{ "schema_version": "obligation_registry_v1", "regulation": "CRA", "regulation_code": "CRA", "family": "core", "theme": "CORE Security Objectives (CRA Annex I als regulierungs-agnostische Sicherheitsziele)", "generated_by": "materialize_capabilities.py (#5b, Modell C)", "note": "CORE Legal Obligations = Sicherheitsziele (Modell C: KEINE eigene SecurityObjective-Klasse). DOMAIN-Obligations specializes-en hierauf. objective_tags = Vorwaerts-Kompat zu Modell B.", "citation_status": "pending_span_anchor", "obligations": [ { "id": "attack_surface_minimization", "name": "Minimierung der Angriffsflaeche", "family": "core", "description": "Das Produkt minimiert seine Angriffsflaeche: unnoetige Funktionen/Ports/Dienste/Schnittstellen sind deaktiviert (Least Functionality).", "tier": "LEGAL_MINIMUM", "source_role": "LEGAL_BASIS", "applicability": "universal", "objective_tags": [ "attack_surface" ], "legal_basis": [ { "source": "CRA", "anchor": "Annex I Part I (2)(j)", "citation": "limit attack surfaces, including external interfaces", "norm_ids": [ "EU-CRA-AnhangI" ], "norm_id_status": "annex_confirmed" } ], "guidance_basis": [ { "source": "NIST", "anchor": "CM-7 Least Functionality", "role": "best_practice" } ], "specialized_by": [ "remote_access_attack_surface_min", "component_remote_interface_security" ], "primary_implementation": "NIST CM-7", "citation_status": "norm_id_linked", "review_status": "core_from_5b" }, { "id": "software_integrity_protection", "name": "Schutz der Software-/Firmware-Integritaet", "family": "core", "description": "Das Produkt schuetzt Integritaet und Authentizitaet von Software/Firmware (Manipulationserkennung, Secure Boot, Signaturpruefung, Runtime-Integritaet).", "tier": "LEGAL_MINIMUM", "source_role": "LEGAL_BASIS", "applicability": "universal", "objective_tags": [ "integrity" ], "legal_basis": [ { "source": "CRA", "anchor": "Annex I Part I (2)(f)", "citation": "protect the integrity of stored, transmitted or processed data, software and configuration", "norm_ids": [ "EU-CRA-AnhangI" ], "norm_id_status": "annex_confirmed" } ], "guidance_basis": [ { "source": "NIST", "anchor": "SI-7 Software, Firmware, and Information Integrity", "role": "best_practice" } ], "specialized_by": [ "signed_update_integrity", "firmware_software_authentication" ], "realized_by_capabilities": [ "code_signing" ], "primary_implementation": "NIST SI-7", "citation_status": "norm_id_linked", "review_status": "core_from_5b" } ], "relationships": [], "norm_id_contract": { "convention": "EU--Anhang (Annex-Ebene) / EU--Art (verify) — KB-v2 bp_compliance_kb_2026_1_build", "act_naming": "EU-MaschVO-* (NICHT MaschinenVO)", "granularity": "annex-grob — 'Annex I Part II (1)' -> EU-CRA-AnhangI; Part/Punkt = KB-Enhancement TBD", "article_status": "EU--Art in KB-v2 BESTÄTIGT (16/16); Annex-IDs confirmed", "source": "Board Compliance/KB-v2 2026-07-01", "kb_v2_verification": "2026-07-01: 16/19 verify_pending IDs in KB-v2 bestätigt (alle Artikel); 3 Kapitel-IDs = chapter_no_kb_unit (Compiler mintet keine Kapitel)." } }