
+ "source": "ISO",
+ "anchor": "ISO/IEC 27001 A.5.30",
+ "role": "best_practice"
+ }
+ ],
+ "member_review_units": [
+ "M24"
+ ],
+ "member_controls": [
+ "SEC-3867-A01",
+ "SEC-3867-A02",
+ "SEC-7969"
+ ],
+ "member_count": 3,
+ "relationships": [],
+ "citation_anchor_ids": [],
+ "citation_status": "pending_span_anchor",
+ "review_status": "draft",
+ "provenance": {
+ "discovery_confidence": 0.72,
+ "source_meta_cluster": "M24",
+ "cluster_size": 3,
+ "llm_model": "claude-opus-4-8",
+ "synthesis_version": "v1"
+ },
+ "family": "remote_access"
+ }
+ ],
+ "relationships": [
+ {
+ "type": "supports",
+ "from": "remote_access_encryption",
+ "to": "remote_access_confidentiality_integrity",
+ "note": "Verschluesselung realisiert Vertraulichkeit/Integritaet"
+ },
+ {
+ "type": "supports",
+ "from": "remote_access_mfa",
+ "to": "remote_access_control_least_privilege",
+ "note": "MFA unterstuetzt Zugriffskontrolle"
+ },
+ {
+ "type": "implements",
+ "from": "reject_insecure_remote_protocols",
+ "to": "remote_access_encryption",
+ "note": "Verbot unsicherer Protokolle setzt Verschluesselungspflicht durch"
+ },
+ {
+ "type": "produces_evidence_for",
+ "from": "remote_access_logging_audit",
+ "to": "remote_maintenance_governance",
+ "note": "Logs belegen genehmigte Fernwartung"
+ },
+ {
+ "type": "supports",
+ "from": "remote_access_threat_detection",
+ "to": "remote_access_logging_audit",
+ "note": "Detection nutzt Logdaten"
+ },
+ {
+ "type": "supports",
+ "from": "remote_access_architecture_design",
+ "to": "remote_access_control_least_privilege",
+ "note": "Zero-Trust/Segmentierung unterstuetzt Least Privilege"
+ },
+ {
+ "type": "depends_on",
+ "from": "temporary_remote_access_mgmt",
+ "to": "remote_maintenance_governance",
+ "note": "Temporaere Zugriffe oft fuer externe Wartung"
+ },
+ {
+ "type": "supports",
+ "from": "remote_session_management",
+ "to": "remote_access_control_least_privilege",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "implements",
+ "from": "remote_access_encryption",
+ "to": "remote_access_confidentiality_integrity",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "supports",
+ "from": "reject_insecure_remote_protocols",
+ "to": "remote_access_confidentiality_integrity",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "supports",
+ "from": "remote_access_user_validation_ot",
+ "to": "remote_access_control_least_privilege",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "supports",
+ "from": "remote_maintenance_governance",
+ "to": "remote_access_control_least_privilege",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "supports",
+ "from": "temporary_remote_access_mgmt",
+ "to": "remote_access_control_least_privilege",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "supports",
+ "from": "remote_access_data_export_protection",
+ "to": "remote_access_confidentiality_integrity",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "supports",
+ "from": "component_remote_interface_security",
+ "to": "remote_access_attack_surface_min",
+ "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
+ },
+ {
+ "type": "out_of_scope",
+ "review_units": [
+ "M5",
+ "M11"
+ ],
+ "note": "Physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen-Sicherheit (MaschinenVO 2023/1230), keine Cybersecurity-Fernwartung"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/obligations/cra_updates.json b/obligations/cra_updates.json
new file mode 100644
index 00000000..ee801ba3
--- /dev/null
+++ b/obligations/cra_updates.json
@@ -0,0 +1,1816 @@
+{
+ "schema_version": "obligation_registry_v1",
+ "regulation": "CRA",
+ "regulation_code": "CRA",
+ "family": "updates",
+ "theme": "Security Updates / Patch Management (CRA Annex I (2)(c), Art 13)",
+ "generated_by": "obligation_discovery/claude-opus-4-8",
+ "synthesis_version": "v1",
+ "citation_status": "pending_span_anchor",
+ "curation": {
+ "curated_by": "obligation-registry-session 2026-06-25",
+ "method": "two-stage clustering (670->318 micro->15 review-units) -> Opus synthesis -> LIGHT review (keine Hart-Re-Tier)",
+ "scope_controls": 670,
+ "micro_clusters": 318,
+ "review_units": 15,
+ "obligations": 9,
+ "tier_split": {
+ "LEGAL_MINIMUM": 6,
+ "BEST_PRACTICE": 3
+ },
+ "out_of_scope": [
+ "M4 (allg. digitale Veraenderungen)",
+ "M7 (TLS-Proxy-Kanalverwaltung)"
+ ],
+ "tiering_note": "Synthese DIESMAL gut kalibriert (6 LM / 3 BP) -> KEINE Hart-Kuration noetig (vs Auth 14->6, Remote-Access 14->5). LM mehrheitlich echte CRA-Update-Outcomes: provide_security_updates ((2)(c)/Art13) · support_period_maintenance (Art13(8)) · automatic_updates_optout (steht WOERTLICH in (2)(c): Auto-Updates als Default mit Opt-out) · update_risk_assessment.",
+ "borderline_deferred": "signed_update_integrity + trusted_update_source = OUTCOME(Integritaet/Authentizitaet)+MECHANISMUS(Signatur/Quelle)-Mischung. Tier-Linie im Cross-Domain-Review final ziehen, NICHT jetzt (User-Methodik: borderline nicht vorzeitig tiern).",
+ "capability_candidates": [
+ "signed_update_integrity",
+ "trusted_update_source",
+ "automatic_updates_optout",
+ "update_rollback",
+ "update_testing_validation"
+ ],
+ "capability_signal": "STARKES Signal fuer die Capability-Hypothese: signed/trusted/automatic/rollback/testing sind technische FAEHIGKEITEN, die das eine LM-Outcome provide_security_updates erfuellen. Das LLM tiert sie INKONSISTENT (signed/trusted/automatic->LM, rollback/testing->BP), genau weil Outcome vs Capability nicht sauber trennbar ist (User-Diagnose). Phase 4: Regulation->Obligation->CAPABILITY->Procedure->Control->Evidence.",
+ "anchor_quality": "Anker approximativ (Opus): '(1)(3)(f)'/'(1)(3)(d)' entsprechen keiner exakten CRA-Annex-I-Struktur (Part I (2) hat Buchstaben a-m, kein Punkt (3)). support_period korrekt Art 13(8); provide_security_updates korrekt (2)(c). Span-genau mit Re-Ingest. NICHT auf Anker joinen."
+ },
+ "obligations": [
+ {
+ "id": "provide_security_updates",
+ "name": "Bereitstellung von Sicherheitsupdates",
+ "description": "Hersteller stellen wirksame Sicherheitsupdates und Patches zur Behebung von Schwachstellen ueber den gesamten Support-Zeitraum regelmaessig und kostenlos bereit, inkl. strukturiertem Patch-Management-Verfahren.",
+ "tier": "LEGAL_MINIMUM",
+ "subdomain": "patch_provisioning",
+ "applicability": "universal",
+ "evidence_facets": {
+ "governance": true,
+ "capability": true,
+ "evidence": true
+ },
+ "source_role": "LEGAL_BASIS",
+ "legal_basis": [
+ {
+ "source": "CRA",
+ "anchor": "Annex I (2)(c)",
+ "citation": "Schwachstellen durch Sicherheitsupdates ohne Verzug behandeln, einschliesslich automatischer Updates und Benachrichtigung."
+ },
+ {
+ "source": "CRA",
+ "anchor": "Art. 13",
+ "citation": "Pflicht zur Bereitstellung von Sicherheitsupdates waehrend des Support-Zeitraums."
+ } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-40 Patch Management", + "role": "best_practice" + }, + { + "source": "BSI", + "anchor": "OPS.1.1.3 Patch- und Aenderungsmanagement", + "role": "best_practice" + } + ], + "member_review_units": [ + "M0", + "M2", + "M6", + "M14" + ], + "member_controls": [ + "ACC-605-A06", + "ACC-650-A06", + "AI-1827-A04", + "AI-462-A06", + "AI-462-A07", + "AI-462-A17", + "AI-810-A12", + "AI-810-A19", + "AUTH-101-A19", + "AUTH-101-A22", + "AUTH-1086-A02", + "AUTH-1086-A04", + "AUTH-1090-A04", + "AUTH-1520-A03", + "AUTH-1538-A02", + "AUTH-1538-A03", + "AUTH-1538-A11", + "AUTH-1630-A03", + "AUTH-1630-A07", + "AUTH-1710-A03", + "AUTH-1742", + "AUTH-1742-A02", + "AUTH-1742-A03", + "AUTH-1742-A04", + "AUTH-1742-A05", + "AUTH-1742-A06", + "AUTH-1742-A07", + "AUTH-1746", + "AUTH-182", + "AUTH-187-A05", + "AUTH-1925-A02", + "AUTH-1925-A06", + "AUTH-197-A13", + "AUTH-2480", + "AUTH-2543", + "AUTH-2563-A01", + "AUTH-2563-A02", + "AUTH-2679-A08", + "AUTH-2868", + "AUTH-2913-A08", + "AUTH-2942", + "AUTH-2942-A01", + "AUTH-2942-A06", + "AUTH-2959", + "AUTH-2998-A01", + "AUTH-2998-A04", + "AUTH-2998-A08", + "AUTH-3009-A15", + "AUTH-3169-A01", + "AUTH-3169-A07", + "AUTH-3649-A09", + "AUTH-3704-A03", + "AUTH-3704-A04", + "AUTH-3823", + "AUTH-3960", + "AUTH-3961-A01", + "AUTH-3974-A07", + "AUTH-4034", + "AUTH-4034-A01", + "AUTH-4034-A04", + "AUTH-4048-A02", + "AUTH-513", + "COMP-074-A05", + "COMP-1052", + "COMP-1123-A06", + "COMP-1261-A01", + "COMP-1907-A08", + "COMP-2768-A01", + "COMP-2969-A01", + "COMP-2969-A02", + "COMP-2969-A05", + "COMP-2969-A06", + "COMP-2969-A07", + "COMP-2970-A03", + "COMP-2970-A04", + "COMP-2970-A05", + "COMP-2991-A09", + "COMP-3030-A09", + "COMP-3360-A04", + "COMP-3411-A04", + "COMP-3411-A07", + "COMP-3548-A07", + "COMP-3990-A01", + "COMP-4063-A10", + "COMP-4119", + "COMP-652", + "COMP-652-A01", + "COMP-652-A05", + "COMP-995-A14", + "COMP-995-A15", + "CRYP-1332", + "CRYP-1332-A03", + "CRYP-1624", + 
"CRYP-1805-A06", + "CRYP-1805-A12", + "CRYP-1886-A03", + "CRYP-2073-A03", + "CRYP-2289-A10", + "CRYP-2359-A02", + "CRYP-2359-A07", + "CRYP-2361-A12", + "CRYP-415-A07", + "CRYP-415-A30", + "CRYP-415-A41", + "CRYP-415-A49", + "CRYP-723-A14", + "CRYP-882-A05", + "CRYP-882-A06", + "CRYP-882-A14", + "CRYP-882-A15", + "CRYP-898-A03", + "DATA-1435-A10", + "DATA-1435-A11", + "DATA-2374-A06", + "DATA-2486-A02", + "DATA-265-A07", + "DATA-3995-A04", + "DATA-4193-A01", + "DATA-4193-A07", + "DATA-4674-A07", + "DATA-4679", + "DATA-673-A05", + "DATA-673-A10", + "GOV-2281-A04", + "GOV-2540-A07", + "GOV-3106-A03", + "GOV-3108-A01", + "GOV-3108-A05", + "HLT-018-A13", + "HLT-114-A05", + "HLT-114-A41", + "HLT-372-A03", + "HLT-519-A04", + "HLT-519-A09", + "INC-241", + "LOG-1409-A04", + "LOG-1410", + "LOG-1410-A10", + "LOG-1511-A10", + "LOG-1547-A11", + "LOG-1730-A05", + "LOG-1730-A09", + "LOG-1741-A01", + "LOG-1741-A02", + "LOG-1741-A05", + "LOG-1741-A06", + "LOG-1741-A08", + "LOG-1749", + "LOG-1759-A13", + "LOG-1760", + "LOG-1760-A01", + "LOG-1760-A06", + "LOG-1770-A06", + "LOG-1774-A06", + "LOG-1774-A11", + "LOG-1838-A06", + "LOG-2074-A06", + "LOG-2074-A09", + "LOG-2075", + "LOG-2078", + "LOG-2078-A03", + "LOG-903-A06", + "LOG-904-A02", + "NET-077-A05", + "NET-077-A23", + "NET-1196-A12", + "NET-1196-A13", + "NET-125-A09", + "NET-125-A17", + "NET-1306-A04", + "NET-1317-A02", + "NET-1351-A10", + "NET-1465-A05", + "NET-1482-A12", + "NET-1494-A12", + "NET-1626-A12", + "NET-1637-A03", + "NET-1744", + "NET-1744-A01", + "NET-1841-A04", + "NET-1841-A05", + "NET-1856-A02", + "NET-1858-A02", + "NET-1864-A09", + "NET-1864-A13", + "NET-1868", + "NET-1868-A07", + "NET-248-A06", + "NET-248-A12", + "NET-373-A02", + "NET-373-A10", + "NET-476-A14", + "NET-476-A83", + "NET-892-A04", + "NET-904-A05", + "NET-981-A01", + "NET-981-A09", + "NET-981-A10", + "OPS-003", + "OPS-003-A01", + "OPS-003-A02", + "OPS-003-A05", + "OPS-003-A06", + "OPS-003-A09", + "PCM-003", + "PCM-003-A01", + "PCM-003-A02", + 
"SEC-1041", + "SEC-1041-A01", + "SEC-1041-A02", + "SEC-1041-A03", + "SEC-1041-A04", + "SEC-1041-A05", + "SEC-1041-A06", + "SEC-1041-A07", + "SEC-1042", + "SEC-1042-A01", + "SEC-1042-A02", + "SEC-1042-A03", + "SEC-1042-A04", + "SEC-1042-A06", + "SEC-110-A02", + "SEC-110-A03", + "SEC-110-A06", + "SEC-120-A07", + "SEC-120-A18", + "SEC-1218-A03", + "SEC-1218-A12", + "SEC-1243-A03", + "SEC-1243-A04", + "SEC-1247-A02", + "SEC-1252", + "SEC-1254-A04", + "SEC-1254-A07", + "SEC-126", + "SEC-126-A05", + "SEC-132", + "SEC-132-A05", + "SEC-132-A12", + "SEC-150", + "SEC-171-A10", + "SEC-171-A28", + "SEC-171-A41", + "SEC-179-A02", + "SEC-179-A07", + "SEC-182-A01", + "SEC-182-A12", + "SEC-195-A07", + "SEC-195-A13", + "SEC-279-A05", + "SEC-279-A10", + "SEC-295", + "SEC-3019-A01", + "SEC-3150-A02", + "SEC-3150-A03", + "SEC-3166-A01", + "SEC-3166-A05", + "SEC-3166-A06", + "SEC-3167-A01", + "SEC-3167-A02", + "SEC-3169-A03", + "SEC-3175", + "SEC-3175-A01", + "SEC-3175-A04", + "SEC-3175-A06", + "SEC-3175-A10", + "SEC-3325-A08", + "SEC-339-A08", + "SEC-339-A09", + "SEC-339-A19", + "SEC-342-A10", + "SEC-342-A26", + "SEC-349", + "SEC-3665", + "SEC-3665-A01", + "SEC-3665-A02", + "SEC-3665-A05", + "SEC-3676-A06", + "SEC-3680-A04", + "SEC-3680-A10", + "SEC-3719-A05", + "SEC-3725", + "SEC-3725-A01", + "SEC-3725-A02", + "SEC-3725-A03", + "SEC-3725-A04", + "SEC-3740-A02", + "SEC-3740-A05", + "SEC-3740-A06", + "SEC-3740-A07", + "SEC-376", + "SEC-3789-A01", + "SEC-3789-A02", + "SEC-3829-A01", + "SEC-3829-A02", + "SEC-3829-A03", + "SEC-3829-A04", + "SEC-3834-A01", + "SEC-3834-A02", + "SEC-3834-A03", + "SEC-3834-A04", + "SEC-3834-A06", + "SEC-3834-A07", + "SEC-3835-A04", + "SEC-3838-A01", + "SEC-3838-A02", + "SEC-3838-A07", + "SEC-3838-A08", + "SEC-3838-A09", + "SEC-3839-A04", + "SEC-3839-A07", + "SEC-3845-A10", + "SEC-3847", + "SEC-3847-A02", + "SEC-3847-A05", + "SEC-3858", + "SEC-3875-A05", + "SEC-3885-A01", + "SEC-3885-A02", + "SEC-3885-A04", + "SEC-3928", + "SEC-3928-A05", + "SEC-3928-A06", + 
"SEC-3931-A04", + "SEC-3931-A11", + "SEC-3936-A03", + "SEC-3949-A05", + "SEC-3963-A03", + "SEC-3963-A04", + "SEC-3963-A05", + "SEC-3963-A06", + "SEC-3970", + "SEC-3970-A03", + "SEC-3972-A01", + "SEC-3972-A02", + "SEC-3972-A06", + "SEC-3972-A07", + "SEC-3972-A09", + "SEC-3972-A10", + "SEC-3972-A13", + "SEC-3974-A06", + "SEC-3985-A02", + "SEC-3995", + "SEC-3995-A01", + "SEC-3995-A02", + "SEC-3995-A03", + "SEC-3995-A04", + "SEC-3995-A05", + "SEC-3999", + "SEC-3999-A01", + "SEC-3999-A03", + "SEC-4005-A01", + "SEC-4005-A02", + "SEC-4018-A03", + "SEC-4081-A02", + "SEC-4081-A03", + "SEC-4191", + "SEC-4191-A02", + "SEC-4195", + "SEC-4195-A02", + "SEC-4195-A08", + "SEC-4209-A03", + "SEC-445", + "SEC-4559-A01", + "SEC-4567-A01", + "SEC-4567-A06", + "SEC-462-A12", + "SEC-470", + "SEC-4945-A04", + "SEC-4966-A01", + "SEC-4966-A09", + "SEC-4970-A04", + "SEC-4970-A17", + "SEC-4988-A04", + "SEC-5109", + "SEC-5109-A01", + "SEC-5109-A02", + "SEC-5528", + "SEC-5528-A01", + "SEC-5532-A02", + "SEC-5541-A03", + "SEC-5640-A08", + "SEC-5640-A09", + "SEC-5748", + "SEC-5767-A02", + "SEC-5769-A05", + "SEC-5770", + "SEC-5804-A07", + "SEC-5818", + "SEC-5818-A10", + "SEC-5835", + "SEC-5835-A01", + "SEC-5835-A05", + "SEC-5850-A03", + "SEC-5850-A06", + "SEC-5851-A01", + "SEC-5851-A02", + "SEC-5851-A03", + "SEC-5851-A04", + "SEC-5851-A12", + "SEC-5908", + "SEC-5909", + "SEC-5912-A01", + "SEC-5912-A03", + "SEC-5921-A02", + "SEC-5921-A07", + "SEC-5923-A04", + "SEC-5923-A05", + "SEC-5924-A02", + "SEC-5925-A02", + "SEC-5930-A08", + "SEC-5931", + "SEC-5934-A04", + "SEC-5941-A02", + "SEC-5941-A03", + "SEC-5941-A06", + "SEC-5941-A07", + "SEC-5941-A08", + "SEC-5947-A06", + "SEC-5947-A07", + "SEC-5954-A04", + "SEC-6092-A03", + "SEC-6096-A03", + "SEC-6098", + "SEC-6105-A01", + "SEC-6105-A03", + "SEC-6105-A04", + "SEC-6105-A08", + "SEC-6105-A12", + "SEC-6224", + "SEC-6431-A07", + "SEC-6431-A08", + "SEC-6440-A02", + "SEC-6815-A03", + "SEC-6889-A01", + "SEC-6890-A01", + "SEC-691", + "SEC-6913-A02", + 
"SEC-6918", + "SEC-6928-A04", + "SEC-6928-A10", + "SEC-6928-A13", + "SEC-6991-A01", + "SEC-6993-A01", + "SEC-6996", + "SEC-7016", + "SEC-7018-A05", + "SEC-7024-A02", + "SEC-7026-A01", + "SEC-7026-A06", + "SEC-7037-A04", + "SEC-7037-A06", + "SEC-7044", + "SEC-7049", + "SEC-7056-A05", + "SEC-7056-A10", + "SEC-7056-A11", + "SEC-7060-A02", + "SEC-7060-A07", + "SEC-7067-A01", + "SEC-7077", + "SEC-7077-A01", + "SEC-7082-A01", + "SEC-7084", + "SEC-7097-A01", + "SEC-710", + "SEC-7100-A01", + "SEC-7109-A01", + "SEC-7109-A06", + "SEC-7110-A01", + "SEC-7113", + "SEC-7117-A02", + "SEC-7117-A08", + "SEC-7128-A07", + "SEC-7237-A03", + "SEC-7577-A02", + "SEC-7581-A01", + "SEC-7621-A04", + "SEC-7678", + "SEC-7803-A08", + "SEC-8324", + "SEC-8324-A09", + "SEC-8326", + "SEC-8326-A01", + "SEC-8326-A02", + "SEC-8326-A06", + "SEC-8326-A07", + "SEC-8327-A01", + "SEC-8334-A01", + "SEC-8334-A02", + "SEC-8334-A10", + "SEC-8801-A05", + "SEC-8801-A08", + "SEC-8801-A09", + "SEC-8801-A10", + "SEC-8806", + "SEC-8829-A03", + "SEC-8839", + "SEC-8842", + "SEC-8842-A01", + "SEC-8842-A03", + "SEC-8842-A04", + "SEC-8842-A05", + "SEC-8842-A08", + "SEC-8842-A09", + "SEC-8842-A10", + "SEC-8842-A11", + "SEC-8842-A12", + "SEC-8842-A14", + "SEC-8871", + "SEC-8871-A01", + "SEC-8871-A04", + "SEC-8871-A06", + "SEC-8871-A07", + "SEC-8871-A08", + "SEC-8871-A09", + "SEC-8880", + "SEC-8888-A01", + "SEC-8888-A11", + "SEC-8923", + "SEC-8991-A02", + "SEC-8991-A09", + "SEC-8997", + "SEC-8997-A03", + "SEC-8998-A02", + "SEC-8998-A04", + "SEC-8999", + "SEC-8999-A01", + "SEC-8999-A03", + "SEC-8999-A06", + "SEC-9002-A01", + "SEC-9002-A06", + "SEC-9003", + "SEC-9003-A01", + "SEC-9007", + "SEC-9007-A02", + "SEC-9007-A05", + "SEC-9009-A03", + "SEC-9009-A04", + "SEC-9009-A05", + "SEC-9009-A06", + "SEC-9019-A04", + "SEC-9027", + "SEC-9029", + "SEC-9033-A01", + "SEC-9033-A02", + "SEC-9033-A04", + "SEC-9033-A05", + "SEC-9033-A06", + "SEC-9035-A01", + "SEC-9035-A06", + "SEC-9036", + "SEC-9039", + "SEC-9039-A01", + "SEC-9039-A04", 
+ "SEC-9045-A06", + "SEC-9055", + "SEC-9055-A01", + "SEC-9062-A04", + "SEC-9073-A10", + "SEC-9107", + "SEC-9107-A02", + "SEC-9107-A03", + "SEC-9110-A04", + "SEC-9115", + "SEC-9116-A01", + "SEC-9116-A02", + "SEC-9116-A03", + "SEC-9116-A04", + "SEC-9129", + "SEC-9129-A07", + "SEC-9129-A08", + "SEC-9129-A09", + "SEC-9135-A09", + "SYS-002", + "SYS-002-A05", + "VUL-001", + "VUL-001-A05" + ], + "member_count": 578, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.95, + "source_meta_cluster": "M0", + "cluster_size": 574, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates" + }, + { + "id": "support_period_maintenance", + "name": "Wartung waehrend des Support-Zeitraums", + "description": "Festlegung und Umsetzung von Wartungs- und Pflegemassnahmen inkl. Haeufigkeit ueber den definierten Support-Zeitraum.", + "tier": "LEGAL_MINIMUM", + "subdomain": "support_period", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Art. 13(8)", + "citation": "Bestimmung des Support-Zeitraums entsprechend der erwarteten Nutzungsdauer." 
+ } + ], + "guidance_basis": [], + "member_review_units": [ + "M0" + ], + "member_controls": [ + "ACC-605-A06", + "ACC-650-A06", + "AI-1827-A04", + "AI-462-A06", + "AI-462-A07", + "AI-462-A17", + "AI-810-A12", + "AI-810-A19", + "AUTH-101-A19", + "AUTH-101-A22", + "AUTH-1086-A02", + "AUTH-1086-A04", + "AUTH-1090-A04", + "AUTH-1520-A03", + "AUTH-1538-A02", + "AUTH-1538-A03", + "AUTH-1538-A11", + "AUTH-1630-A03", + "AUTH-1630-A07", + "AUTH-1710-A03", + "AUTH-1742", + "AUTH-1742-A02", + "AUTH-1742-A03", + "AUTH-1742-A04", + "AUTH-1742-A05", + "AUTH-1742-A06", + "AUTH-1742-A07", + "AUTH-1746", + "AUTH-182", + "AUTH-187-A05", + "AUTH-1925-A02", + "AUTH-1925-A06", + "AUTH-197-A13", + "AUTH-2480", + "AUTH-2543", + "AUTH-2563-A01", + "AUTH-2563-A02", + "AUTH-2679-A08", + "AUTH-2913-A08", + "AUTH-2942", + "AUTH-2942-A01", + "AUTH-2942-A06", + "AUTH-2959", + "AUTH-2998-A01", + "AUTH-2998-A04", + "AUTH-2998-A08", + "AUTH-3009-A15", + "AUTH-3169-A01", + "AUTH-3169-A07", + "AUTH-3649-A09", + "AUTH-3704-A03", + "AUTH-3704-A04", + "AUTH-3823", + "AUTH-3960", + "AUTH-3961-A01", + "AUTH-3974-A07", + "AUTH-4034", + "AUTH-4034-A01", + "AUTH-4034-A04", + "AUTH-4048-A02", + "AUTH-513", + "COMP-074-A05", + "COMP-1052", + "COMP-1123-A06", + "COMP-1261-A01", + "COMP-1907-A08", + "COMP-2768-A01", + "COMP-2969-A01", + "COMP-2969-A02", + "COMP-2969-A05", + "COMP-2969-A06", + "COMP-2969-A07", + "COMP-2970-A03", + "COMP-2970-A04", + "COMP-2970-A05", + "COMP-2991-A09", + "COMP-3030-A09", + "COMP-3360-A04", + "COMP-3411-A04", + "COMP-3411-A07", + "COMP-3548-A07", + "COMP-3990-A01", + "COMP-4063-A10", + "COMP-4119", + "COMP-652", + "COMP-652-A01", + "COMP-652-A05", + "COMP-995-A14", + "COMP-995-A15", + "CRYP-1332", + "CRYP-1332-A03", + "CRYP-1805-A06", + "CRYP-1805-A12", + "CRYP-1886-A03", + "CRYP-2073-A03", + "CRYP-2289-A10", + "CRYP-2359-A02", + "CRYP-2359-A07", + "CRYP-2361-A12", + "CRYP-415-A07", + "CRYP-415-A30", + "CRYP-415-A41", + "CRYP-415-A49", + "CRYP-723-A14", + "CRYP-882-A05", + 
"CRYP-882-A06", + "CRYP-882-A14", + "CRYP-882-A15", + "CRYP-898-A03", + "DATA-1435-A10", + "DATA-1435-A11", + "DATA-2374-A06", + "DATA-2486-A02", + "DATA-265-A07", + "DATA-3995-A04", + "DATA-4193-A01", + "DATA-4193-A07", + "DATA-4674-A07", + "DATA-4679", + "DATA-673-A05", + "DATA-673-A10", + "GOV-2281-A04", + "GOV-2540-A07", + "GOV-3106-A03", + "GOV-3108-A01", + "GOV-3108-A05", + "HLT-018-A13", + "HLT-114-A05", + "HLT-114-A41", + "HLT-372-A03", + "HLT-519-A04", + "HLT-519-A09", + "INC-241", + "LOG-1409-A04", + "LOG-1410", + "LOG-1410-A10", + "LOG-1511-A10", + "LOG-1547-A11", + "LOG-1730-A05", + "LOG-1730-A09", + "LOG-1741-A01", + "LOG-1741-A02", + "LOG-1741-A05", + "LOG-1741-A06", + "LOG-1741-A08", + "LOG-1749", + "LOG-1759-A13", + "LOG-1760", + "LOG-1760-A01", + "LOG-1760-A06", + "LOG-1770-A06", + "LOG-1774-A06", + "LOG-1774-A11", + "LOG-1838-A06", + "LOG-2074-A06", + "LOG-2074-A09", + "LOG-2075", + "LOG-2078", + "LOG-2078-A03", + "LOG-903-A06", + "LOG-904-A02", + "NET-077-A05", + "NET-077-A23", + "NET-1196-A12", + "NET-1196-A13", + "NET-125-A09", + "NET-125-A17", + "NET-1306-A04", + "NET-1317-A02", + "NET-1351-A10", + "NET-1465-A05", + "NET-1482-A12", + "NET-1494-A12", + "NET-1626-A12", + "NET-1637-A03", + "NET-1744", + "NET-1744-A01", + "NET-1841-A04", + "NET-1841-A05", + "NET-1856-A02", + "NET-1858-A02", + "NET-1864-A09", + "NET-1864-A13", + "NET-1868", + "NET-1868-A07", + "NET-248-A06", + "NET-248-A12", + "NET-373-A02", + "NET-373-A10", + "NET-476-A14", + "NET-476-A83", + "NET-892-A04", + "NET-904-A05", + "NET-981-A01", + "NET-981-A09", + "NET-981-A10", + "OPS-003", + "OPS-003-A01", + "OPS-003-A02", + "OPS-003-A05", + "OPS-003-A06", + "OPS-003-A09", + "PCM-003", + "PCM-003-A01", + "PCM-003-A02", + "SEC-1041", + "SEC-1041-A01", + "SEC-1041-A02", + "SEC-1041-A03", + "SEC-1041-A04", + "SEC-1041-A05", + "SEC-1041-A06", + "SEC-1041-A07", + "SEC-1042", + "SEC-1042-A01", + "SEC-1042-A02", + "SEC-1042-A03", + "SEC-1042-A04", + "SEC-1042-A06", + "SEC-110-A02", + 
"SEC-110-A03", + "SEC-110-A06", + "SEC-120-A07", + "SEC-120-A18", + "SEC-1218-A03", + "SEC-1218-A12", + "SEC-1243-A03", + "SEC-1243-A04", + "SEC-1247-A02", + "SEC-1252", + "SEC-1254-A04", + "SEC-1254-A07", + "SEC-126", + "SEC-126-A05", + "SEC-132", + "SEC-132-A05", + "SEC-132-A12", + "SEC-150", + "SEC-171-A10", + "SEC-171-A28", + "SEC-171-A41", + "SEC-179-A02", + "SEC-179-A07", + "SEC-182-A01", + "SEC-182-A12", + "SEC-195-A07", + "SEC-195-A13", + "SEC-279-A05", + "SEC-279-A10", + "SEC-295", + "SEC-3019-A01", + "SEC-3150-A02", + "SEC-3150-A03", + "SEC-3166-A01", + "SEC-3166-A05", + "SEC-3166-A06", + "SEC-3167-A01", + "SEC-3167-A02", + "SEC-3169-A03", + "SEC-3175", + "SEC-3175-A01", + "SEC-3175-A04", + "SEC-3175-A06", + "SEC-3175-A10", + "SEC-3325-A08", + "SEC-339-A08", + "SEC-339-A09", + "SEC-339-A19", + "SEC-342-A10", + "SEC-342-A26", + "SEC-349", + "SEC-3665", + "SEC-3665-A01", + "SEC-3665-A02", + "SEC-3665-A05", + "SEC-3676-A06", + "SEC-3680-A04", + "SEC-3680-A10", + "SEC-3719-A05", + "SEC-3725", + "SEC-3725-A01", + "SEC-3725-A02", + "SEC-3725-A03", + "SEC-3725-A04", + "SEC-3740-A02", + "SEC-3740-A05", + "SEC-3740-A06", + "SEC-3740-A07", + "SEC-376", + "SEC-3789-A01", + "SEC-3789-A02", + "SEC-3829-A01", + "SEC-3829-A02", + "SEC-3829-A03", + "SEC-3829-A04", + "SEC-3834-A01", + "SEC-3834-A02", + "SEC-3834-A03", + "SEC-3834-A04", + "SEC-3834-A06", + "SEC-3834-A07", + "SEC-3835-A04", + "SEC-3838-A01", + "SEC-3838-A02", + "SEC-3838-A07", + "SEC-3838-A08", + "SEC-3838-A09", + "SEC-3839-A04", + "SEC-3839-A07", + "SEC-3845-A10", + "SEC-3847", + "SEC-3847-A02", + "SEC-3847-A05", + "SEC-3858", + "SEC-3875-A05", + "SEC-3885-A01", + "SEC-3885-A02", + "SEC-3885-A04", + "SEC-3928", + "SEC-3928-A05", + "SEC-3928-A06", + "SEC-3931-A04", + "SEC-3931-A11", + "SEC-3936-A03", + "SEC-3949-A05", + "SEC-3963-A03", + "SEC-3963-A04", + "SEC-3963-A05", + "SEC-3963-A06", + "SEC-3970", + "SEC-3970-A03", + "SEC-3972-A01", + "SEC-3972-A02", + "SEC-3972-A06", + "SEC-3972-A07", + 
"SEC-3972-A09", + "SEC-3972-A10", + "SEC-3972-A13", + "SEC-3974-A06", + "SEC-3985-A02", + "SEC-3995", + "SEC-3995-A01", + "SEC-3995-A02", + "SEC-3995-A03", + "SEC-3995-A04", + "SEC-3995-A05", + "SEC-3999", + "SEC-3999-A01", + "SEC-3999-A03", + "SEC-4005-A01", + "SEC-4005-A02", + "SEC-4018-A03", + "SEC-4081-A02", + "SEC-4081-A03", + "SEC-4191", + "SEC-4191-A02", + "SEC-4195", + "SEC-4195-A02", + "SEC-4195-A08", + "SEC-4209-A03", + "SEC-445", + "SEC-4559-A01", + "SEC-4567-A01", + "SEC-4567-A06", + "SEC-462-A12", + "SEC-470", + "SEC-4945-A04", + "SEC-4966-A01", + "SEC-4966-A09", + "SEC-4970-A04", + "SEC-4970-A17", + "SEC-4988-A04", + "SEC-5109", + "SEC-5109-A01", + "SEC-5109-A02", + "SEC-5528", + "SEC-5528-A01", + "SEC-5532-A02", + "SEC-5541-A03", + "SEC-5640-A08", + "SEC-5640-A09", + "SEC-5748", + "SEC-5767-A02", + "SEC-5769-A05", + "SEC-5770", + "SEC-5804-A07", + "SEC-5818", + "SEC-5818-A10", + "SEC-5835", + "SEC-5835-A01", + "SEC-5835-A05", + "SEC-5850-A03", + "SEC-5850-A06", + "SEC-5851-A01", + "SEC-5851-A02", + "SEC-5851-A03", + "SEC-5851-A04", + "SEC-5851-A12", + "SEC-5908", + "SEC-5909", + "SEC-5912-A01", + "SEC-5912-A03", + "SEC-5921-A02", + "SEC-5921-A07", + "SEC-5923-A04", + "SEC-5923-A05", + "SEC-5924-A02", + "SEC-5925-A02", + "SEC-5930-A08", + "SEC-5931", + "SEC-5934-A04", + "SEC-5941-A02", + "SEC-5941-A03", + "SEC-5941-A06", + "SEC-5941-A07", + "SEC-5941-A08", + "SEC-5947-A06", + "SEC-5947-A07", + "SEC-5954-A04", + "SEC-6092-A03", + "SEC-6096-A03", + "SEC-6098", + "SEC-6105-A01", + "SEC-6105-A03", + "SEC-6105-A04", + "SEC-6105-A08", + "SEC-6105-A12", + "SEC-6224", + "SEC-6431-A07", + "SEC-6431-A08", + "SEC-6440-A02", + "SEC-6815-A03", + "SEC-6889-A01", + "SEC-6890-A01", + "SEC-691", + "SEC-6913-A02", + "SEC-6928-A04", + "SEC-6928-A10", + "SEC-6928-A13", + "SEC-6991-A01", + "SEC-6993-A01", + "SEC-6996", + "SEC-7016", + "SEC-7018-A05", + "SEC-7024-A02", + "SEC-7026-A01", + "SEC-7026-A06", + "SEC-7037-A04", + "SEC-7037-A06", + "SEC-7044", + "SEC-7049", + 
"SEC-7056-A05", + "SEC-7056-A10", + "SEC-7056-A11", + "SEC-7060-A02", + "SEC-7060-A07", + "SEC-7067-A01", + "SEC-7077", + "SEC-7077-A01", + "SEC-7082-A01", + "SEC-7084", + "SEC-7097-A01", + "SEC-710", + "SEC-7100-A01", + "SEC-7109-A01", + "SEC-7109-A06", + "SEC-7110-A01", + "SEC-7113", + "SEC-7117-A02", + "SEC-7117-A08", + "SEC-7128-A07", + "SEC-7237-A03", + "SEC-7577-A02", + "SEC-7581-A01", + "SEC-7621-A04", + "SEC-7678", + "SEC-7803-A08", + "SEC-8324", + "SEC-8324-A09", + "SEC-8326", + "SEC-8326-A01", + "SEC-8326-A02", + "SEC-8326-A06", + "SEC-8326-A07", + "SEC-8327-A01", + "SEC-8334-A01", + "SEC-8334-A02", + "SEC-8334-A10", + "SEC-8801-A05", + "SEC-8801-A08", + "SEC-8801-A09", + "SEC-8801-A10", + "SEC-8806", + "SEC-8829-A03", + "SEC-8839", + "SEC-8842", + "SEC-8842-A01", + "SEC-8842-A03", + "SEC-8842-A04", + "SEC-8842-A05", + "SEC-8842-A08", + "SEC-8842-A09", + "SEC-8842-A10", + "SEC-8842-A11", + "SEC-8842-A12", + "SEC-8842-A14", + "SEC-8871", + "SEC-8871-A01", + "SEC-8871-A04", + "SEC-8871-A06", + "SEC-8871-A07", + "SEC-8871-A08", + "SEC-8871-A09", + "SEC-8880", + "SEC-8888-A01", + "SEC-8888-A11", + "SEC-8923", + "SEC-8991-A02", + "SEC-8991-A09", + "SEC-8997", + "SEC-8997-A03", + "SEC-8998-A02", + "SEC-8998-A04", + "SEC-8999", + "SEC-8999-A01", + "SEC-8999-A03", + "SEC-8999-A06", + "SEC-9002-A01", + "SEC-9002-A06", + "SEC-9003", + "SEC-9003-A01", + "SEC-9007", + "SEC-9007-A02", + "SEC-9007-A05", + "SEC-9009-A03", + "SEC-9009-A04", + "SEC-9009-A05", + "SEC-9009-A06", + "SEC-9019-A04", + "SEC-9029", + "SEC-9033-A01", + "SEC-9033-A02", + "SEC-9033-A04", + "SEC-9033-A05", + "SEC-9033-A06", + "SEC-9035-A01", + "SEC-9035-A06", + "SEC-9036", + "SEC-9039", + "SEC-9039-A01", + "SEC-9039-A04", + "SEC-9045-A06", + "SEC-9055", + "SEC-9055-A01", + "SEC-9062-A04", + "SEC-9073-A10", + "SEC-9107", + "SEC-9107-A02", + "SEC-9107-A03", + "SEC-9110-A04", + "SEC-9115", + "SEC-9116-A01", + "SEC-9116-A02", + "SEC-9116-A03", + "SEC-9116-A04", + "SEC-9129", + "SEC-9129-A07", + 
"SEC-9129-A08", + "SEC-9129-A09", + "SEC-9135-A09", + "SYS-002", + "SYS-002-A05", + "VUL-001", + "VUL-001-A05" + ], + "member_count": 574, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M0", + "cluster_size": 574, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates" + }, + { + "id": "signed_update_integrity", + "name": "Signierte und integritaetsgeschuetzte Update-Pakete", + "description": "Update-Pakete werden digital signiert; Integritaet und Authentizitaet (inkl. Boot-/Firmware) werden vor der Installation verifiziert; unsignierte oder manipulierte Updates werden abgelehnt.", + "tier": "LEGAL_MINIMUM", + "subdomain": "update_integrity", + "applicability": "universal", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(3)(f)", + "citation": "Schutz der Integritaet von Daten, Befehlen und Konfigurationen vor Manipulation." 
+ } + ], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-147 BIOS Protection", + "role": "best_practice" + } + ], + "member_review_units": [ + "M8", + "M5", + "M11", + "M13" + ], + "member_controls": [ + "CRYP-127-A10", + "FWU-003", + "FWU-003-A01", + "FWU-003-A04", + "LOG-1782-A02", + "NET-981-A07", + "SEC-1083-A01", + "SEC-1083-A04", + "SEC-1083-A06", + "SEC-1083-A09", + "SEC-1083-A10", + "SEC-1170-A02", + "SEC-1170-A12", + "SEC-1170-A18", + "SEC-1170-A28", + "SEC-1170-A34", + "SEC-1170-A44", + "SEC-1170-A50", + "SEC-1170-A60", + "SEC-1170-A66", + "SEC-3150-A04", + "SEC-3169", + "SEC-3175-A07", + "SEC-3740-A01", + "SEC-3740-A03", + "SEC-3740-A04", + "SEC-3740-A08", + "SEC-3740-A09", + "SEC-3834", + "SEC-3838", + "SEC-3838-A10", + "SEC-3838-A11", + "SEC-3839", + "SEC-3854", + "SEC-3885", + "SEC-3885-A05", + "SEC-3933-A01", + "SEC-3936", + "SEC-3936-A01", + "SEC-3936-A02", + "SEC-3937-A01", + "SEC-3963", + "SEC-3963-A01", + "SEC-3972-A05", + "SEC-3972-A12", + "SEC-3999-A04", + "SEC-4005", + "SEC-4018-A02", + "SEC-6993-A02", + "SEC-7077-A03", + "SEC-7109", + "SEC-7109-A02", + "SEC-7621-A08", + "SEC-8998-A01", + "SEC-9002-A10", + "SEC-9007-A01", + "SEC-9007-A04", + "UPD-004-A07" + ], + "member_count": 58, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M8", + "cluster_size": 37, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "trusted_update_source", + "name": "Vertrauenswuerdige und zugriffsbeschraenkte Update-Quelle", + "description": "Firmware-/Software-Updates werden nur aus vertrauenswuerdigen Quellen bezogen; der Update-Bereitstellungskanal und die Quelle sind zugriffsbeschraenkt und abgesichert; Versions-Downgrades werden verhindert.", + "tier": "LEGAL_MINIMUM", + "subdomain": "update_channel_security", + 
"applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(3)(d)", + "citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen." + } + ], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "SYS.4.4 IoT", + "role": "best_practice" + } + ], + "member_review_units": [ + "M8", + "M13" + ], + "member_controls": [ + "FWU-003", + "FWU-003-A01", + "FWU-003-A04", + "LOG-1782-A02", + "SEC-1083-A01", + "SEC-1083-A04", + "SEC-1083-A06", + "SEC-1083-A09", + "SEC-1083-A10", + "SEC-3150-A04", + "SEC-3169", + "SEC-3175-A07", + "SEC-3740-A01", + "SEC-3740-A03", + "SEC-3740-A04", + "SEC-3740-A08", + "SEC-3740-A09", + "SEC-3834", + "SEC-3838", + "SEC-3838-A10", + "SEC-3838-A11", + "SEC-3839", + "SEC-3885", + "SEC-3885-A05", + "SEC-3933-A01", + "SEC-3936", + "SEC-3936-A01", + "SEC-3936-A02", + "SEC-3937-A01", + "SEC-3963", + "SEC-3963-A01", + "SEC-3972-A05", + "SEC-3972-A12", + "SEC-4005", + "SEC-6993-A02", + "SEC-7109-A02", + "SEC-7621-A08", + "SEC-8998-A01", + "SEC-9002-A10", + "SEC-9007-A01", + "SEC-9007-A04", + "UPD-004-A07" + ], + "member_count": 42, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.85, + "source_meta_cluster": "M8", + "cluster_size": 37, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "update_testing_validation", + "name": "Test und Validierung von Updates", + "description": "Updates werden vor Verteilung in isolierten Testumgebungen getestet und validiert; manipulierte und unvollstaendige Update-Pakete werden in Tests erkannt; Funktionsfaehigkeit nach Update wird geprueft.", + "tier": "BEST_PRACTICE", + "subdomain": "update_testing", + "applicability": "universal", + 
"evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-40 Test before deploy", + "role": "best_practice" + }, + { + "source": "ISO", + "anchor": "ISO/IEC 27001 A.8.32", + "role": "best_practice" + } + ], + "member_review_units": [ + "M1", + "M13" + ], + "member_controls": [ + "AUTH-1742-A10", + "COMP-2768-A06", + "COMP-2768-A07", + "CRYP-1332-A08", + "CRYP-504-A07", + "CRYP-504-A17", + "CRYP-504-A24", + "GOV-2540-A08", + "HSM-003-A01", + "HSM-003-A08", + "ROT-005-A01", + "SEC-3665-A06", + "SEC-3847-A03", + "SEC-3885-A03", + "SEC-3928-A01", + "SEC-3970-A09", + "SEC-3972", + "SEC-430-A29", + "SEC-7067-A11", + "SEC-7621-A08", + "SEC-8998-A01", + "SEC-9002-A10", + "SEC-9007-A01", + "SEC-9019-A06", + "UPD-004-A07" + ], + "member_count": 25, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M1", + "cluster_size": 20, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "update_rollback", + "name": "Rollback-Prozess fuer Updates", + "description": "Dokumentierter und getesteter Rollback-Prozess fuer fehlerhafte Firmware-/Software-Updates; unvollstaendige Updates werden blockiert und Update-Ereignisse explizit bestaetigt.", + "tier": "BEST_PRACTICE", + "subdomain": "update_rollback", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": true + }, + "source_role": "GUIDANCE", + "legal_basis": [], + "guidance_basis": [ + { + "source": "NIST", + "anchor": "SP 800-40 Rollback", + "role": "best_practice" + } + ], + "member_review_units": [ + "M1", + "M11" + ], + "member_controls": [ + "AUTH-1742-A10", + "COMP-2768-A06", + "COMP-2768-A07", + 
"CRYP-1332-A08", + "CRYP-504-A07", + "CRYP-504-A17", + "CRYP-504-A24", + "GOV-2540-A08", + "HSM-003-A01", + "HSM-003-A08", + "ROT-005-A01", + "SEC-3665-A06", + "SEC-3847-A03", + "SEC-3885-A03", + "SEC-3928-A01", + "SEC-3970-A09", + "SEC-3972", + "SEC-3999-A04", + "SEC-4018-A02", + "SEC-430-A29", + "SEC-7067-A11", + "SEC-7077-A03", + "SEC-9019-A06" + ], + "member_count": 23, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.75, + "source_meta_cluster": "M1", + "cluster_size": 20, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "automatic_updates_optout", + "name": "Automatische Updates mit Standardaktivierung und Opt-out", + "description": "Automatische Sicherheitsupdates sind standardmaessig aktiviert mit sicherer Standardkonfiguration; eine Funktion zur Deaktivierung (Opt-out) wird bereitgestellt.", + "tier": "LEGAL_MINIMUM", + "subdomain": "automatic_updates", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": true, + "evidence": false + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (2)(c)", + "citation": "Sicherheitsupdates werden, soweit moeglich, automatisch installiert mit Opt-out-Moeglichkeit des Nutzers." 
+ } + ], + "guidance_basis": [], + "member_review_units": [ + "M12", + "M9" + ], + "member_controls": [ + "SEC-1494-A02", + "SEC-4195-A01", + "SEC-4984-A03", + "SEC-580", + "SEC-9025", + "SEC-9110-A01" + ], + "member_count": 6, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.9, + "source_meta_cluster": "M12", + "cluster_size": 5, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates", + "capability_candidate": true + }, + { + "id": "update_risk_assessment", + "name": "Risikobeurteilung der Update-Pflicht", + "description": "Risikobeurteilung des Herstellers zur Bestimmung notwendiger Sicherheitsupdates, einschliesslich Behandlung von Software ohne Sicherheitsupdates.", + "tier": "LEGAL_MINIMUM", + "subdomain": "risk_assessment", + "applicability": "universal", + "evidence_facets": { + "governance": true, + "capability": false, + "evidence": true + }, + "source_role": "LEGAL_BASIS", + "legal_basis": [ + { + "source": "CRA", + "anchor": "Annex I (1)(2)", + "citation": "Cybersicherheits-Risikobeurteilung als Grundlage fuer Schwachstellenbehandlung." + } + ], + "guidance_basis": [], + "member_review_units": [ + "M3" + ], + "member_controls": [ + "COMP-745", + "NET-790-A02" + ], + "member_count": 2, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.8, + "source_meta_cluster": "M3", + "cluster_size": 2, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates" + }, + { + "id": "secure_modification_control", + "name": "Kontrolle sicherheitsrelevanter Updates an Lifecycle-Objekten", + "description": "Schreibzugriff auf sicherheitskritische Lifecycle-Objekte (z.B. 
EF.SecModLifeCycle) ist nur im Rahmen validierter Firmware-Updates moeglich; Schreibzugriff ohne Update wird abgelehnt.", + "tier": "BEST_PRACTICE", + "subdomain": "lifecycle_access_control", + "applicability": "conditional:secure_element_or_smartcard", + "evidence_facets": { + "governance": false, + "capability": true, + "evidence": true + }, + "source_role": "IMPLEMENTATION", + "legal_basis": [], + "guidance_basis": [ + { + "source": "BSI", + "anchor": "TR-03110 / SecMod Lifecycle", + "role": "best_practice" + } + ], + "member_review_units": [ + "M10" + ], + "member_controls": [ + "SEC-3738-A03", + "SEC-3738-A08", + "SEC-3738-A09" + ], + "member_count": 3, + "relationships": [], + "citation_anchor_ids": [], + "citation_status": "pending_span_anchor", + "review_status": "draft", + "provenance": { + "discovery_confidence": 0.7, + "source_meta_cluster": "M10", + "cluster_size": 3, + "llm_model": "claude-opus-4-8", + "synthesis_version": "v1" + }, + "family": "updates" + } + ], + "relationships": [ + { + "type": "supports", + "from": "signed_update_integrity", + "to": "provide_security_updates", + "note": "Integritaetsschutz sichert die Update-Bereitstellung ab." + }, + { + "type": "supports", + "from": "trusted_update_source", + "to": "provide_security_updates", + "note": "Vertrauenswuerdige Quelle als Voraussetzung sicherer Updates." + }, + { + "type": "produces_evidence_for", + "from": "update_testing_validation", + "to": "provide_security_updates", + "note": "Testnachweise belegen Wirksamkeit der Updates." + }, + { + "type": "supports", + "from": "update_rollback", + "to": "provide_security_updates", + "note": "Rollback sichert Update-Prozess gegen Fehler ab." + }, + { + "type": "implements", + "from": "automatic_updates_optout", + "to": "provide_security_updates", + "note": "Automatische Installation konkretisiert Bereitstellungspflicht." 
+ }
+ {
+ "type": "depends_on",
+ "from": "provide_security_updates",
+ "to": "update_risk_assessment",
+ "note": "Updatebedarf folgt aus Risikobeurteilung."
+ },
+ {
+ "type": "depends_on",
+ "from": "support_period_maintenance",
+ "to": "provide_security_updates",
+ "note": "Wartung definiert den Bereitstellungszeitraum."
+ },
+ {
+ "type": "derived_from",
+ "from": "secure_modification_control",
+ "to": "signed_update_integrity",
+ "note": "Spezialfall validierter Schreibzugriff via Firmware-Update."
+ },
+ {
+ "type": "out_of_scope",
+ "review_units": [
+ "M4",
+ "M7"
+ ],
+ "note": "M4 (digitale Veraenderungen allgemein) und M7 (TLS-Proxy-Kanalverwaltung) betreffen Konfigurations-/Netzwerkmanagement, nicht die Update-/Patch-Pflicht im engeren Sinne."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/obligations/obligation_join_keys.json b/obligations/obligation_join_keys.json
index 6351aedb..7a5d5bec 100644
--- a/obligations/obligation_join_keys.json
+++ b/obligations/obligation_join_keys.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "obligation_join_keys_v1",
 "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).",
- "count": 66,
+ "count": 93,
 "obligation_ids": [
 {
 "obligation_id": "sbom_creation",
@@ -582,6 +582,245 @@
 "tier": "BEST_PRACTICE",
 "citation_units": [],
 "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_control_least_privilege",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(2)(d)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "remote_access_confidentiality_integrity",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(2)(b)(c)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "remote_session_management",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_mfa",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_encryption",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "reject_insecure_remote_protocols",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_logging_audit",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(2)(g)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "remote_access_user_validation_ot",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_training",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_architecture_design",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_attack_surface_min",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(2)(a)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "remote_access_vuln_patch_mgmt",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (2)(1)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "remote_access_threat_detection",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_maintenance_governance",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "temporary_remote_access_mgmt",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_data_export_protection",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "component_remote_interface_security",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "remote_access_fallback_concept",
+ "regulation": "CRA",
+ "family": "remote_access",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "provide_security_updates",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (2)(c)",
+ "Art. 13"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "support_period_maintenance",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Art. 13(8)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "signed_update_integrity",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(3)(f)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "trusted_update_source",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(3)(d)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "update_testing_validation",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "update_rollback",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "GUIDANCE"
+ },
+ {
+ "obligation_id": "automatic_updates_optout",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (2)(c)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "update_risk_assessment",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "LEGAL_MINIMUM",
+ "citation_units": [
+ "Annex I (1)(2)"
+ ],
+ "source_role": "LEGAL_BASIS"
+ },
+ {
+ "obligation_id": "secure_modification_control",
+ "regulation": "CRA",
+ "family": "updates",
+ "tier": "BEST_PRACTICE",
+ "citation_units": [],
+ "source_role": "IMPLEMENTATION"
 }
 ]
 }
\ No newline at end of file
diff --git a/scripts/obligation_discovery/precluster.py b/scripts/obligation_discovery/precluster.py
index ed81294b..f4b09dd8 100644
--- a/scripts/obligation_discovery/precluster.py
+++ b/scripts/obligation_discovery/precluster.py
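Review bot: The `remote_access_confidentiality_integrity` entry fuses two anchors into one citation unit, `"Annex I (1)(2)(b)(c)"`, while every other entry in this hunk keeps one anchor per array element; the file's own contract names citation_units as the interim bridge, so a fused string will match neither span and should be split into `"Annex I (1)(2)(b)", "Annex I (1)(2)(c)"`. The anchor notation is also mixed within the same hunk: the remote_access entries write Part I items with the part prefix (`"Annex I (1)(2)(d)"`), whereas `provide_security_updates` and `automatic_updates_optout` cite the same kind of item as `"Annex I (2)(c)"`, and `remote_access_vuln_patch_mgmt` uses `"Annex I (2)(1)"`, which presumably means a Part II item; an exact-string join on citation_units will silently miss entries unless one form is chosen and applied consistently. It would help a later reader to state the chosen anchor grammar once in the `contract` string (e.g. that `(1)` / `(2)` denote Annex I Part I / Part II). The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.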
@@ -22,6 +22,17 @@ SCOPES = {
 "logging": ["%logging%", "%protokollierung%", "%audit-log%", "%audit-trail%", "%ereignisprotokoll%", "%sicherheitsprotokoll%", "%audit-protokoll%", "%log-management%", "%sicherheitsereignis%protokoll%", "%audit-trail%"],
+ "remote_access": ["%fernwartung%", "%fernzugriff%", "%fernzugang%", "%fernwartungs%",
+ "%remote access%", "%remote maintenance%", "%remote management%",
+ "%remote-wartung%", "%remote-zugriff%", "%remote-zugang%",
+ "%sichere fernwartung%", "%fernsteuerung%"],
+ "updates": ["%sicherheitsupdate%", "%security update%", "%sicherheits-update%",
+ "%security patch%", "%sicherheitspatch%", "%patch-management%",
+ "%patchmanagement%", "%patch management%", "%firmware-update%",
+ "%firmware update%", "%software-update%", "%software update%",
+ "%automatische aktualisierung%", "%update-mechanismus%",
+ "%update-bereitstellung%", "%bereitstellung von updates%",
+ "%sichere aktualisierung%", "%signierte update%", "%update-paket%"],
 }