{ "schema_version": "capability_registry_v1", "contract_version": "1.0", "status": "stable_api_contract", "note": "PRODUKTNEUTRALER Vertrag zwischen Product Knowledge Graph (Domaene 3, Feature->Capability) und Compliance Execution Graph (Domaene 2). Stabile cap.*-IDs NIE umbenennen. KEINE Business-Features hier (die besitzt die Product-Session). Siehe docs-src/development/session_ownership_model_v1.md + compliance_meta_model_v1.md (Freeze v1.0).", "id_namespace": "cap.", "contract_fields": [ "id", "name", "description", "guidance_basis", "realizes_obligations", "required_procedures", "evidence_patterns", "domains" ], "dropped": { "access_control": "OVERLAP (credential_confidentiality <-> sbom_confidentiality), nicht materialisiert" }, "candidate_capabilities_followup": [ "automatic_update_delivery", "update_rollback", "trusted_update_source", "hash_verification", "secure_boot", "least_functionality", "credential_storage" ], "capabilities": [ { "id": "cap.multi_factor_authentication", "slug": "multi_factor_authentication", "name": "Multi-Factor Authentication", "description": "Mehrfaktor-Authentisierung als technische Faehigkeit (Besitz/Wissen/Inhaerenz).", "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-63B", "role": "best_practice" }, { "source": "Out-of-Band-Authentifizierung", "anchor": "", "role": "implementation_guidance", "merged_from": "out_of_band_authentication" }, { "source": "Hardware-basierte Authentifizierung (AAL3)", "anchor": "", "role": "implementation_guidance", "merged_from": "hardware_authenticators" }, { "source": "E-Mail-Authentifizierungsmechanismen (SPF/DKIM/DMARC)", "anchor": "", "role": "implementation_guidance", "merged_from": "email_authentication" }, { "source": "NIST", "anchor": "IA-02", "role": "best_practice" }, { "source": "NIST", "anchor": "IA-02(1)", "role": "best_practice" }, { "source": "NIST", "anchor": "AC-17", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-53 IA-2", "role": "best_practice" }, { "source": "BSI", "anchor": "ICS Security Kompendium", "role": "best_practice" }, { "source": "ISO", "anchor": "ISO 27001 A.5.19", "role": "best_practice" } ], "realizes_obligations": [ "mfa_required", "privileged_op_reauth", "remote_access_authentication", "remote_access_mfa", "remote_access_user_validation_ot", "supplier_access_auth" ], "required_procedures": [], "evidence_patterns": [ "iam_config_export", "mfa_policy_export", "auth_audit_log" ], "domains": [ "authentication", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "id": "cap.session_management", "slug": "session_management", "name": "Session Management", "description": "Sichere Sitzungsverwaltung: Timeouts, Bindung, Re-Auth, Beendigung.", "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-63B 4.3", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-53 AC-12", "role": "best_practice" }, { "source": "OWASP", "anchor": "ASVS V3", "role": "best_practice" }, { "source": "NIST", "anchor": "AC-2(5)", "role": "best_practice" } ], "realizes_obligations": [ "reauth_after_inactivity", "remote_session_management", "session_binding_management", "temporary_remote_access_mgmt" ], "required_procedures": [], "evidence_patterns": [ "session_config_export", "timeout_policy_export" ], "domains": [ "authentication", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "id": "cap.transport_encryption", "slug": "transport_encryption", "name": "Transport Encryption", "description": "Verschluesselter Transport (TLS, mutual-TLS, Zertifikats-Auth, VPN/Tunnel).", "guidance_basis": [ { "source": "BSI", "anchor": "TR-02102-2", "role": "best_practice" }, { "source": "NIST", "anchor": "IA-03", "role": "best_practice" }, { "source": "NIST", "anchor": "SC-8", "role": "best_practice" }, { "source": "BSI", "anchor": "IT-Grundschutz NET.3.3", "role": "best_practice" }, { "source": "OWASP", "anchor": "API Security Top 10", "role": "best_practice" }, { "source": "NIST", "anchor": "IA-05(2)", "role": "best_practice" } ], "realizes_obligations": [ "encrypted_auth_channel", "mutual_authentication", "reject_insecure_remote_protocols", "remote_access_confidentiality_integrity", "remote_access_encryption", "service_to_service_auth", "tls_certificate_auth" ], "required_procedures": [], "evidence_patterns": [ "tls_config_export", "cipher_scan", "cert_inventory" ], "domains": [ "authentication", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "id": "cap.code_signing", "slug": "code_signing", "name": "Code & Update Signing", "description": "Digitale Signatur + Integritaets-/Authentizitaetspruefung von Firmware/Software/Updates.", "guidance_basis": [ { "source": "NIST", "anchor": "SI-07", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-147 BIOS Protection", "role": "best_practice" } ], "realizes_obligations": [ "firmware_software_authentication", "signed_update_integrity" ], "required_procedures": [], "evidence_patterns": [ "signature_verification_log", "sbom", "signing_key_policy" ], "domains": [ "authentication", "updates" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } }, { "id": "cap.security_monitoring_alerting", "slug": "security_monitoring_alerting", "name": "Security Monitoring & Alerting", "description": "Anomalie-/Bedrohungserkennung und Alarmierung aus Logs/Telemetrie.", "guidance_basis": [ { "source": "NIST", "anchor": "AU-6/SI-4", "role": "best_practice" }, { "source": "NIST", "anchor": "SP 800-94", "role": "best_practice" } ], "realizes_obligations": [ "log_monitoring_alerting", "remote_access_threat_detection" ], "required_procedures": [], "evidence_patterns": [ "siem_config_export", "alert_rule_export", "monitoring_audit_log" ], "domains": [ "logging", "remote_access" ], "provenance": { "source": "cross_domain_relationships.json SHARED_CAPABILITY" } } ] }