{ "schema_version": "capability_layer_v1", "model": "Modell C (docs-src/development/capability_model_v1.md)", "note": "Capability = technische Faehigkeit (regulierungs-agnostisch). realized_by = Obligations, die sie erfuellt (n:m). guidance_basis hier KANONISCH hochgezogen aus den realisierten Obligations (die Obligation-Kopien bleiben vorerst als Legacy; Strip = Folge-Cleanup). Sicherheitsziele sind KEINE Capabilities -> cra_core.json.", "dropped": { "access_control": "OVERLAP (credential_confidentiality <-> sbom_confidentiality), nicht materialisiert" }, "candidate_capabilities_followup": [ "automatic_update_delivery", "update_rollback", "trusted_update_source", "hash_verification", "secure_boot", "least_functionality", "credential_storage" ], "capabilities": [ { "capability_id": "multi_factor_authentication", "name": "Multi-Factor Authentication", "description": "Mehrfaktor-Authentisierung als technische Faehigkeit (Besitz/Wissen/Inhaerenz).", "type": "technical_capability", "realized_by": [ "mfa_required", "privileged_op_reauth", "remote_access_authentication", "remote_access_mfa", "remote_access_user_validation_ot", "supplier_access_auth" ], "realizes_count": 6, "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-63B", "role": "best_practice" }, { "source": "Out-of-Band-Authentifizierung", "anchor": "", "role": "implementation_guidance", "merged_from": "out_of_band_authentication" }, { "source": "Hardware-basierte Authentifizierung (AAL3)", "anchor": "", "role": "implementation_guidance", "merged_from": "hardware_authenticators" }, { "source": "E-Mail-Authentifizierungsmechanismen (SPF/DKIM/DMARC)", "anchor": "", "role": "implementation_guidance", "merged_from": "email_authentication" }, { "source": "NIST", "anchor": "IA-02", "role": "best_practice" }, { "source": "NIST", "anchor": "IA-02(1)", "role": "best_practice" }, { "source": "NIST", "anchor": "AC-17", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-53 IA-2", "role": "best_practice" }, { "source": "BSI", "anchor": "ICS Security Kompendium", "role": "best_practice" }, { "source": "ISO", "anchor": "ISO 27001 A.5.19", "role": "best_practice" } ], "domains": [ "authentication", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "capability_id": "session_management", "name": "Session Management", "description": "Sichere Sitzungsverwaltung: Timeouts, Bindung, Re-Auth, Beendigung.", "type": "technical_capability", "realized_by": [ "reauth_after_inactivity", "remote_session_management", "session_binding_management", "temporary_remote_access_mgmt" ], "realizes_count": 4, "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-63B 4.3", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-53 AC-12", "role": "best_practice" }, { "source": "OWASP", "anchor": "ASVS V3", "role": "best_practice" }, { "source": "NIST", "anchor": "AC-2(5)", "role": "best_practice" } ], "domains": [ "authentication", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "capability_id": "transport_encryption", "name": "Transport Encryption", "description": "Verschluesselter Transport (TLS, mutual-TLS, Zertifikats-Auth, VPN/Tunnel).", "type": "technical_capability", "realized_by": [ "encrypted_auth_channel", "mutual_authentication", "reject_insecure_remote_protocols", "remote_access_confidentiality_integrity", "remote_access_encryption", "service_to_service_auth", "tls_certificate_auth" ], "realizes_count": 7, "guidance_basis": [ { "source": "BSI", "anchor": "TR-02102-2", "role": "best_practice" }, { "source": "NIST", "anchor": "IA-03", "role": "best_practice" }, { "source": "NIST", "anchor": "SC-8", "role": "best_practice" }, { "source": "BSI", "anchor": "IT-Grundschutz NET.3.3", "role": "best_practice" }, { "source": "OWASP", "anchor": "API Security Top 10", "role": "best_practice" }, { "source": "NIST", "anchor": "IA-05(2)", "role": "best_practice" } ], "domains": [ "authentication", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "capability_id": "code_signing", "name": "Code & Update Signing", "description": "Digitale Signatur + Integritaets-/Authentizitaetspruefung von Firmware/Software/Updates.", "type": "technical_capability", "realized_by": [ "firmware_software_authentication", "signed_update_integrity" ], "realizes_count": 2, "guidance_basis": [ { "source": "NIST", "anchor": "SI-07", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-147 BIOS Protection", "role": "best_practice" } ], "domains": [ "authentication", "updates" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "capability_id": "security_monitoring_alerting", "name": "Security Monitoring & Alerting", "description": "Anomalie-/Bedrohungserkennung und Alarmierung aus Logs/Telemetrie.", "type": "technical_capability", "realized_by": [ "log_monitoring_alerting", "remote_access_threat_detection" ], "realizes_count": 2, "guidance_basis": [ { "source": "NIST", "anchor": "AU-6/SI-4", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-94", "role": "best_practice" } ], "domains": [ "logging", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } } ] }