{ "schema_version": "obligation_registry_v1", "regulation": "CRA", "regulation_code": "eu_2024_2847", "generated_by": "obl_registry_build/claude-opus-4-8", "citation_status": "pending_span_anchor", "obligations": [ { "id": "sbom_creation", "name": "SBOM erstellen", "description": "Hersteller von Produkten mit digitalen Elementen müssen eine Software Bill of Materials erstellen.", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (1)", "citation": "SBOM in gängigem maschinenlesbarem Format, mind. Top-Level-Abhängigkeiten" } ], "guidance_basis": [ { "source": "BSI", "anchor": "TR-03183", "role": "implementation_guidance" }, { "source": "ENISA", "anchor": "", "role": "best_practice" } ], "member_controls": [ "AI-1246", "AI-1246-A01", "AI-528-A06", "AI-528-A13", "AUTH-006-A10", "AUTH-2111-A08", "AUTH-2962-A05", "AUTH-3664-A07", "AUTH-4033-A02", "AUTH-4042-A03", "AUTH-4061-A04", "COMP-2335-A05", "COMP-2782-A06", "COMP-3363-A07", "COMP-4052", "COMP-511-A04", "COMP-511-A10", "COMP-705-A11", "CRYP-030-A04", "GOV-306-A02", "GOV-306-A08", "GOV-356-A02", "GOV-3850", "GOV-3850-A01", "HLT-062", "INC-066-A21", "LOG-1185", "LOG-1185-A02", "LOG-1191-A05", "LOG-1208-A03", "LOG-1759-A08", "LOG-2075-A03", "LOG-2076-A01", "LOG-2076-A02", "LOG-2079", "LOG-2079-A01", "LOG-2079-A02", "LOG-211", "LOG-211-A01", "LOG-211-A03", "LOG-211-A09", "LOG-211-A10", "LOG-211-A11", "LOG-543-A03", "LOG-543-A08", "NET-246-A03", "NET-246-A09", "SEC-020-A06", "SEC-020-A15", "SEC-020-A28", "SEC-027", "SEC-027-A02", "SEC-027-A03", "SEC-027-A11", "SEC-027-A23", "SEC-027-A24", "SEC-096-A02", "SEC-096-A10", "SEC-347", "SEC-347-A01", "SEC-347-A02", "SEC-347-A11", "SEC-347-A12", "SEC-430-A20", "SEC-430-A21", "SEC-481-A01", "SEC-4981-A01", "SEC-4981-A02", 
"SEC-5516", "SEC-5516-A04", "SEC-5897-A01", "SEC-5906", "SEC-669", "SEC-669-A02", "SEC-669-A07", "SEC-669-A08", "SEC-708-A13", "SEC-7117-A01", "SEC-7128-A04", "SEC-7128-A12", "SEC-9045-A04", "SEC-9107-A05", "SUP-001-A06", "SUP-001-A11", "SUP-001-A12" ], "member_count": 85, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_dependency_coverage", "name": "Abhängigkeiten in SBOM abdecken", "description": "Die SBOM muss mindestens die Top-Level-Abhängigkeiten (direkte Abhängigkeiten) samt Metadaten dokumentieren; die Erfassung indirekter/transitiver Abhängigkeiten geht über das gesetzliche Minimum nach Annex I Part II (1) hinaus und ist als Best Practice einzustufen.", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Art. 3(36) i.V.m. Annex I Part II (1)", "citation": "SBOM-Definition: formale Aufzeichnung enthaltener Komponenten und Abhängigkeiten" } ], "guidance_basis": [ { "source": "OWASP", "anchor": "CycloneDX", "role": "implementation_guidance" } ], "member_controls": [ "AI-1246-A02", "AI-1246-A03", "AI-1246-A04", "AI-1246-A05", "AUTH-4033-A06", "AUTH-4062-A01", "COMP-4072-A03", "COMP-705-A03", "GOV-3108-A11", "GOV-3850-A02", "LOG-1185-A03", "LOG-1191-A08", "LOG-1191-A09", "SEC-100-A02", "SEC-100-A03", "SEC-100-A14", "SEC-100-A15", "SEC-340-A03", "SEC-340-A12", "SEC-481", "SEC-5897-A03", "SEC-7067-A12", "SEC-9027-A07", "SEC-9027-A08" ], "member_count": 24, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_format_standard", "name": "SBOM-Format nach anerkannten Standards", "description": "Die SBOM muss in einem gängigen, maschinenlesbaren Format erstellt werden. Die Verordnung selbst schreibt kein konkretes Format vor; CycloneDX und SPDX sind die etablierten maschinenlesbaren Formate, auf die die zugeordnete Guidance (BSI TR-03183, OWASP) verweist.", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "domain:products_with_digital_elements",
"evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (1)", "citation": "gängiges, maschinenlesbares Format" } ], "guidance_basis": [ { "source": "BSI", "anchor": "TR-03183 Abschnitt 5", "role": "implementation_guidance" }, { "source": "OWASP", "anchor": "CycloneDX/SPDX", "role": "implementation_guidance" } ], "member_controls": [ "AUTH-4033-A01", "AUTH-4033-A09", "COMP-2342", "COMP-4072", "COMP-4072-A01", "COMP-4072-A02", "COMP-4072-A04", "GOV-3850-A04", "GOV-3850-A10", "LOG-1191-A06", "LOG-1208-A04", "LOG-1208-A05", "LOG-2076-A04", "SEC-347-A03", "SEC-347-A13", "SEC-669-A09", "SEC-9027-A04", "SEC-9027-A06", "SEC-9047-A01" ], "member_count": 19, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_maintenance_update", "name": "SBOM pflegen und aktualisieren", "description": "Die SBOM muss bei Versionen, Patches und Dependency-Änderungen aktualisiert und mit der Produktversion synchron gehalten werden.", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (1)", "citation": "SBOM während Support-Zeitraum führen" } ], "guidance_basis": [ { "source": "NIST SSDF", "anchor": "PS.3", "role": "best_practice" } ], "member_controls": [ "AI-1050-A07", "AI-1246-A06", "AI-929-A29", "AI-929-A30", "AI-929-A40", "AI-929-A41", "AI-929-A51", "AI-929-A52", "AUTH-3664-A08", "AUTH-4033-A04", "AUTH-4033-A07", "GOV-3850-A05", "GOV-3850-A11", "INC-066-A22", "LOG-2076-A05", "NET-246-A04", "NET-246-A10", "SEC-020-A07", "SEC-020-A16", "SEC-020-A29", "SEC-027-A20", "SEC-304-A06", "SEC-304-A16", 
"SEC-347-A10", "SEC-5516-A03", "SEC-5897-A06", "SEC-5897-A09", "SEC-669-A12", "SEC-7067-A05", "SEC-9027-A02", "SEC-9027-A10" ], "member_count": 31, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_completeness_verification", "name": "SBOM-Vollständigkeit verifizieren", "description": "Die Vollständigkeit und Aktualität der SBOM ist gegen tatsächlich eingesetzte Komponenten zu prüfen und zu auditieren.", "tier": "BEST_PRACTICE", "family": "sbom", "applicability": "conditional:sbom_creation", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "OWASP", "anchor": "Dependency-Check", "role": "implementation_guidance" }, { "source": "NIST SSDF", "anchor": "PS.3.2", "role": "best_practice" } ], "member_controls": [ "AUTH-2603-A09", "AUTH-2924-A06", "AUTH-2924-A07", "AUTH-4033-A03", "AUTH-4033-A10", "GOV-3850-A07", "GOV-3850-A08", "LOG-2079-A04", "LOG-211-A08", "LOG-211-A16", "NET-470-A20", "NET-470-A31", "SEC-1170-A10", "SEC-1170-A26", "SEC-1170-A42", "SEC-1170-A58", "SEC-1252-A04", "SEC-5516-A05", "SEC-5897-A07", "SEC-9027-A05", "SEC-9049-A05" ], "member_count": 21, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_tooling_automation", "name": "SBOM-Tooling in Build-Pipeline", "description": "SBOM-Generierung wird automatisiert in die Build-/Toolchain integriert und die Tools selbst werden auf Schwachstellen gescannt.", "tier": "BEST_PRACTICE", "family": "sbom", "applicability": "conditional:sbom_creation", "evidence_facets": { "governance": false, "capability": true, "evidence": false }, "source_role": "IMPLEMENTATION", "legal_basis": [], "guidance_basis": [ { "source": "OWASP", "anchor": "CycloneDX Tooling", "role": "implementation_guidance" }, { "source": "NIST SSDF", "anchor": "PO.3", "role": 
"implementation_guidance" } ], "member_controls": [ "AUTH-2924-A02", "AUTH-3667-A08", "NET-1487-A14", "SEC-7078-A09", "SEC-7114-A01", "SEC-7114-A02" ], "member_count": 6, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_access_provision", "name": "SBOM zugänglich machen", "description": "Die SBOM muss für Kunden/Stakeholder über definierte Kanäle zugänglich gemacht und der Zugriffspfad dokumentiert werden.", "tier": "BEST_PRACTICE", "family": "sbom", "applicability": "conditional:sbom_creation", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "ENISA", "anchor": "", "role": "best_practice" } ], "member_controls": [ "AI-1246-A07", "AUTH-4033-A05", "AUTH-4033-A08", "GOV-3850-A12", "LOG-1191-A07", "NET-1842-A02", "SEC-027-A09", "SEC-027-A18", "SEC-027-A21", "SEC-1252-A05", "SEC-212-A10", "SEC-212-A17", "SEC-347-A04", "SEC-347-A14", "SEC-5897-A02", "SEC-5897-A08" ], "member_count": 16, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_authority_provision", "name": "SBOM an Marktüberwachungsbehörde bereitstellen", "description": "Die SBOM muss auf begründetes Verlangen der Marktüberwachungsbehörde vertraulich vorgelegt werden.", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": false, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Art. 
31 / Annex I Part II (1)", "citation": "Vorlage der SBOM auf begründetes Verlangen der Marktüberwachungsbehörde" } ], "guidance_basis": [], "member_controls": [ "AUTH-006-A28", "AUTH-4061-A01", "LOG-1185-A01", "LOG-2076-A03", "LOG-2079-A03", "LOG-543-A04", "LOG-543-A09", "SEC-669-A10" ], "member_count": 8, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_confidentiality", "name": "Vertraulichkeit der SBOM schützen", "description": "SBOM-Daten und Abhängigkeitsinformationen sind vertraulich zu behandeln und durch Zugriffskontrollen zu schützen. Hinweis: Die zitierte Vorschrift verpflichtet die Marktüberwachungsbehörden zur Vertraulichkeit der erhaltenen Informationen, nicht den Hersteller; eine herstellerseitige Pflicht zum Zugriffsschutz der SBOM folgt daraus nicht unmittelbar. Eine Veröffentlichungspflicht für die SBOM besteht nach der CRA nicht (Vorlage nur auf begründetes Verlangen der Behörde); der herstellerseitige Zugriffsschutz ist daher als Best Practice einzuordnen, die Einstufung als LEGAL_MINIMUM ist zu prüfen.", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Art. 31(4)", "citation": "Marktüberwachungsbehörden wahren Vertraulichkeit der erhaltenen Informationen" } ], "guidance_basis": [ { "source": "ISO", "anchor": "ISO/IEC 27001", "role": "best_practice" } ], "member_controls": [ "LOG-1185-A06", "LOG-211-A05", "LOG-211-A13", "LOG-543", "LOG-543-A01", "LOG-543-A05", "LOG-543-A06", "LOG-543-A10", "SEC-1126-A13", "SEC-1126-A31" ], "member_count": 10, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_supply_chain_contracts", "name": "SBOM-Anforderungen in Lieferantenmanagement", "description": "SBOM-Anforderungen werden vertraglich in Lieferanten-/Kundenverträgen und im Supplier-Onboarding verankert.", "tier": "BEST_PRACTICE", "family": "sbom", "applicability": "conditional:third_party_software_used", "evidence_facets": { "governance": true, "capability": false, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST SSDF", "anchor": "PW.4 / PO.1", "role": "best_practice" }, { "source": "ENISA", "anchor":
"Supply Chain", "role": "best_practice" } ], "member_controls": [ "DATA-4672-A04", "GOV-3850-A03", "GOV-3850-A06", "GOV-3850-A09", "SEC-8994-A03", "SEC-8994-A09" ], "member_count": 6, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "sbom_technical_documentation", "name": "SBOM in technischer Dokumentation/Konformitätsbewertung", "description": "Die SBOM ist Teil der technischen Dokumentation und der Konformitätsbewertung (inkl. EUCC/ST-Nachweise).", "tier": "LEGAL_MINIMUM", "family": "sbom", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": false, "capability": false, "evidence": true }, "source_role": "EVIDENCE", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Art. 31 i.V.m. Annex VII", "citation": "technische Dokumentation muss SBOM-relevante Nachweise enthalten" } ], "guidance_basis": [ { "source": "ISO", "anchor": "EUCC ALC_SBM", "role": "implementation_guidance" } ], "member_controls": [ "AUTH-004", "AUTH-006", "AUTH-154-A02", "AUTH-154-A08", "AUTH-4042", "AUTH-4042-A05", "AUTH-4061-A02", "AUTH-4061-A03", "AUTH-4062", "NET-1842-A03", "SEC-9027-A03", "SEC-9047", "SEC-9049" ], "member_count": 13, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "vuln_identification_inventory", "name": "Schwachstellen identifizieren & Komponenten erfassen", "description": "Hersteller müssen Schwachstellen in Produkten und enthaltenen (Dritt-)Komponenten kontinuierlich identifizieren und über ein SBOM/Asset-Inventar nachvollziehbar erfassen.", "tier": "LEGAL_MINIMUM", "family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (1)", 
"citation": "Komponenten identifizieren und dokumentieren, einschl. SBOM" } ], "guidance_basis": [ { "source": "NIST SSDF", "anchor": "PW.4 / RV.1", "role": "implementation_guidance" }, { "source": "ISO", "anchor": "ISO/IEC 27002:2022 8.8", "role": "best_practice" } ], "member_controls": [ "AI-012-A14", "AI-012-A28", "AI-1214-A11", "AUTH-154", "AUTH-458-A04", "AUTH-725-A10", "COMP-418-A03", "COMP-705-A04", "COMP-707-A08", "COMP-917-A10", "COMP-917-A20", "CRYP-031-A06", "DATA-4697", "GOV-206-A04", "GOV-206-A13", "INC-016-A02", "INC-016-A42", "LOG-029-A13", "LOG-1509-A06", "LOG-2028-A10", "LOG-2076", "NET-246", "NET-246-A01", "NET-246-A07", "NET-551-A04", "SEC-027", "SEC-027-A17", "SEC-027-A19", "SEC-027-A30", "SEC-100", "SEC-195-A06", "SEC-195-A12", "SEC-238-A03", "SEC-238-A14", "SEC-298-A18", "SEC-298-A19", "SEC-298-A46", "SEC-298-A47", "SEC-347", "SEC-443", "SEC-5516", "SEC-615", "SEC-6229", "SEC-708", "SEC-9045-A04", "SEC-9080", "SEC-9080-A01", "SEC-994-A06" ], "member_count": 48, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "vuln_assessment_prioritization", "name": "Schwachstellen bewerten & priorisieren", "description": "Identifizierte Schwachstellen müssen anhand standardisierter Kriterien (Schweregrad, Ausnutzbarkeit, Impact) bewertet und für die Behebung priorisiert werden.", "tier": "LEGAL_MINIMUM", "family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (2)", "citation": "Schwachstellen unverzüglich behandeln und beheben (Annex I Part II (1) betrifft nur das Identifizieren und Dokumentieren)" } ], "guidance_basis": [ { "source": "OWASP", "anchor": "CVSS / Risk Rating", "role": "best_practice" }, { "source": "NIST SSDF", "anchor": "RV.2", "role": "implementation_guidance" } ], "member_controls": [ "ACC-261-A08", "ACC-261-A19",
"ACC-588-A05", "AUTH-2172-A02", "AUTH-2187-A03", "AUTH-4018", "AUTH-4018-A01", "COMP-1131-A10", "COMP-1131-A11", "COMP-1557-A05", "COMP-705-A04", "CRYP-1586-A03", "CRYP-1586-A04", "DATA-4697-A08", "DATA-703-A06", "HLT-109-A44", "INC-013-A07", "INC-013-A18", "LOG-1470-A04", "LOG-1547-A03", "LOG-510-A03", "LOG-510-A09", "NET-0738-A10", "NET-0738-A22", "NET-1834-A01", "NET-551-A04", "SEC-001-A03", "SEC-005-A02", "SEC-005-A09", "SEC-005-A31", "SEC-100-A05", "SEC-100-A17", "SEC-194-A18", "SEC-295-A02", "SEC-295-A17", "SEC-302-A01", "SEC-302-A10", "SEC-302-A20", "SEC-302-A21", "SEC-417-A18", "SEC-4558-A03", "SEC-465", "SEC-517", "SEC-5269-A10", "SEC-5283-A03", "SEC-5532-A01", "SEC-5889-A01", "SEC-5930-A03", "SEC-5988-A01", "SEC-6058-A04", "SEC-6213", "SEC-6213-A01", "SEC-6213-A02", "SEC-6233-A01", "SEC-640-A07", "SEC-8387-A02", "SEC-8580-A06", "SEC-9063", "SEC-9148-A01", "VUL-002-A02", "VUL-002-A07" ], "member_count": 61, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "vuln_remediation_patching", "name": "Schwachstellen beheben & Sicherheitsupdates bereitstellen", "description": "Schwachstellen müssen unverzüglich, risikobasiert und innerhalb des Unterstützungszeitraums durch Patches oder Gegenmaßnahmen behoben werden.", "tier": "LEGAL_MINIMUM", "family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (2) & (8)", "citation": "Schwachstellen unverzüglich beheben, kostenlose Sicherheitsupdates" } ], "guidance_basis": [ { "source": "NIST SSDF", "anchor": "RV.3", "role": "implementation_guidance" } ], "member_controls": [ "ACC-099-A16", "ACC-218-A08", "ACC-218-A16", "ACC-218-A24", "ACC-218-A32", "ACC-218-A40", "AI-054-A15", "AI-248-A13", "AI-748-A06", "AI-748-A16", 
"AI-748-A32", "AI-748-A49", "AI-773-A36", "AI-773-A45", "AI-778-A14", "AI-778-A23", "AI-799-A08", "AI-799-A19", "AUTH-130-A02", "AUTH-132", "AUTH-183", "AUTH-480-A05", "AUTH-524-A04", "AUTH-632-A05", "AUTH-647-A08", "AUTH-718-A08", "AUTH-725-A10", "AUTH-831-A08", "AUTH-831-A17", "AUTH-871-A26", "COMP-001-A59", "COMP-1107-A03", "COMP-1107-A12", "COMP-1107-A22", "COMP-1107-A31", "COMP-1107-A43", "COMP-1107-A48", "COMP-1135-A03", "COMP-150-A08", "COMP-4063-A04", "COMP-996-A02", "CRYP-024-A08", "CRYP-031-A07", "CRYP-035-A04", "CRYP-087-A06", "CRYP-409-A06", "CRYP-431-A67", "CRYP-438-A39", "DATA-874-A04", "DATA-874-A09", "DATA-874-A19", "FIN-092-A05", "FIN-092-A19", "FIN-092-A32", "FIN-092-A46", "FIN-092-A60", "FIN-092-A73", "GOV-385-A12", "INC-013-A20", "INC-016-A27", "INC-044-A02", "INC-071-A16", "INC-092-A17", "INC-227-A59", "LOG-359-A12", "LOG-600-A05", "LOG-681-A02", "LOG-845-A13", "LOG-845-A23", "LOG-845-A39", "LOG-845-A50", "NET-072-A08", "NET-072-A10", "NET-122-A09", "NET-122-A17", "NET-1266", "NET-294-A05", "SEC-005-A04", "SEC-005-A05", "SEC-1136-A04", "SEC-1136-A12", "SEC-1136-A20", "SEC-1136-A28", "SEC-1158-A05", "SEC-1158-A14", "SEC-1158-A23", "SEC-1158-A32", "SEC-1158-A41", "SEC-1158-A48", "SEC-132", "SEC-132-A02", "SEC-132-A09", "SEC-195-A07", "SEC-195-A13", "SEC-256-A09", "SEC-289-A06", "SEC-289-A18", "SEC-298-A02", "SEC-298-A30", "SEC-342-A14", "SEC-342-A30", "SEC-349-A03", "SEC-349-A15", "SEC-393-A13", "SEC-393-A14", "SEC-554-A08", "SEC-554-A24", "SEC-5930-A04", "SEC-708-A15", "SEC-994-A06" ], "member_count": 110, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "vuln_handling_process", "name": "Schwachstellenbehandlungsverfahren dokumentieren & etablieren", "description": "Ein dokumentierter Vulnerability-Handling-Prozess mit definierten Rollen, Schritten und Zeithorizonten muss etabliert und über die technische Dokumentation nachweisbar sein.", "tier": "LEGAL_MINIMUM", 
"family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Article 13(8) & Annex VII", "citation": "Schwachstellenbehandlungsprozesse einrichten und in technischer Doku belegen" } ], "guidance_basis": [ { "source": "NIST SSDF", "anchor": "RV", "role": "implementation_guidance" }, { "source": "ISO", "anchor": "ISO/IEC 30111", "role": "best_practice" } ], "member_controls": [ "AI-010-A17", "AI-748-A04", "AI-748-A14", "AI-748-A30", "AI-748-A47", "AI-773-A25", "AI-773-A34", "AI-773-A43", "AI-778-A12", "AI-778-A21", "AI-799-A06", "AI-799-A17", "AUTH-076-A22", "AUTH-132-A09", "AUTH-143-A02", "AUTH-154", "AUTH-154-A02", "AUTH-154-A08", "AUTH-183-A09", "AUTH-2105-A02", "AUTH-2112-A04", "AUTH-2113-A05", "AUTH-2117-A03", "AUTH-2117-A04", "AUTH-2117-A07", "AUTH-2298-A06", "AUTH-3473-A08", "AUTH-4026-A02", "AUTH-4115", "AUTH-718-A06", "AUTH-871-A24", "COMP-001-A57", "COMP-150-A06", "COMP-4114-A08", "COMP-4114-A09", "COMP-910", "COMP-910-A01", "COMP-910-A02", "CRYP-031-A05", "CRYP-760-A02", "GOV-2632-A09", "INC-092-A15", "LOG-2075-A02", "LOG-222-A02", "LOG-222-A08", "LOG-222-A11", "LOG-222-A12", "NET-1196-A11", "NET-240-A06", "NET-240-A07", "NET-240-A13", "NET-240-A14", "SDL-009", "SDL-009-A01", "SDL-009-A06", "SEC-027-A07", "SEC-027-A15", "SEC-027-A28", "SEC-1158-A03", "SEC-1158-A04", "SEC-1158-A12", "SEC-1158-A13", "SEC-1158-A21", "SEC-1158-A22", "SEC-1158-A30", "SEC-1158-A31", "SEC-1158-A39", "SEC-1158-A40", "SEC-1158-A46", "SEC-1158-A47", "SEC-118-A04", "SEC-118-A08", "SEC-132-A03", "SEC-132-A04", "SEC-132-A10", "SEC-132-A11", "SEC-171-A11", "SEC-171-A29", "SEC-171-A42", "SEC-194-A17", "SEC-279", "SEC-279-A01", "SEC-279-A06", "SEC-443-A08", "SEC-443-A09", "SEC-492", "SEC-4944-A04", "SEC-4944-A05", "SEC-4953-A02", "SEC-4953-A03", "SEC-4957-A06", "SEC-4970-A14", 
"SEC-5952", "SEC-5958-A04", "SEC-655-A11", "SEC-691-A01", "SEC-8566-A02", "SEC-8789-A07", "SEC-8968-A01", "SEC-8987-A05", "SEC-9045-A01", "SEC-9046-A01", "SEC-925-A01", "SEC-994", "SEC-994-A02" ], "member_count": 105, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "coordinated_vulnerability_disclosure", "name": "Coordinated Vulnerability Disclosure Policy & Meldekanal", "description": "Eine öffentliche CVD-Richtlinie und ein zugänglicher, vertraulicher Meldekanal für externe Schwachstellenmeldungen müssen bereitgestellt werden.", "tier": "LEGAL_MINIMUM", "family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (5)", "citation": "Coordinated Vulnerability Disclosure Policy einrichten" } ], "guidance_basis": [ { "source": "ISO", "anchor": "ISO/IEC 29147", "role": "best_practice" }, { "source": "ENISA", "anchor": "CVD Good Practice Guide", "role": "best_practice" } ], "member_controls": [ "AUTH-2298-A07", "AUTH-241-A02", "AUTH-4018-A05", "AUTH-4019-A01", "AUTH-4026-A01", "COMP-3615-A10", "CRYP-2322-A06", "CRYP-2323-A02", "CRYP-2325-A01", "CRYP-2325-A02", "DATA-4673", "DATA-4674-A02", "DATA-4697-A01", "GOV-3493", "GOV-3847", "GOV-3847-A01", "GOV-3847-A02", "GOV-3851", "INC-063-A01", "INC-063-A08", "INC-063-A09", "INC-063-A10", "LOG-1527-A05", "LOG-2068-A11", "LOG-2075-A01", "LOG-623-A04", "LOG-623-A05", "NET-1824", "SEC-027-A04", "SEC-027-A08", "SEC-027-A12", "SEC-027-A16", "SEC-027-A25", "SEC-027-A29", "SEC-132-A06", "SEC-132-A13", "SEC-277-A04", "SEC-277-A13", "SEC-347-A08", "SEC-347-A18", "SEC-446", "SEC-4995-A03", "SEC-4995-A08", "SEC-4996-A02", "SEC-4996-A08", "SEC-5969-A09", "SEC-8938-A01", "SEC-8943-A15", "SEC-8948-A06", "SEC-8948-A07", "SEC-8950-A01", 
"SEC-8950-A02", "SEC-8950-A07", "SEC-8950-A09", "SEC-8950-A10", "SEC-8951-A01", "SEC-8959-A01", "SEC-8963", "SEC-8963-A02", "SEC-8963-A06", "SEC-8963-A10", "SEC-8967-A02", "SEC-8971-A13", "SEC-8973-A01", "SEC-8974", "SEC-8974-A13", "SEC-8974-A14", "SEC-8974-A16", "SEC-8976", "SEC-8983-A05", "SEC-8984-A08", "SEC-9003-A03", "SEC-9006-A01", "SEC-9006-A04", "SEC-9045-A02", "SEC-9107-A07", "SEC-925-A03", "SEC-938-A09" ], "member_count": 78, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "exploited_vuln_reporting_authorities", "name": "Meldung aktiv ausgenutzter Schwachstellen an CSIRT/ENISA", "description": "Aktiv ausgenutzte Schwachstellen müssen fristgerecht an das koordinierende CSIRT und ENISA über die Single-Reporting-Plattform gemeldet werden: Frühwarnung innerhalb von 24 Stunden nach Kenntnisnahme, Schwachstellenmeldung innerhalb von 72 Stunden und Abschlussbericht spätestens 14 Tage nach Verfügbarkeit einer Abhilfe- oder Minderungsmaßnahme (Art. 14(2)). Die 72-Stunden-Meldung ist damit nicht die abschließende Meldung.", "tier": "LEGAL_MINIMUM", "family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Article 14 & Article 16", "citation": "Meldepflicht aktiv ausgenutzter Schwachstellen über Single Reporting Platform" } ], "guidance_basis": [], "member_controls": [ "AUTH-186", "COMP-1243-A08", "COMP-1243-A14", "COMP-1243-A20", "COMP-1243-A26", "COMP-1243-A32", "LOG-510-A06", "LOG-510-A07", "LOG-510-A12", "NET-023-A07", "NET-023-A20", "SEC-112", "SEC-112-A01", "SEC-118-A01", "SEC-118-A05", "SEC-124-A02", "SEC-142-A01", "SEC-142-A03", "SEC-142-A09", "SEC-142-A11", "SEC-142-A19", "SEC-168", "SEC-171-A14", "SEC-171-A32", "SEC-195-A11", "SEC-195-A20", "SEC-273-A02", "SEC-273-A10", "SEC-4991-A03", "SEC-603-A08", "SEC-9148-A01" ], "member_count": 31, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" }, { "id": "vuln_info_dissemination_users", "name":
"Nutzerinformation über behobene Schwachstellen", "description": "Sobald ein Sicherheitsupdate verfügbar ist, müssen Nutzer über die behobene Schwachstelle transparent informiert werden (Beschreibung, Identifikation des betroffenen Produkts, Auswirkungen und Schweregrad, klare Hinweise zur Abhilfe bzw. zum Update, ggf. CVE-Kennung). In begründeten Fällen, in denen die Sicherheitsrisiken der Veröffentlichung den Sicherheitsnutzen überwiegen, darf die Veröffentlichung aufgeschoben werden, bis Nutzer das Update anwenden konnten.", "tier": "LEGAL_MINIMUM", "family": "vuln", "applicability": "domain:products_with_digital_elements", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "regulation_code": "eu_2024_2847", "anchor": "Annex I Part II (4) & (6)", "citation": "Informationen über behobene Schwachstellen teilen und offenlegen" } ], "guidance_basis": [ { "source": "ISO", "anchor": "ISO/IEC 29147 (Disclosure)", "role": "best_practice" } ], "member_controls": [ "CRYP-031-A01", "CRYP-031-A04", "NET-1829-A05", "SEC-349-A04", "SEC-349-A16" ], "member_count": 5, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft" } ], "relationships": [ { "type": "depends_on", "from": "sbom_dependency_coverage", "to": "sbom_creation", "note": "Inhaltsanforderung setzt SBOM-Erstellung voraus" }, { "type": "depends_on", "from": "sbom_format_standard", "to": "sbom_creation", "note": "Format gilt für die erstellte SBOM" }, { "type": "supports", "from": "sbom_tooling_automation", "to": "sbom_creation", "note": "Tooling automatisiert Erstellung" }, { "type": "produces_evidence_for", "from": "sbom_completeness_verification", "to": "sbom_dependency_coverage", "note": "Verifikation belegt Vollständigkeit" }, { "type": "produces_evidence_for", "from": "sbom_technical_documentation", "to": "sbom_creation", "note": "Doku als Konformitätsnachweis" }, { "type": "supports", "from": "sbom_access_provision", "to": "sbom_authority_provision", "note": "Zugänglichkeit unterstützt Behördenvorlage" }, { "type": "depends_on", "from": "sbom_supply_chain_contracts", "to": "sbom_dependency_coverage", "note": "Third-Party-Daten via Verträge beschaffen" }, { "type": "out_of_scope",
"clusters": [ 10, 11, 19, 35, 32, 37, 76 ], "note": "Material-/Batterie-Stücklisten, CO₂-/Energiemix-Berechnung und Sicherheitskomponentenlisten (Türverriegelung) sind keine Software-SBOM, sondern Ökodesign/Maschinenrichtlinie/Batterieverordnung" }, { "type": "supports", "from": "vuln_identification_inventory", "to": "vuln_assessment_prioritization", "note": "Inventar liefert Basis für Bewertung" }, { "type": "depends_on", "from": "vuln_remediation_patching", "to": "vuln_assessment_prioritization", "note": "Priorisierung steuert Behebungsreihenfolge" }, { "type": "produces_evidence_for", "from": "vuln_handling_process", "to": "vuln_remediation_patching", "note": "Prozessdoku belegt Behebung" }, { "type": "supports", "from": "coordinated_vulnerability_disclosure", "to": "exploited_vuln_reporting_authorities", "note": "Meldungseingang speist Behörden-Reporting" }, { "type": "produces_evidence_for", "from": "vuln_remediation_patching", "to": "vuln_info_dissemination_users", "note": "Behebung Voraussetzung für Nutzerinfo" }, { "type": "out_of_scope", "clusters": [ 5, 22, 24, 25, 26, 31, 33, 35, 36, 43, 50, 53, 54, 61, 64, 65, 74, 83, 87, 88, 92, 97, 98, 100, 101, 102, 106, 107, 110, 117, 118, 121, 126, 127, 131, 134, 135, 136, 139, 140, 141, 145, 146, 151, 153, 154, 156, 163, 164, 165, 166, 168, 169, 170, 171, 175, 176, 177, 187, 190, 194, 197, 198 ], "note": "Adressieren NIS2-Einrichtungspflichten, CSIRT/ENISA-Behördenaufgaben, Konformitätsbewertungsstellen/EUCC-Zertifizierung, Distributor/Importeur-Pflichten, nationale Strategien, Secure-by-Design/Tooling oder Interoperabilität — keine herstellerseitige Vulnerability-Handling-Pflicht nach CRA Art. 13(8)/Annex I Part II" } ] }