{ "schema_version": "obligation_registry_v1", "regulation": "CRA", "regulation_code": "CRA", "family": "updates", "theme": "Security Updates / Patch Management (CRA Annex I (2)(c), Art 13)", "generated_by": "obligation_discovery/claude-opus-4-8", "synthesis_version": "v1", "citation_status": "pending_span_anchor", "curation": { "curated_by": "obligation-registry-session 2026-06-25", "method": "two-stage clustering (670->318 micro->15 review-units) -> Opus synthesis -> LIGHT review (keine Hart-Re-Tier)", "scope_controls": 670, "micro_clusters": 318, "review_units": 15, "obligations": 9, "tier_split": { "LEGAL_MINIMUM": 6, "BEST_PRACTICE": 3 }, "out_of_scope": [ "M4 (allg. digitale Veraenderungen)", "M7 (TLS-Proxy-Kanalverwaltung)" ], "tiering_note": "Synthese DIESMAL gut kalibriert (6 LM / 3 BP) -> KEINE Hart-Kuration noetig (vs Auth 14->6, Remote-Access 14->5). LM mehrheitlich echte CRA-Update-Outcomes: provide_security_updates ((2)(c)/Art13) · support_period_maintenance (Art13(8)) · automatic_updates_optout (steht WOERTLICH in (2)(c): Auto-Updates als Default mit Opt-out) · update_risk_assessment.", "borderline_deferred": "signed_update_integrity + trusted_update_source = OUTCOME(Integritaet/Authentizitaet)+MECHANISMUS(Signatur/Quelle)-Mischung. Tier-Linie im Cross-Domain-Review final ziehen, NICHT jetzt (User-Methodik: borderline nicht vorzeitig tiern).", "capability_candidates": [ "signed_update_integrity", "trusted_update_source", "automatic_updates_optout", "update_rollback", "update_testing_validation" ], "capability_signal": "STARKES Signal fuer die Capability-Hypothese: signed/trusted/automatic/rollback/testing sind technische FAEHIGKEITEN, die das eine LM-Outcome provide_security_updates erfuellen. Das LLM tiert sie INKONSISTENT (signed/trusted/automatic->LM, rollback/testing->BP), genau weil Outcome vs Capability nicht sauber trennbar ist (User-Diagnose). Phase 4: Regulation->Obligation->CAPABILITY->Procedure->Control->Evidence.", "anchor_quality": "Anker approximativ (Opus): '(1)(3)(f)'/'(1)(3)(d)' entsprechen keiner exakten CRA-Annex-I-Struktur (Part I (2) hat Buchstaben a-m, kein Punkt (3)). support_period korrekt Art 13(8); provide_security_updates korrekt (2)(c). Span-genau mit Re-Ingest. NICHT auf Anker joinen." }, "obligations": [ { "id": "provide_security_updates", "name": "Bereitstellung von Sicherheitsupdates", "description": "Hersteller stellen wirksame Sicherheitsupdates und Patches zur Behebung von Schwachstellen ueber den gesamten Support-Zeitraum regelmaessig und kostenlos bereit, inkl. strukturiertem Patch-Management-Verfahren.", "tier": "LEGAL_MINIMUM", "subdomain": "patch_provisioning", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (2)(c)", "citation": "Schwachstellen durch Sicherheitsupdates ohne Verzug behandeln, einschliesslich automatischer Updates und Benachrichtigung." }, { "source": "CRA", "anchor": "Art. 13", "citation": "Pflicht zur Bereitstellung von Sicherheitsupdates waehrend des Support-Zeitraums." } ], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-40 Patch Management", "role": "best_practice" }, { "source": "BSI", "anchor": "OPS.1.1.3 Patch- und Aenderungsmanagement", "role": "best_practice" } ], "member_review_units": [ "M0", "M2", "M6", "M14" ], "member_controls": [ "ACC-605-A06", "ACC-650-A06", "AI-1827-A04", "AI-462-A06", "AI-462-A07", "AI-462-A17", "AI-810-A12", "AI-810-A19", "AUTH-101-A19", "AUTH-101-A22", "AUTH-1086-A02", "AUTH-1086-A04", "AUTH-1090-A04", "AUTH-1520-A03", "AUTH-1538-A02", "AUTH-1538-A03", "AUTH-1538-A11", "AUTH-1630-A03", "AUTH-1630-A07", "AUTH-1710-A03", "AUTH-1742", "AUTH-1742-A02", "AUTH-1742-A03", "AUTH-1742-A04", "AUTH-1742-A05", "AUTH-1742-A06", "AUTH-1742-A07", "AUTH-1746", "AUTH-182", "AUTH-187-A05", "AUTH-1925-A02", "AUTH-1925-A06", "AUTH-197-A13", "AUTH-2480", "AUTH-2543", "AUTH-2563-A01", "AUTH-2563-A02", "AUTH-2679-A08", "AUTH-2868", "AUTH-2913-A08", "AUTH-2942", "AUTH-2942-A01", "AUTH-2942-A06", "AUTH-2959", "AUTH-2998-A01", "AUTH-2998-A04", "AUTH-2998-A08", "AUTH-3009-A15", "AUTH-3169-A01", "AUTH-3169-A07", "AUTH-3649-A09", "AUTH-3704-A03", "AUTH-3704-A04", "AUTH-3823", "AUTH-3960", "AUTH-3961-A01", "AUTH-3974-A07", "AUTH-4034", "AUTH-4034-A01", "AUTH-4034-A04", "AUTH-4048-A02", "AUTH-513", "COMP-074-A05", "COMP-1052", "COMP-1123-A06", "COMP-1261-A01", "COMP-1907-A08", "COMP-2768-A01", "COMP-2969-A01", "COMP-2969-A02", "COMP-2969-A05", "COMP-2969-A06", "COMP-2969-A07", "COMP-2970-A03", "COMP-2970-A04", "COMP-2970-A05", "COMP-2991-A09", "COMP-3030-A09", "COMP-3360-A04", "COMP-3411-A04", "COMP-3411-A07", "COMP-3548-A07", "COMP-3990-A01", "COMP-4063-A10", "COMP-4119", "COMP-652", "COMP-652-A01", "COMP-652-A05", "COMP-995-A14", "COMP-995-A15", "CRYP-1332", "CRYP-1332-A03", "CRYP-1624", "CRYP-1805-A06", "CRYP-1805-A12", "CRYP-1886-A03", "CRYP-2073-A03", "CRYP-2289-A10", "CRYP-2359-A02", "CRYP-2359-A07", "CRYP-2361-A12", "CRYP-415-A07", "CRYP-415-A30", "CRYP-415-A41", "CRYP-415-A49", "CRYP-723-A14", "CRYP-882-A05", "CRYP-882-A06", "CRYP-882-A14", "CRYP-882-A15", "CRYP-898-A03", "DATA-1435-A10", "DATA-1435-A11", "DATA-2374-A06", "DATA-2486-A02", "DATA-265-A07", "DATA-3995-A04", "DATA-4193-A01", "DATA-4193-A07", "DATA-4674-A07", "DATA-4679", "DATA-673-A05", "DATA-673-A10", "GOV-2281-A04", "GOV-2540-A07", "GOV-3106-A03", "GOV-3108-A01", "GOV-3108-A05", "HLT-018-A13", "HLT-114-A05", "HLT-114-A41", "HLT-372-A03", "HLT-519-A04", "HLT-519-A09", "INC-241", "LOG-1409-A04", "LOG-1410", "LOG-1410-A10", "LOG-1511-A10", "LOG-1547-A11", "LOG-1730-A05", "LOG-1730-A09", "LOG-1741-A01", "LOG-1741-A02", "LOG-1741-A05", "LOG-1741-A06", "LOG-1741-A08", "LOG-1749", "LOG-1759-A13", "LOG-1760", "LOG-1760-A01", "LOG-1760-A06", "LOG-1770-A06", "LOG-1774-A06", "LOG-1774-A11", "LOG-1838-A06", "LOG-2074-A06", "LOG-2074-A09", "LOG-2075", "LOG-2078", "LOG-2078-A03", "LOG-903-A06", "LOG-904-A02", "NET-077-A05", "NET-077-A23", "NET-1196-A12", "NET-1196-A13", "NET-125-A09", "NET-125-A17", "NET-1306-A04", "NET-1317-A02", "NET-1351-A10", "NET-1465-A05", "NET-1482-A12", "NET-1494-A12", "NET-1626-A12", "NET-1637-A03", "NET-1744", "NET-1744-A01", "NET-1841-A04", "NET-1841-A05", "NET-1856-A02", "NET-1858-A02", "NET-1864-A09", "NET-1864-A13", "NET-1868", "NET-1868-A07", "NET-248-A06", "NET-248-A12", "NET-373-A02", "NET-373-A10", "NET-476-A14", "NET-476-A83", "NET-892-A04", "NET-904-A05", "NET-981-A01", "NET-981-A09", "NET-981-A10", "OPS-003", "OPS-003-A01", "OPS-003-A02", "OPS-003-A05", "OPS-003-A06", "OPS-003-A09", "PCM-003", "PCM-003-A01", "PCM-003-A02", "SEC-1041", "SEC-1041-A01", "SEC-1041-A02", "SEC-1041-A03", "SEC-1041-A04", "SEC-1041-A05", "SEC-1041-A06", "SEC-1041-A07", "SEC-1042", "SEC-1042-A01", "SEC-1042-A02", "SEC-1042-A03", "SEC-1042-A04", "SEC-1042-A06", "SEC-110-A02", "SEC-110-A03", "SEC-110-A06", "SEC-120-A07", "SEC-120-A18", "SEC-1218-A03", "SEC-1218-A12", "SEC-1243-A03", "SEC-1243-A04", "SEC-1247-A02", "SEC-1252", "SEC-1254-A04", "SEC-1254-A07", "SEC-126", "SEC-126-A05", "SEC-132", "SEC-132-A05", "SEC-132-A12", "SEC-150", "SEC-171-A10", "SEC-171-A28", "SEC-171-A41", "SEC-179-A02", "SEC-179-A07", "SEC-182-A01", "SEC-182-A12", "SEC-195-A07", "SEC-195-A13", "SEC-279-A05", "SEC-279-A10", "SEC-295", "SEC-3019-A01", "SEC-3150-A02", "SEC-3150-A03", "SEC-3166-A01", "SEC-3166-A05", "SEC-3166-A06", "SEC-3167-A01", "SEC-3167-A02", "SEC-3169-A03", "SEC-3175", "SEC-3175-A01", "SEC-3175-A04", "SEC-3175-A06", "SEC-3175-A10", "SEC-3325-A08", "SEC-339-A08", "SEC-339-A09", "SEC-339-A19", "SEC-342-A10", "SEC-342-A26", "SEC-349", "SEC-3665", "SEC-3665-A01", "SEC-3665-A02", "SEC-3665-A05", "SEC-3676-A06", "SEC-3680-A04", "SEC-3680-A10", "SEC-3719-A05", "SEC-3725", "SEC-3725-A01", "SEC-3725-A02", "SEC-3725-A03", "SEC-3725-A04", "SEC-3740-A02", "SEC-3740-A05", "SEC-3740-A06", "SEC-3740-A07", "SEC-376", "SEC-3789-A01", "SEC-3789-A02", "SEC-3829-A01", "SEC-3829-A02", "SEC-3829-A03", "SEC-3829-A04", "SEC-3834-A01", "SEC-3834-A02", "SEC-3834-A03", "SEC-3834-A04", "SEC-3834-A06", "SEC-3834-A07", "SEC-3835-A04", "SEC-3838-A01", "SEC-3838-A02", "SEC-3838-A07", "SEC-3838-A08", "SEC-3838-A09", "SEC-3839-A04", "SEC-3839-A07", "SEC-3845-A10", "SEC-3847", "SEC-3847-A02", "SEC-3847-A05", "SEC-3858", "SEC-3875-A05", "SEC-3885-A01", "SEC-3885-A02", "SEC-3885-A04", "SEC-3928", "SEC-3928-A05", "SEC-3928-A06", "SEC-3931-A04", "SEC-3931-A11", "SEC-3936-A03", "SEC-3949-A05", "SEC-3963-A03", "SEC-3963-A04", "SEC-3963-A05", "SEC-3963-A06", "SEC-3970", "SEC-3970-A03", "SEC-3972-A01", "SEC-3972-A02", "SEC-3972-A06", "SEC-3972-A07", "SEC-3972-A09", "SEC-3972-A10", "SEC-3972-A13", "SEC-3974-A06", "SEC-3985-A02", "SEC-3995", "SEC-3995-A01", "SEC-3995-A02", "SEC-3995-A03", "SEC-3995-A04", "SEC-3995-A05", "SEC-3999", "SEC-3999-A01", "SEC-3999-A03", "SEC-4005-A01", "SEC-4005-A02", "SEC-4018-A03", "SEC-4081-A02", "SEC-4081-A03", "SEC-4191", "SEC-4191-A02", "SEC-4195", "SEC-4195-A02", "SEC-4195-A08", "SEC-4209-A03", "SEC-445", "SEC-4559-A01", "SEC-4567-A01", "SEC-4567-A06", "SEC-462-A12", "SEC-470", "SEC-4945-A04", "SEC-4966-A01", "SEC-4966-A09", "SEC-4970-A04", "SEC-4970-A17", "SEC-4988-A04", "SEC-5109", "SEC-5109-A01", "SEC-5109-A02", "SEC-5528", "SEC-5528-A01", "SEC-5532-A02", "SEC-5541-A03", "SEC-5640-A08", "SEC-5640-A09", "SEC-5748", "SEC-5767-A02", "SEC-5769-A05", "SEC-5770", "SEC-5804-A07", "SEC-5818", "SEC-5818-A10", "SEC-5835", "SEC-5835-A01", "SEC-5835-A05", "SEC-5850-A03", "SEC-5850-A06", "SEC-5851-A01", "SEC-5851-A02", "SEC-5851-A03", "SEC-5851-A04", "SEC-5851-A12", "SEC-5908", "SEC-5909", "SEC-5912-A01", "SEC-5912-A03", "SEC-5921-A02", "SEC-5921-A07", "SEC-5923-A04", "SEC-5923-A05", "SEC-5924-A02", "SEC-5925-A02", "SEC-5930-A08", "SEC-5931", "SEC-5934-A04", "SEC-5941-A02", "SEC-5941-A03", "SEC-5941-A06", "SEC-5941-A07", "SEC-5941-A08", "SEC-5947-A06", "SEC-5947-A07", "SEC-5954-A04", "SEC-6092-A03", "SEC-6096-A03", "SEC-6098", "SEC-6105-A01", "SEC-6105-A03", "SEC-6105-A04", "SEC-6105-A08", "SEC-6105-A12", "SEC-6224", "SEC-6431-A07", "SEC-6431-A08", "SEC-6440-A02", "SEC-6815-A03", "SEC-6889-A01", "SEC-6890-A01", "SEC-691", "SEC-6913-A02", "SEC-6918", "SEC-6928-A04", "SEC-6928-A10", "SEC-6928-A13", "SEC-6991-A01", "SEC-6993-A01", "SEC-6996", "SEC-7016", "SEC-7018-A05", "SEC-7024-A02", "SEC-7026-A01", "SEC-7026-A06", "SEC-7037-A04", "SEC-7037-A06", "SEC-7044", "SEC-7049", "SEC-7056-A05", "SEC-7056-A10", "SEC-7056-A11", "SEC-7060-A02", "SEC-7060-A07", "SEC-7067-A01", "SEC-7077", "SEC-7077-A01", "SEC-7082-A01", "SEC-7084", "SEC-7097-A01", "SEC-710", "SEC-7100-A01", "SEC-7109-A01", "SEC-7109-A06", "SEC-7110-A01", "SEC-7113", "SEC-7117-A02", "SEC-7117-A08", "SEC-7128-A07", "SEC-7237-A03", "SEC-7577-A02", "SEC-7581-A01", "SEC-7621-A04", "SEC-7678", "SEC-7803-A08", "SEC-8324", "SEC-8324-A09", "SEC-8326", "SEC-8326-A01", "SEC-8326-A02", "SEC-8326-A06", "SEC-8326-A07", "SEC-8327-A01", "SEC-8334-A01", "SEC-8334-A02", "SEC-8334-A10", "SEC-8801-A05", "SEC-8801-A08", "SEC-8801-A09", "SEC-8801-A10", "SEC-8806", "SEC-8829-A03", "SEC-8839", "SEC-8842", "SEC-8842-A01", "SEC-8842-A03", "SEC-8842-A04", "SEC-8842-A05", "SEC-8842-A08", "SEC-8842-A09", "SEC-8842-A10", "SEC-8842-A11", "SEC-8842-A12", "SEC-8842-A14", "SEC-8871", "SEC-8871-A01", "SEC-8871-A04", "SEC-8871-A06", "SEC-8871-A07", "SEC-8871-A08", "SEC-8871-A09", "SEC-8880", "SEC-8888-A01", "SEC-8888-A11", "SEC-8923", "SEC-8991-A02", "SEC-8991-A09", "SEC-8997", "SEC-8997-A03", "SEC-8998-A02", "SEC-8998-A04", "SEC-8999", "SEC-8999-A01", "SEC-8999-A03", "SEC-8999-A06", "SEC-9002-A01", "SEC-9002-A06", "SEC-9003", "SEC-9003-A01", "SEC-9007", "SEC-9007-A02", "SEC-9007-A05", "SEC-9009-A03", "SEC-9009-A04", "SEC-9009-A05", "SEC-9009-A06", "SEC-9019-A04", "SEC-9027", "SEC-9029", "SEC-9033-A01", "SEC-9033-A02", "SEC-9033-A04", "SEC-9033-A05", "SEC-9033-A06", "SEC-9035-A01", "SEC-9035-A06", "SEC-9036", "SEC-9039", "SEC-9039-A01", "SEC-9039-A04", "SEC-9045-A06", "SEC-9055", "SEC-9055-A01", "SEC-9062-A04", "SEC-9073-A10", "SEC-9107", "SEC-9107-A02", "SEC-9107-A03", "SEC-9110-A04", "SEC-9115", "SEC-9116-A01", "SEC-9116-A02", "SEC-9116-A03", "SEC-9116-A04", "SEC-9129", "SEC-9129-A07", "SEC-9129-A08", "SEC-9129-A09", "SEC-9135-A09", "SYS-002", "SYS-002-A05", "VUL-001", "VUL-001-A05" ], "member_count": 578, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.95, "source_meta_cluster": "M0", "cluster_size": 574, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates" }, { "id": "support_period_maintenance", "name": "Wartung waehrend des Support-Zeitraums", "description": "Festlegung und Umsetzung von Wartungs- und Pflegemassnahmen inkl. Haeufigkeit ueber den definierten Support-Zeitraum.", "tier": "LEGAL_MINIMUM", "subdomain": "support_period", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Art. 13(8)", "citation": "Bestimmung des Support-Zeitraums entsprechend der erwarteten Nutzungsdauer." } ], "guidance_basis": [], "member_review_units": [ "M0" ], "member_controls": [ "ACC-605-A06", "ACC-650-A06", "AI-1827-A04", "AI-462-A06", "AI-462-A07", "AI-462-A17", "AI-810-A12", "AI-810-A19", "AUTH-101-A19", "AUTH-101-A22", "AUTH-1086-A02", "AUTH-1086-A04", "AUTH-1090-A04", "AUTH-1520-A03", "AUTH-1538-A02", "AUTH-1538-A03", "AUTH-1538-A11", "AUTH-1630-A03", "AUTH-1630-A07", "AUTH-1710-A03", "AUTH-1742", "AUTH-1742-A02", "AUTH-1742-A03", "AUTH-1742-A04", "AUTH-1742-A05", "AUTH-1742-A06", "AUTH-1742-A07", "AUTH-1746", "AUTH-182", "AUTH-187-A05", "AUTH-1925-A02", "AUTH-1925-A06", "AUTH-197-A13", "AUTH-2480", "AUTH-2543", "AUTH-2563-A01", "AUTH-2563-A02", "AUTH-2679-A08", "AUTH-2913-A08", "AUTH-2942", "AUTH-2942-A01", "AUTH-2942-A06", "AUTH-2959", "AUTH-2998-A01", "AUTH-2998-A04", "AUTH-2998-A08", "AUTH-3009-A15", "AUTH-3169-A01", "AUTH-3169-A07", "AUTH-3649-A09", "AUTH-3704-A03", "AUTH-3704-A04", "AUTH-3823", "AUTH-3960", "AUTH-3961-A01", "AUTH-3974-A07", "AUTH-4034", "AUTH-4034-A01", "AUTH-4034-A04", "AUTH-4048-A02", "AUTH-513", "COMP-074-A05", "COMP-1052", "COMP-1123-A06", "COMP-1261-A01", "COMP-1907-A08", "COMP-2768-A01", "COMP-2969-A01", "COMP-2969-A02", "COMP-2969-A05", "COMP-2969-A06", "COMP-2969-A07", "COMP-2970-A03", "COMP-2970-A04", "COMP-2970-A05", "COMP-2991-A09", "COMP-3030-A09", "COMP-3360-A04", "COMP-3411-A04", "COMP-3411-A07", "COMP-3548-A07", "COMP-3990-A01", "COMP-4063-A10", "COMP-4119", "COMP-652", "COMP-652-A01", "COMP-652-A05", "COMP-995-A14", "COMP-995-A15", "CRYP-1332", "CRYP-1332-A03", "CRYP-1805-A06", "CRYP-1805-A12", "CRYP-1886-A03", "CRYP-2073-A03", "CRYP-2289-A10", "CRYP-2359-A02", "CRYP-2359-A07", "CRYP-2361-A12", "CRYP-415-A07", "CRYP-415-A30", "CRYP-415-A41", "CRYP-415-A49", "CRYP-723-A14", "CRYP-882-A05", "CRYP-882-A06", "CRYP-882-A14", "CRYP-882-A15", "CRYP-898-A03", "DATA-1435-A10", "DATA-1435-A11", "DATA-2374-A06", "DATA-2486-A02", "DATA-265-A07", "DATA-3995-A04", "DATA-4193-A01", "DATA-4193-A07", "DATA-4674-A07", "DATA-4679", "DATA-673-A05", "DATA-673-A10", "GOV-2281-A04", "GOV-2540-A07", "GOV-3106-A03", "GOV-3108-A01", "GOV-3108-A05", "HLT-018-A13", "HLT-114-A05", "HLT-114-A41", "HLT-372-A03", "HLT-519-A04", "HLT-519-A09", "INC-241", "LOG-1409-A04", "LOG-1410", "LOG-1410-A10", "LOG-1511-A10", "LOG-1547-A11", "LOG-1730-A05", "LOG-1730-A09", "LOG-1741-A01", "LOG-1741-A02", "LOG-1741-A05", "LOG-1741-A06", "LOG-1741-A08", "LOG-1749", "LOG-1759-A13", "LOG-1760", "LOG-1760-A01", "LOG-1760-A06", "LOG-1770-A06", "LOG-1774-A06", "LOG-1774-A11", "LOG-1838-A06", "LOG-2074-A06", "LOG-2074-A09", "LOG-2075", "LOG-2078", "LOG-2078-A03", "LOG-903-A06", "LOG-904-A02", "NET-077-A05", "NET-077-A23", "NET-1196-A12", "NET-1196-A13", "NET-125-A09", "NET-125-A17", "NET-1306-A04", "NET-1317-A02", "NET-1351-A10", "NET-1465-A05", "NET-1482-A12", "NET-1494-A12", "NET-1626-A12", "NET-1637-A03", "NET-1744", "NET-1744-A01", "NET-1841-A04", "NET-1841-A05", "NET-1856-A02", "NET-1858-A02", "NET-1864-A09", "NET-1864-A13", "NET-1868", "NET-1868-A07", "NET-248-A06", "NET-248-A12", "NET-373-A02", "NET-373-A10", "NET-476-A14", "NET-476-A83", "NET-892-A04", "NET-904-A05", "NET-981-A01", "NET-981-A09", "NET-981-A10", "OPS-003", "OPS-003-A01", "OPS-003-A02", "OPS-003-A05", "OPS-003-A06", "OPS-003-A09", "PCM-003", "PCM-003-A01", "PCM-003-A02", "SEC-1041", "SEC-1041-A01", "SEC-1041-A02", "SEC-1041-A03", "SEC-1041-A04", "SEC-1041-A05", "SEC-1041-A06", "SEC-1041-A07", "SEC-1042", "SEC-1042-A01", "SEC-1042-A02", "SEC-1042-A03", "SEC-1042-A04", "SEC-1042-A06", "SEC-110-A02", "SEC-110-A03", "SEC-110-A06", "SEC-120-A07", "SEC-120-A18", "SEC-1218-A03", "SEC-1218-A12", "SEC-1243-A03", "SEC-1243-A04", "SEC-1247-A02", "SEC-1252", "SEC-1254-A04", "SEC-1254-A07", "SEC-126", "SEC-126-A05", "SEC-132", "SEC-132-A05", "SEC-132-A12", "SEC-150", "SEC-171-A10", "SEC-171-A28", "SEC-171-A41", "SEC-179-A02", "SEC-179-A07", "SEC-182-A01", "SEC-182-A12", "SEC-195-A07", "SEC-195-A13", "SEC-279-A05", "SEC-279-A10", "SEC-295", "SEC-3019-A01", "SEC-3150-A02", "SEC-3150-A03", "SEC-3166-A01", "SEC-3166-A05", "SEC-3166-A06", "SEC-3167-A01", "SEC-3167-A02", "SEC-3169-A03", "SEC-3175", "SEC-3175-A01", "SEC-3175-A04", "SEC-3175-A06", "SEC-3175-A10", "SEC-3325-A08", "SEC-339-A08", "SEC-339-A09", "SEC-339-A19", "SEC-342-A10", "SEC-342-A26", "SEC-349", "SEC-3665", "SEC-3665-A01", "SEC-3665-A02", "SEC-3665-A05", "SEC-3676-A06", "SEC-3680-A04", "SEC-3680-A10", "SEC-3719-A05", "SEC-3725", "SEC-3725-A01", "SEC-3725-A02", "SEC-3725-A03", "SEC-3725-A04", "SEC-3740-A02", "SEC-3740-A05", "SEC-3740-A06", "SEC-3740-A07", "SEC-376", "SEC-3789-A01", "SEC-3789-A02", "SEC-3829-A01", "SEC-3829-A02", "SEC-3829-A03", "SEC-3829-A04", "SEC-3834-A01", "SEC-3834-A02", "SEC-3834-A03", "SEC-3834-A04", "SEC-3834-A06", "SEC-3834-A07", "SEC-3835-A04", "SEC-3838-A01", "SEC-3838-A02", "SEC-3838-A07", "SEC-3838-A08", "SEC-3838-A09", "SEC-3839-A04", "SEC-3839-A07", "SEC-3845-A10", "SEC-3847", "SEC-3847-A02", "SEC-3847-A05", "SEC-3858", "SEC-3875-A05", "SEC-3885-A01", "SEC-3885-A02", "SEC-3885-A04", "SEC-3928", "SEC-3928-A05", "SEC-3928-A06", "SEC-3931-A04", "SEC-3931-A11", "SEC-3936-A03", "SEC-3949-A05", "SEC-3963-A03", "SEC-3963-A04", "SEC-3963-A05", "SEC-3963-A06", "SEC-3970", "SEC-3970-A03", "SEC-3972-A01", "SEC-3972-A02", "SEC-3972-A06", "SEC-3972-A07", "SEC-3972-A09", "SEC-3972-A10", "SEC-3972-A13", "SEC-3974-A06", "SEC-3985-A02", "SEC-3995", "SEC-3995-A01", "SEC-3995-A02", "SEC-3995-A03", "SEC-3995-A04", "SEC-3995-A05", "SEC-3999", "SEC-3999-A01", "SEC-3999-A03", "SEC-4005-A01", "SEC-4005-A02", "SEC-4018-A03", "SEC-4081-A02", "SEC-4081-A03", "SEC-4191", "SEC-4191-A02", "SEC-4195", "SEC-4195-A02", "SEC-4195-A08", "SEC-4209-A03", "SEC-445", "SEC-4559-A01", "SEC-4567-A01", "SEC-4567-A06", "SEC-462-A12", "SEC-470", "SEC-4945-A04", "SEC-4966-A01", "SEC-4966-A09", "SEC-4970-A04", "SEC-4970-A17", "SEC-4988-A04", "SEC-5109", "SEC-5109-A01", "SEC-5109-A02", "SEC-5528", "SEC-5528-A01", "SEC-5532-A02", "SEC-5541-A03", "SEC-5640-A08", "SEC-5640-A09", "SEC-5748", "SEC-5767-A02", "SEC-5769-A05", "SEC-5770", "SEC-5804-A07", "SEC-5818", "SEC-5818-A10", "SEC-5835", "SEC-5835-A01", "SEC-5835-A05", "SEC-5850-A03", "SEC-5850-A06", "SEC-5851-A01", "SEC-5851-A02", "SEC-5851-A03", "SEC-5851-A04", "SEC-5851-A12", "SEC-5908", "SEC-5909", "SEC-5912-A01", "SEC-5912-A03", "SEC-5921-A02", "SEC-5921-A07", "SEC-5923-A04", "SEC-5923-A05", "SEC-5924-A02", "SEC-5925-A02", "SEC-5930-A08", "SEC-5931", "SEC-5934-A04", "SEC-5941-A02", "SEC-5941-A03", "SEC-5941-A06", "SEC-5941-A07", "SEC-5941-A08", "SEC-5947-A06", "SEC-5947-A07", "SEC-5954-A04", "SEC-6092-A03", "SEC-6096-A03", "SEC-6098", "SEC-6105-A01", "SEC-6105-A03", "SEC-6105-A04", "SEC-6105-A08", "SEC-6105-A12", "SEC-6224", "SEC-6431-A07", "SEC-6431-A08", "SEC-6440-A02", "SEC-6815-A03", "SEC-6889-A01", "SEC-6890-A01", "SEC-691", "SEC-6913-A02", "SEC-6928-A04", "SEC-6928-A10", "SEC-6928-A13", "SEC-6991-A01", "SEC-6993-A01", "SEC-6996", "SEC-7016", "SEC-7018-A05", "SEC-7024-A02", "SEC-7026-A01", "SEC-7026-A06", "SEC-7037-A04", "SEC-7037-A06", "SEC-7044", "SEC-7049", "SEC-7056-A05", "SEC-7056-A10", "SEC-7056-A11", "SEC-7060-A02", "SEC-7060-A07", "SEC-7067-A01", "SEC-7077", "SEC-7077-A01", "SEC-7082-A01", "SEC-7084", "SEC-7097-A01", "SEC-710", "SEC-7100-A01", "SEC-7109-A01", "SEC-7109-A06", "SEC-7110-A01", "SEC-7113", "SEC-7117-A02", "SEC-7117-A08", "SEC-7128-A07", "SEC-7237-A03", "SEC-7577-A02", "SEC-7581-A01", "SEC-7621-A04", "SEC-7678", "SEC-7803-A08", "SEC-8324", "SEC-8324-A09", "SEC-8326", "SEC-8326-A01", "SEC-8326-A02", "SEC-8326-A06", "SEC-8326-A07", "SEC-8327-A01", "SEC-8334-A01", "SEC-8334-A02", "SEC-8334-A10", "SEC-8801-A05", "SEC-8801-A08", "SEC-8801-A09", "SEC-8801-A10", "SEC-8806", "SEC-8829-A03", "SEC-8839", "SEC-8842", "SEC-8842-A01", "SEC-8842-A03", "SEC-8842-A04", "SEC-8842-A05", "SEC-8842-A08", "SEC-8842-A09", "SEC-8842-A10", "SEC-8842-A11", "SEC-8842-A12", "SEC-8842-A14", "SEC-8871", "SEC-8871-A01", "SEC-8871-A04", "SEC-8871-A06", "SEC-8871-A07", "SEC-8871-A08", "SEC-8871-A09", "SEC-8880", "SEC-8888-A01", "SEC-8888-A11", "SEC-8923", "SEC-8991-A02", "SEC-8991-A09", "SEC-8997", "SEC-8997-A03", "SEC-8998-A02", "SEC-8998-A04", "SEC-8999", "SEC-8999-A01", "SEC-8999-A03", "SEC-8999-A06", "SEC-9002-A01", "SEC-9002-A06", "SEC-9003", "SEC-9003-A01", "SEC-9007", "SEC-9007-A02", "SEC-9007-A05", "SEC-9009-A03", "SEC-9009-A04", "SEC-9009-A05", "SEC-9009-A06", "SEC-9019-A04", "SEC-9029", "SEC-9033-A01", "SEC-9033-A02", "SEC-9033-A04", "SEC-9033-A05", "SEC-9033-A06", "SEC-9035-A01", "SEC-9035-A06", "SEC-9036", "SEC-9039", "SEC-9039-A01", "SEC-9039-A04", "SEC-9045-A06", "SEC-9055", "SEC-9055-A01", "SEC-9062-A04", "SEC-9073-A10", "SEC-9107", "SEC-9107-A02", "SEC-9107-A03", "SEC-9110-A04", "SEC-9115", "SEC-9116-A01", "SEC-9116-A02", "SEC-9116-A03", "SEC-9116-A04", "SEC-9129", "SEC-9129-A07", "SEC-9129-A08", "SEC-9129-A09", "SEC-9135-A09", "SYS-002", "SYS-002-A05", "VUL-001", "VUL-001-A05" ], "member_count": 574, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.85, "source_meta_cluster": "M0", "cluster_size": 574, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates" }, { "id": "signed_update_integrity", "name": "Signierte und integritaetsgeschuetzte Update-Pakete", "description": "Update-Pakete werden digital signiert; Integritaet und Authentizitaet (inkl. Boot-/Firmware) werden vor der Installation verifiziert; unsignierte oder manipulierte Updates werden abgelehnt.", "tier": "LEGAL_MINIMUM", "subdomain": "update_integrity", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(3)(f)", "citation": "Schutz der Integritaet von Daten, Befehlen und Konfigurationen vor Manipulation." } ], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-147 BIOS Protection", "role": "best_practice" } ], "member_review_units": [ "M8", "M5", "M11", "M13" ], "member_controls": [ "CRYP-127-A10", "FWU-003", "FWU-003-A01", "FWU-003-A04", "LOG-1782-A02", "NET-981-A07", "SEC-1083-A01", "SEC-1083-A04", "SEC-1083-A06", "SEC-1083-A09", "SEC-1083-A10", "SEC-1170-A02", "SEC-1170-A12", "SEC-1170-A18", "SEC-1170-A28", "SEC-1170-A34", "SEC-1170-A44", "SEC-1170-A50", "SEC-1170-A60", "SEC-1170-A66", "SEC-3150-A04", "SEC-3169", "SEC-3175-A07", "SEC-3740-A01", "SEC-3740-A03", "SEC-3740-A04", "SEC-3740-A08", "SEC-3740-A09", "SEC-3834", "SEC-3838", "SEC-3838-A10", "SEC-3838-A11", "SEC-3839", "SEC-3854", "SEC-3885", "SEC-3885-A05", "SEC-3933-A01", "SEC-3936", "SEC-3936-A01", "SEC-3936-A02", "SEC-3937-A01", "SEC-3963", "SEC-3963-A01", "SEC-3972-A05", "SEC-3972-A12", "SEC-3999-A04", "SEC-4005", "SEC-4018-A02", "SEC-6993-A02", "SEC-7077-A03", "SEC-7109", "SEC-7109-A02", "SEC-7621-A08", "SEC-8998-A01", "SEC-9002-A10", "SEC-9007-A01", "SEC-9007-A04", "UPD-004-A07" ], "member_count": 58, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.9, "source_meta_cluster": "M8", "cluster_size": 37, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates", "capability_candidate": true }, { "id": "trusted_update_source", "name": "Vertrauenswuerdige und zugriffsbeschraenkte Update-Quelle", "description": "Firmware-/Software-Updates werden nur aus vertrauenswuerdigen Quellen bezogen; der Update-Bereitstellungskanal und die Quelle sind zugriffsbeschraenkt und abgesichert; Versions-Downgrades werden verhindert.", "tier": "LEGAL_MINIMUM", "subdomain": "update_channel_security", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(3)(d)", "citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen." } ], "guidance_basis": [ { "source": "BSI", "anchor": "SYS.4.4 IoT", "role": "best_practice" } ], "member_review_units": [ "M8", "M13" ], "member_controls": [ "FWU-003", "FWU-003-A01", "FWU-003-A04", "LOG-1782-A02", "SEC-1083-A01", "SEC-1083-A04", "SEC-1083-A06", "SEC-1083-A09", "SEC-1083-A10", "SEC-3150-A04", "SEC-3169", "SEC-3175-A07", "SEC-3740-A01", "SEC-3740-A03", "SEC-3740-A04", "SEC-3740-A08", "SEC-3740-A09", "SEC-3834", "SEC-3838", "SEC-3838-A10", "SEC-3838-A11", "SEC-3839", "SEC-3885", "SEC-3885-A05", "SEC-3933-A01", "SEC-3936", "SEC-3936-A01", "SEC-3936-A02", "SEC-3937-A01", "SEC-3963", "SEC-3963-A01", "SEC-3972-A05", "SEC-3972-A12", "SEC-4005", "SEC-6993-A02", "SEC-7109-A02", "SEC-7621-A08", "SEC-8998-A01", "SEC-9002-A10", "SEC-9007-A01", "SEC-9007-A04", "UPD-004-A07" ], "member_count": 42, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.85, "source_meta_cluster": "M8", "cluster_size": 37, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates", "capability_candidate": true }, { "id": "update_testing_validation", "name": "Test und Validierung von Updates", "description": "Updates werden vor Verteilung in isolierten Testumgebungen getestet und validiert; manipulierte und unvollstaendige Update-Pakete werden in Tests erkannt; Funktionsfaehigkeit nach Update wird geprueft.", "tier": "BEST_PRACTICE", "subdomain": "update_testing", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-40 Test before deploy", "role": "best_practice" }, { "source": "ISO", "anchor": "ISO/IEC 27001 A.8.32", "role": "best_practice" } ], "member_review_units": [ "M1", "M13" ], "member_controls": [ "AUTH-1742-A10", "COMP-2768-A06", "COMP-2768-A07", "CRYP-1332-A08", "CRYP-504-A07", "CRYP-504-A17", "CRYP-504-A24", "GOV-2540-A08", "HSM-003-A01", "HSM-003-A08", "ROT-005-A01", "SEC-3665-A06", "SEC-3847-A03", "SEC-3885-A03", "SEC-3928-A01", "SEC-3970-A09", "SEC-3972", "SEC-430-A29", "SEC-7067-A11", "SEC-7621-A08", "SEC-8998-A01", "SEC-9002-A10", "SEC-9007-A01", "SEC-9019-A06", "UPD-004-A07" ], "member_count": 25, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.8, "source_meta_cluster": "M1", "cluster_size": 20, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates", "capability_candidate": true }, { "id": "update_rollback", "name": "Rollback-Prozess fuer Updates", "description": "Dokumentierter und getesteter Rollback-Prozess fuer fehlerhafte Firmware-/Software-Updates; unvollstaendige Updates werden blockiert und Update-Ereignisse explizit bestaetigt.", "tier": "BEST_PRACTICE", "subdomain": "update_rollback", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-40 Rollback", "role": "best_practice" } ], "member_review_units": [ "M1", "M11" ], "member_controls": [ "AUTH-1742-A10", "COMP-2768-A06", "COMP-2768-A07", "CRYP-1332-A08", "CRYP-504-A07", "CRYP-504-A17", "CRYP-504-A24", "GOV-2540-A08", "HSM-003-A01", "HSM-003-A08", "ROT-005-A01", "SEC-3665-A06", "SEC-3847-A03", "SEC-3885-A03", "SEC-3928-A01", "SEC-3970-A09", "SEC-3972", "SEC-3999-A04", "SEC-4018-A02", "SEC-430-A29", "SEC-7067-A11", "SEC-7077-A03", "SEC-9019-A06" ], "member_count": 23, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.75, "source_meta_cluster": "M1", "cluster_size": 20, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates", "capability_candidate": true }, { "id": "automatic_updates_optout", "name": "Automatische Updates mit Standardaktivierung und Opt-out", "description": "Automatische Sicherheitsupdates sind standardmaessig aktiviert mit sicherer Standardkonfiguration; eine Funktion zur Deaktivierung (Opt-out) wird bereitgestellt.", "tier": "LEGAL_MINIMUM", "subdomain": "automatic_updates", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (2)(c)", "citation": "Sicherheitsupdates werden, soweit moeglich, automatisch installiert mit Opt-out-Moeglichkeit des Nutzers." } ], "guidance_basis": [], "member_review_units": [ "M12", "M9" ], "member_controls": [ "SEC-1494-A02", "SEC-4195-A01", "SEC-4984-A03", "SEC-580", "SEC-9025", "SEC-9110-A01" ], "member_count": 6, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.9, "source_meta_cluster": "M12", "cluster_size": 5, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates", "capability_candidate": true }, { "id": "update_risk_assessment", "name": "Risikobeurteilung der Update-Pflicht", "description": "Risikobeurteilung des Herstellers zur Bestimmung notwendiger Sicherheitsupdates, einschliesslich Behandlung von Software ohne Sicherheitsupdates.", "tier": "LEGAL_MINIMUM", "subdomain": "risk_assessment", "applicability": "universal", "evidence_facets": { "governance": true, "capability": false, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(2)", "citation": "Cybersicherheits-Risikobeurteilung als Grundlage fuer Schwachstellenbehandlung." } ], "guidance_basis": [], "member_review_units": [ "M3" ], "member_controls": [ "COMP-745", "NET-790-A02" ], "member_count": 2, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.8, "source_meta_cluster": "M3", "cluster_size": 2, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates" }, { "id": "secure_modification_control", "name": "Kontrolle sicherheitsrelevanter Updates an Lifecycle-Objekten", "description": "Schreibzugriff auf sicherheitskritische Lifecycle-Objekte (z.B. EF.SecModLifeCycle) ist nur im Rahmen validierter Firmware-Updates moeglich; Schreibzugriff ohne Update wird abgelehnt.", "tier": "BEST_PRACTICE", "subdomain": "lifecycle_access_control", "applicability": "conditional:secure_element_or_smartcard", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "IMPLEMENTATION", "legal_basis": [], "guidance_basis": [ { "source": "BSI", "anchor": "TR-03110 / SecMod Lifecycle", "role": "best_practice" } ], "member_review_units": [ "M10" ], "member_controls": [ "SEC-3738-A03", "SEC-3738-A08", "SEC-3738-A09" ], "member_count": 3, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.7, "source_meta_cluster": "M10", "cluster_size": 3, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "updates" } ], "relationships": [ { "type": "supports", "from": "signed_update_integrity", "to": "provide_security_updates", "note": "Integritaetsschutz sichert die Update-Bereitstellung ab." }, { "type": "supports", "from": "trusted_update_source", "to": "provide_security_updates", "note": "Vertrauenswuerdige Quelle als Voraussetzung sicherer Updates." }, { "type": "produces_evidence_for", "from": "update_testing_validation", "to": "provide_security_updates", "note": "Testnachweise belegen Wirksamkeit der Updates." }, { "type": "supports", "from": "update_rollback", "to": "provide_security_updates", "note": "Rollback sichert Update-Prozess gegen Fehler ab." }, { "type": "implements", "from": "automatic_updates_optout", "to": "provide_security_updates", "note": "Automatische Installation konkretisiert Bereitstellungspflicht." }, { "type": "depends_on", "from": "provide_security_updates", "to": "update_risk_assessment", "note": "Updatebedarf folgt aus Risikobeurteilung." }, { "type": "depends_on", "from": "support_period_maintenance", "to": "provide_security_updates", "note": "Wartung definiert den Bereitstellungszeitraum." }, { "type": "derived_from", "from": "secure_modification_control", "to": "signed_update_integrity", "note": "Spezialfall validierter Schreibzugriff via Firmware-Update." }, { "type": "out_of_scope", "review_units": [ "M4", "M7" ], "note": "M4 (digitale Veraenderungen allgemein) und M7 (TLS-Proxy-Kanalverwaltung) betreffen Konfigurations-/Netzwerkmanagement, nicht die Update-/Patch-Pflicht im engeren Sinne." } ] }