{ "schema_version": "obligation_registry_v1", "regulation": "CRA", "regulation_code": "CRA", "family": "remote_access", "theme": "Sichere Fernwartung / Remote Access (CRA Annex I)", "generated_by": "obligation_discovery/claude-opus-4-8", "synthesis_version": "v1", "citation_status": "pending_span_anchor", "curation": { "curated_by": "obligation-registry-session 2026-06-25", "method": "two-stage clustering (445->209 micro->27 review-units) -> Opus synthesis -> key-free re-tier", "scope_controls": 445, "micro_clusters": 209, "review_units": 27, "obligations": 18, "tier_split": { "LEGAL_MINIMUM": 5, "BEST_PRACTICE": 13 }, "out_of_scope": [ "M5/M11 = physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen (MaschinenVO 2023/1230)" ], "retier_rule": "Synthese vergab 14 LM. Kuriert nach der Auth-Regel: nur OUTCOME-Pflichten je CRA-Annex-I-Buchstabe bleiben LEGAL_MINIMUM (confidentiality/integrity, access-control/least-privilege, attack-surface-min, logging, vuln-patch); spezifische MECHANISMEN/Sub-Praktiken (MFA, Session-Timeout, VPN/TLS, insecure-protocol-block, OT-Validierung, Wartungs-Governance, temporaerer Zugriff, Daten-Export, Komponenten-Interface) -> BEST_PRACTICE + guidance_basis + supports-Kante zur Eltern-LM.", "anchor_quality": "legal_basis-Buchstaben sind APPROXIMATIV (Opus): Verschluesselung als (b) statt (e), Logging als (g)/(k) statt (l), Attack-Surface als (a) statt (j). CRA Annex I Part I (2): (d)=Zugriffsschutz, (e)=Vertraulichkeit, (f)=Integritaet, (j)=Angriffsflaeche, (l)=Logging. Span-genaue Korrektur mit Re-Ingest. NICHT auf Buchstaben joinen.", "borderline": [ "remote_access_data_export_protection (evtl. LM unter (g) Datenminimierung)", "component_remote_interface_security (ueberlappt attack_surface_min)" ] }, "obligations": [ { "id": "remote_access_control_least_privilege", "name": "Zugriffskontrolle und Least Privilege fuer Fernzugriff", "description": "Fernzugriff auf Systeme ist zu konfigurieren und zu kontrollieren nach dem Prinzip der minimalen Rechtevergabe; privilegierte Befehle ueber Fernzugriff sind zu beschraenken und Zugriffsgenehmigungen pro Benutzer/Zielressource festzulegen.", "tier": "LEGAL_MINIMUM", "subdomain": "access_control", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(2)(d)", "citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen (Authentifizierung, Identitaets- und Zugriffsmanagement)" } ], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-53 AC-3/AC-6/AC-17", "role": "best_practice" } ], "member_review_units": [ "M0", "M13" ], "member_controls": [ "ACC-0404-A02", "ACC-0404-A06", "ACC-0405-A02", "ACC-0406-A02", "ACC-0406-A03", "ACC-0406-A04", "ACC-0406-A05", "ACC-0407-A03", "ACC-0407-A04", "ACC-0409-A01", "ACC-0409-A05", "ACC-0409-A06", "ACC-163-A24", "ACC-584", "ACC-584-A01", "ACC-584-A02", "ACC-584-A06", "ACC-584-A07", "ACC-584-A08", "AI-067-A08", "AI-067-A20", "AI-084-A37", "AI-099-A27", "AI-101-A22", "AI-117-A09", "AI-117-A25", "AI-118-A29", "AI-120-A27", "AI-126-A21", "AI-1263", "AI-195-A12", "AUTH-1446-A03", "AUTH-2338-A04", "AUTH-2338-A09", "AUTH-2386", "AUTH-2386-A01", "AUTH-2386-A02", "AUTH-2413", "AUTH-2413-A01", "AUTH-2413-A02", "AUTH-2419-A07", "AUTH-2421-A01", "AUTH-2421-A02", "AUTH-2421-A03", "AUTH-2421-A04", "AUTH-2461", "AUTH-2461-A01", "AUTH-3825-A08", "AUTH-3887-A01", "AUTH-3928-A08", "AUTH-3928-A09", "AUTH-586", "AUTH-586-A01", "AUTH-586-A03", "AUTH-586-A04", "AUTH-909-A10", "AUTH-909-A20", "AUTH-909-A30", "AUTH-909-A40", "AUTH-909-A50", "COMP-001-A81", "COMP-043-A23", "COMP-096-A26", "COMP-1054-A08", "COMP-1212-A13", "COMP-1212-A27", "COMP-1212-A39", "COMP-1212-A53", "COMP-1212-A69", "COMP-1240-A31", "COMP-372-A11", "COMP-383-A07", "COMP-383-A14", "COMP-430-A09", "COMP-449-A12", "COMP-449-A25", "COMP-498-A01", "COMP-592-A09", "COMP-592-A21", "COMP-707-A15", "COMP-711-A07", "COMP-932-A11", "COMP-932-A23", "COMP-995-A13", "COMP-995-A22", "CRYP-127-A03", "CRYP-127-A04", "CRYP-127-A05", "CRYP-127-A06", "CRYP-1700-A01", "CRYP-1700-A02", "CRYP-1701-A01", "CRYP-1725-A04", "CRYP-1725-A05", "CRYP-1725-A06", "CRYP-1725-A07", "CRYP-1726", "CRYP-1726-A01", "CRYP-182", "CRYP-182-A01", "CRYP-182-A03", "CRYP-182-A04", "CRYP-182-A05", "CRYP-191-A04", "CRYP-191-A05", "CRYP-191-A06", "CRYP-194-A07", "CRYP-1988-A07", "CRYP-210", "CRYP-210-A01", "CRYP-210-A02", "CRYP-210-A03", "CRYP-210-A04", "CRYP-210-A05", "CRYP-210-A09", "CRYP-210-A10", "CRYP-210-A11", "CRYP-2191-A12", "CRYP-245", "CRYP-245-A01", "CRYP-245-A02", "CRYP-289", "CRYP-289-A01", "CRYP-289-A02", "CRYP-289-A04", "CRYP-289-A05", "CRYP-289-A06", "CRYP-289-A10", "DATA-119-A23", "DATA-4067-A03", "DATA-554-A03", "DATA-700-A12", "FIN-101-A13", "FIN-101-A29", "FIN-101-A45", "FIN-101-A62", "FIN-101-A78", "FIN-101-A95", "FIN-258-A19", "FIN-340-A11", "FIN-340-A25", "FIN-340-A39", "FIN-340-A53", "FIN-340-A67", "GOV-0665-A07", "GOV-0665-A18", "GOV-0665-A25", "GOV-0665-A37", "GOV-191-A07", "GOV-191-A17", "GOV-277-A05", "GOV-277-A06", "GOV-3066", "GOV-413-A05", "GOV-413-A09", "GOV-413-A14", "GOV-413-A18", "GOV-524-A04", "GOV-524-A05", "GOV-524-A31", "GOV-561-A07", "LOG-072-A22", "LOG-1361-A01", "LOG-1385-A02", "LOG-1486-A06", "LOG-1506-A03", "LOG-1549-A10", "LOG-1692", "LOG-1692-A01", "LOG-1692-A02", "LOG-1692-A03", "LOG-1692-A04", "LOG-266", "LOG-353-A07", "LOG-353-A08", "LOG-353-A13", "LOG-353-A18", "LOG-445-A06", "LOG-445-A10", "LOG-445-A16", "LOG-445-A20", "LOG-471-A01", "LOG-471-A05", "LOG-741-A24", "NET-041-A07", "NET-041-A17", "NET-047-A05", "NET-047-A06", "NET-047-A15", "NET-047-A16", "NET-0673-A02", "NET-0673-A05", "NET-0673-A09", "NET-073-A08", "NET-073-A22", "NET-078-A05", "NET-078-A16", "NET-082-A04", "NET-091-A02", "NET-091-A03", "NET-091-A04", "NET-091-A05", "NET-091-A13", "NET-091-A14", "NET-091-A15", "NET-091-A16", "NET-093-A09", "NET-093-A22", "NET-1147-A10", "NET-1243-A05", "NET-1344-A05", "NET-1356-A03", "NET-1461-A03", "NET-1626-A17", "NET-266-A15", "NET-277-A04", "NET-277-A05", "NET-277-A13", "NET-277-A14", "NET-326", "NET-329-A10", "NET-329-A22", "NET-336-A03", "NET-336-A12", "NET-375", "NET-375-A02", "NET-375-A04", "NET-375-A08", "NET-375-A10", "NET-382-A12", "NET-382-A24", "NET-416", "NET-416-A14", "NET-441-A01", "NET-441-A06", "NET-441-A07", "NET-441-A12", "NET-543-A04", "NET-543-A77", "SEC-049-A12", "SEC-156-A16", "SEC-156-A30", "SEC-182-A07", "SEC-182-A08", "SEC-182-A16", "SEC-182-A17", "SEC-297-A09", "SEC-297-A19", "SEC-3193-A05", "SEC-338-A11", "SEC-338-A22", "SEC-3855-A05", "SEC-386", "SEC-386-A01", "SEC-386-A03", "SEC-386-A05", "SEC-386-A06", "SEC-386-A07", "SEC-386-A09", "SEC-386-A11", "SEC-386-A13", "SEC-386-A14", "SEC-386-A15", "SEC-386-A16", "SEC-4874-A03", "SEC-4874-A05", "SEC-5814", "SEC-5843", "SEC-6093-A01", "SEC-6762", "SEC-6762-A02", "SEC-6795-A03", "SEC-6795-A06", "SEC-8179-A04", "SEC-839-A19", "SEC-8507", "SEC-8885-A22" ], "member_count": 277, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.92, "source_meta_cluster": "M0", "cluster_size": 274, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_confidentiality_integrity", "name": "Vertraulichkeit und Integritaet des Fernzugriffs", "description": "Vertraulichkeit und Integritaet von Remote-Zugriffsverbindungen sind sicherzustellen.", "tier": "LEGAL_MINIMUM", "subdomain": "access_control", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(2)(b)(c)", "citation": "Schutz der Vertraulichkeit und Integritaet von Daten und Befehlen" } ], "guidance_basis": [], "member_review_units": [ "M0" ], "member_controls": [ "ACC-0404-A02", "ACC-0404-A06", "ACC-0405-A02", "ACC-0406-A02", "ACC-0406-A03", "ACC-0406-A04", "ACC-0406-A05", "ACC-0407-A03", "ACC-0407-A04", "ACC-0409-A01", "ACC-0409-A05", "ACC-0409-A06", "ACC-163-A24", "ACC-584", "ACC-584-A01", "ACC-584-A02", "ACC-584-A06", "ACC-584-A07", "ACC-584-A08", "AI-067-A08", "AI-067-A20", "AI-084-A37", "AI-099-A27", "AI-101-A22", "AI-117-A09", "AI-117-A25", "AI-118-A29", "AI-120-A27", "AI-126-A21", "AI-1263", "AI-195-A12", "AUTH-1446-A03", "AUTH-2338-A04", "AUTH-2338-A09", "AUTH-2386", "AUTH-2386-A01", "AUTH-2386-A02", "AUTH-2413", "AUTH-2413-A01", "AUTH-2413-A02", "AUTH-2419-A07", "AUTH-2421-A01", "AUTH-2421-A02", "AUTH-2421-A03", "AUTH-2421-A04", "AUTH-2461", "AUTH-2461-A01", "AUTH-3825-A08", "AUTH-3887-A01", "AUTH-3928-A08", "AUTH-3928-A09", "AUTH-586", "AUTH-586-A01", "AUTH-586-A03", "AUTH-586-A04", "AUTH-909-A10", "AUTH-909-A20", "AUTH-909-A30", "AUTH-909-A40", "AUTH-909-A50", "COMP-001-A81", "COMP-043-A23", "COMP-096-A26", "COMP-1054-A08", "COMP-1212-A13", "COMP-1212-A27", "COMP-1212-A39", "COMP-1212-A53", "COMP-1212-A69", "COMP-1240-A31", "COMP-372-A11", "COMP-383-A07", "COMP-383-A14", "COMP-430-A09", "COMP-449-A12", "COMP-449-A25", "COMP-498-A01", "COMP-592-A09", "COMP-592-A21", "COMP-707-A15", "COMP-711-A07", "COMP-932-A11", "COMP-932-A23", "COMP-995-A13", "COMP-995-A22", "CRYP-127-A03", "CRYP-127-A04", "CRYP-127-A05", "CRYP-127-A06", "CRYP-1700-A01", "CRYP-1700-A02", "CRYP-1701-A01", "CRYP-1725-A04", "CRYP-1725-A05", "CRYP-1725-A06", "CRYP-1725-A07", "CRYP-1726", "CRYP-1726-A01", "CRYP-182", "CRYP-182-A01", "CRYP-182-A03", "CRYP-182-A04", "CRYP-182-A05", "CRYP-191-A04", "CRYP-191-A05", "CRYP-191-A06", "CRYP-194-A07", "CRYP-1988-A07", "CRYP-210", "CRYP-210-A01", "CRYP-210-A02", "CRYP-210-A03", "CRYP-210-A04", "CRYP-210-A05", "CRYP-210-A09", "CRYP-210-A10", "CRYP-210-A11", "CRYP-2191-A12", "CRYP-245", "CRYP-245-A01", "CRYP-245-A02", "CRYP-289", "CRYP-289-A01", "CRYP-289-A02", "CRYP-289-A04", "CRYP-289-A05", "CRYP-289-A06", "CRYP-289-A10", "DATA-119-A23", "DATA-4067-A03", "DATA-554-A03", "DATA-700-A12", "FIN-101-A13", "FIN-101-A29", "FIN-101-A45", "FIN-101-A62", "FIN-101-A78", "FIN-101-A95", "FIN-258-A19", "FIN-340-A11", "FIN-340-A25", "FIN-340-A39", "FIN-340-A53", "FIN-340-A67", "GOV-0665-A07", "GOV-0665-A18", "GOV-0665-A25", "GOV-0665-A37", "GOV-191-A07", "GOV-191-A17", "GOV-277-A05", "GOV-277-A06", "GOV-3066", "GOV-413-A05", "GOV-413-A09", "GOV-413-A14", "GOV-413-A18", "GOV-524-A04", "GOV-524-A05", "GOV-524-A31", "GOV-561-A07", "LOG-072-A22", "LOG-1361-A01", "LOG-1385-A02", "LOG-1486-A06", "LOG-1506-A03", "LOG-1549-A10", "LOG-1692", "LOG-1692-A01", "LOG-1692-A02", "LOG-1692-A03", "LOG-1692-A04", "LOG-266", "LOG-353-A07", "LOG-353-A08", "LOG-353-A13", "LOG-353-A18", "LOG-445-A06", "LOG-445-A10", "LOG-445-A16", "LOG-445-A20", "LOG-471-A01", "LOG-471-A05", "LOG-741-A24", "NET-041-A07", "NET-041-A17", "NET-047-A05", "NET-047-A06", "NET-047-A15", "NET-047-A16", "NET-0673-A02", "NET-0673-A05", "NET-0673-A09", "NET-073-A08", "NET-073-A22", "NET-078-A05", "NET-078-A16", "NET-082-A04", "NET-091-A02", "NET-091-A03", "NET-091-A04", "NET-091-A05", "NET-091-A13", "NET-091-A14", "NET-091-A15", "NET-091-A16", "NET-093-A09", "NET-093-A22", "NET-1243-A05", "NET-1344-A05", "NET-1461-A03", "NET-1626-A17", "NET-266-A15", "NET-277-A04", "NET-277-A05", "NET-277-A13", "NET-277-A14", "NET-326", "NET-329-A10", "NET-329-A22", "NET-336-A03", "NET-336-A12", "NET-375", "NET-375-A02", "NET-375-A04", "NET-375-A08", "NET-375-A10", "NET-382-A12", "NET-382-A24", "NET-416", "NET-416-A14", "NET-441-A01", "NET-441-A06", "NET-441-A07", "NET-441-A12", "NET-543-A04", "NET-543-A77", "SEC-049-A12", "SEC-156-A16", "SEC-156-A30", "SEC-182-A07", "SEC-182-A08", "SEC-182-A16", "SEC-182-A17", "SEC-297-A09", "SEC-297-A19", "SEC-338-A11", "SEC-338-A22", "SEC-3855-A05", "SEC-386", "SEC-386-A01", "SEC-386-A03", "SEC-386-A05", "SEC-386-A06", "SEC-386-A07", "SEC-386-A09", "SEC-386-A11", "SEC-386-A13", "SEC-386-A14", "SEC-386-A15", "SEC-386-A16", "SEC-4874-A03", "SEC-4874-A05", "SEC-5814", "SEC-5843", "SEC-6093-A01", "SEC-6762", "SEC-6762-A02", "SEC-6795-A03", "SEC-6795-A06", "SEC-8179-A04", "SEC-839-A19", "SEC-8507", "SEC-8885-A22" ], "member_count": 274, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.9, "source_meta_cluster": "M0", "cluster_size": 274, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_session_management", "name": "Sitzungsmanagement und automatische Trennung", "description": "Fernzugriffssitzungen muessen Timeouts haben und nach Abschluss bzw. Inaktivitaet automatisch getrennt werden.", "tier": "BEST_PRACTICE", "subdomain": "session_management", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-53 AC-12", "role": "best_practice" } ], "member_review_units": [ "M1" ], "member_controls": [ "AUTH-2419-A01", "AUTH-2419-A02", "CRYP-1700-A04", "CRYP-1700-A05", "CRYP-1725-A01", "CRYP-1938-A09", "LOG-1506-A04", "NET-041-A06", "NET-041-A16", "NET-1344-A02", "NET-1626-A01", "NET-1626-A11", "NET-336", "NET-336-A09", "NET-336-A16", "SEC-3855-A03", "SEC-3855-A06", "SEC-3870-A01", "SEC-3870-A02", "SEC-6795-A01", "SEC-6795-A04", "SEC-6808-A01", "SEC-8327-A10" ], "member_count": 23, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.88, "source_meta_cluster": "M1", "cluster_size": 23, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_mfa", "name": "Multi-Faktor-Authentifizierung fuer Fernzugriff", "description": "Fuer alle Fernzugriffssessions, insbesondere privilegierte Konten, ist MFA zu erzwingen.", "tier": "BEST_PRACTICE", "subdomain": "authentication", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-53 IA-2", "role": "best_practice" } ], "member_review_units": [ "M2" ], "member_controls": [ "AUTH-2461-A05", "AUTH-3915-A07", "AUTH-3980-A05", "AUTH-894-A03", "AUTH-894-A08", "AUTH-894-A14", "AUTH-894-A19", "AUTH-894-A24", "CRYP-1700", "CRYP-1938-A02", "NET-082-A05", "NET-082-A17", "NET-082-A18", "NET-1787", "NET-1787-A11", "NET-375-A07", "SEC-3870", "SEC-6795-A02", "SEC-8334-A06" ], "member_count": 19, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.93, "source_meta_cluster": "M2", "cluster_size": 19, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_encryption", "name": "Verschluesselung der Fernzugriffsverbindungen", "description": "Fernzugriffe muessen verschluesselt erfolgen (VPN/Tunnel-Modus, TLS, Client-Zertifikate).", "tier": "BEST_PRACTICE", "subdomain": "cryptography", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "BSI", "anchor": "IT-Grundschutz NET.3.3", "role": "best_practice" } ], "member_review_units": [ "M6", "M21", "M23", "M25" ], "member_controls": [ "CRYP-1700-A03", "CRYP-1701", "CRYP-1732-A05", "CRYP-1988-A03", "CRYP-2191-A03", "CRYP-2191-A04", "NET-053-A05", "NET-053-A13", "NET-122-A03", "NET-122-A11", "NET-1461", "NET-1461-A01", "NET-1461-A02", "NET-1461-A05", "NET-266-A16", "NET-336-A07", "NET-336-A15", "SEC-3220-A05", "SEC-5858-A01", "SEC-5858-A05", "SEC-6712-A03", "SEC-8327-A04", "SEC-8334-A13" ], "member_count": 23, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.91, "source_meta_cluster": "M6", "cluster_size": 15, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "reject_insecure_remote_protocols", "name": "Verbot unsicherer Fernzugriffsprotokolle", "description": "Unsichere/unverschluesselte Fernzugriffsprotokolle sind zu unterlassen bzw. zu blockieren.", "tier": "BEST_PRACTICE", "subdomain": "cryptography", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SC-8", "role": "best_practice" } ], "member_review_units": [ "M7", "M12" ], "member_controls": [ "CRYP-1726-A02", "LOG-266-A10", "NET-1461-A06", "SEC-8593-A10" ], "member_count": 4, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.85, "source_meta_cluster": "M7", "cluster_size": 1, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_logging_audit", "name": "Protokollierung und Audit von Fernzugriffen", "description": "Fernwartungs- und Diagnoseaktivitaeten sind mit Zeitstempel, Benutzer und Aktion zu protokollieren und Audit-Logs aufzubewahren/zu analysieren.", "tier": "LEGAL_MINIMUM", "subdomain": "logging_monitoring", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(2)(g)", "citation": "Aufzeichnung und Ueberwachung relevanter interner Aktivitaeten (Logging)" } ], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-53 AU-2/MA-4", "role": "best_practice" } ], "member_review_units": [ "M3", "M18", "M26" ], "member_controls": [ "AUTH-2788-A01", "COMP-3332-A03", "INC-091-A07", "LOG-1506-A05", "LOG-1549-A02", "LOG-1959-A07", "LOG-1959-A11", "LOG-353-A19", "NET-1626-A02", "NET-1626-A03", "NET-1760-A05", "SEC-3855", "SEC-3855-A02", "SEC-5843-A01", "SEC-5843-A04", "SEC-5925-A05", "SEC-6712", "SEC-6712-A02", "SEC-6712-A04", "SEC-8327-A03", "SEC-8327-A05", "SEC-8327-A09" ], "member_count": 22, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.9, "source_meta_cluster": "M3", "cluster_size": 14, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access", "cross_family_ref": "event_logging_security_events (cra_logging.json)" }, { "id": "remote_access_user_validation_ot", "name": "Identifizierung und Validierung von Fernzugriffsnutzern (ICS/OT)", "description": "Benutzer mit Fernzugriff auf ICS/SCADA-Systeme sind zu identifizieren, zu validieren und Fernzugriffskanaele zu pruefen; OT-spezifische Absicherung.", "tier": "BEST_PRACTICE", "subdomain": "ics_ot", "applicability": "domain:ics_ot", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "BSI", "anchor": "ICS Security Kompendium", "role": "best_practice" } ], "member_review_units": [ "M8", "M16" ], "member_controls": [ "CRYP-1756-A03", "CRYP-1756-A04", "CRYP-191", "CRYP-2191-A11", "NET-082-A02", "NET-082-A03", "NET-082-A15", "NET-082-A16", "NET-091", "NET-1364-A01", "NET-991-A02", "SEC-4140-A02", "SEC-5025-A08", "SEC-5787-A01", "SEC-5877-A03" ], "member_count": 15, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.84, "source_meta_cluster": "M8", "cluster_size": 13, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_training", "name": "Schulung zur sicheren Nutzung von Fernzugriff", "description": "Autorisierte Nutzer sind zur sicheren Nutzung von Fernzugriff und mobilen Geraeten zu schulen.", "tier": "BEST_PRACTICE", "subdomain": "awareness", "applicability": "universal", "evidence_facets": { "governance": true, "capability": false, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "ISO", "anchor": "ISO/IEC 27001 A.6.3", "role": "best_practice" } ], "member_review_units": [ "M19" ], "member_controls": [ "NET-1758", "NET-1758-A01", "NET-1758-A03", "NET-1809", "NET-1809-A01", "NET-1809-A02", "SEC-5877", "SEC-6795-A05", "SEC-6802-A03", "SEC-8873-A03" ], "member_count": 10, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.8, "source_meta_cluster": "M19", "cluster_size": 10, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_architecture_design", "name": "Architektur-Design fuer sicheren Fernzugriff", "description": "Fernzugriffsarchitektur ist sicher zu konzipieren (Gateway/Agent-basiert, Zero-Trust, dedizierte isolierte Kanaele, Segmentierung).", "tier": "BEST_PRACTICE", "subdomain": "architecture", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-207 Zero Trust", "role": "best_practice" } ], "member_review_units": [ "M22", "M24", "M25" ], "member_controls": [ "NET-543-A73", "SEC-3867-A01", "SEC-3867-A02", "SEC-5858-A01", "SEC-5858-A05", "SEC-6712-A03", "SEC-7969", "SEC-8327-A04", "SEC-8334-A13" ], "member_count": 9, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.78, "source_meta_cluster": "M22", "cluster_size": 1, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_attack_surface_min", "name": "Minimierung der Fernzugriffs-Angriffsflaeche", "description": "Unnoetige Backdoors und Fernzugriffsschnittstellen sind zu deaktivieren; offene Ports/Schnittstellen zu inventarisieren und zu schuetzen.", "tier": "LEGAL_MINIMUM", "subdomain": "hardening", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": false }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (1)(2)(a)", "citation": "Bereitstellung ohne bekannte ausnutzbare Schwachstellen / minimierte Angriffsflaeche" } ], "guidance_basis": [], "member_review_units": [ "M15", "M20", "M10" ], "member_controls": [ "DATA-4692-A04", "LOG-1170-A08", "LOG-1495-A07", "NET-1363", "NET-1626-A10", "NET-1855", "NET-1855-A04", "NET-1855-A10", "NET-908-A02", "NET-942", "NET-942-A02", "SEC-476", "SEC-5787-A02", "SEC-6930", "SEC-8327", "SEC-8327-A01", "SEC-8327-A02", "SEC-8327-A08", "SEC-8507-A01" ], "member_count": 19, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.83, "source_meta_cluster": "M15", "cluster_size": 6, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_vuln_patch_mgmt", "name": "Schwachstellen- und Patchmanagement fuer Fernwartungssoftware", "description": "Schwachstellen in Fernwartungssoftware sind zu beobachten und regelmaessige Patch-/Updatezyklen sicherzustellen; Penetrationstests der Fernwartungsschnittstellen.", "tier": "LEGAL_MINIMUM", "subdomain": "vulnerability_management", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": true }, "source_role": "LEGAL_BASIS", "legal_basis": [ { "source": "CRA", "anchor": "Annex I (2)(1)", "citation": "Behandlung und Behebung von Schwachstellen, Sicherheitsupdates" } ], "guidance_basis": [ { "source": "OWASP", "anchor": "ASVS", "role": "best_practice" } ], "member_review_units": [ "M15", "M20", "M14" ], "member_controls": [ "NET-1237", "NET-1343", "NET-1363", "NET-1364", "NET-1855", "NET-1855-A04", "NET-1855-A10", "NET-942", "NET-942-A02", "SEC-476", "SEC-4872-A13", "SEC-5787-A02", "SEC-5858-A08", "SEC-8327", "SEC-8327-A01", "SEC-8327-A02", "SEC-8327-A08" ], "member_count": 17, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.82, "source_meta_cluster": "M15", "cluster_size": 6, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access", "cross_family_ref": "vuln-Familie (cra.json)" }, { "id": "remote_access_threat_detection", "name": "Erkennung von Bedrohungen bei Fernzugriff", "description": "Erkennungsmechanismen fuer Remote Access Trojans und verdaechtige Remote-Zugriffsmuster (EDR-Logs, APT-Abwehr).", "tier": "BEST_PRACTICE", "subdomain": "detection", "applicability": "universal", "evidence_facets": { "governance": false, "capability": true, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "SP 800-94", "role": "best_practice" } ], "member_review_units": [ "M20" ], "member_controls": [ "NET-1855", "NET-1855-A04", "NET-1855-A10", "NET-942", "NET-942-A02", "SEC-5787-A02" ], "member_count": 6, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.79, "source_meta_cluster": "M20", "cluster_size": 6, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_maintenance_governance", "name": "Governance externer Fernwartung", "description": "Permanente Fernwartung durch externe Dienstleister erfordert Genehmigung, Zeitbegrenzung, vertragliche Regelung und Dokumentation (inkl. Auftragsverarbeitung).", "tier": "BEST_PRACTICE", "subdomain": "maintenance_governance", "applicability": "conditional:external_maintenance_provider", "evidence_facets": { "governance": true, "capability": false, "evidence": true }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "BSI", "anchor": "IT-Grundschutz OPS.2.3", "role": "best_practice" } ], "member_review_units": [ "M18", "M10", "M9" ], "member_controls": [ "DATA-4409", "DATA-4692-A04", "GOV-524", "GOV-524-A12", "LOG-1170-A08", "LOG-1495-A07", "NET-1626-A03", "NET-1626-A10", "NET-1760-A05", "NET-908-A02", "SEC-3855", "SEC-3855-A02", "SEC-6712", "SEC-6712-A02", "SEC-6930", "SEC-8507-A01" ], "member_count": 16, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.8, "source_meta_cluster": "M18", "cluster_size": 6, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "temporary_remote_access_mgmt", "name": "Verwaltung temporaerer Fernzugriffe", "description": "Temporaere Fernzugriffe sind sicher zu verwalten, zeitlich zu begrenzen und nach Nutzung zu entziehen.", "tier": "BEST_PRACTICE", "subdomain": "access_control", "applicability": "universal", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "AC-2(5)", "role": "best_practice" } ], "member_review_units": [ "M14" ], "member_controls": [ "NET-1237", "NET-1343", "NET-1364", "SEC-4872-A13", "SEC-5858-A08" ], "member_count": 5, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.78, "source_meta_cluster": "M14", "cluster_size": 5, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_data_export_protection", "name": "Schutz von Datenexport ueber Support-Fernzugriff", "description": "Download-/Export-Einschraenkungen bei Fernzugriff; Datenexport ueber Support-Fernzugriff technisch verhindern, insb. EU-Kundendaten.", "tier": "BEST_PRACTICE", "subdomain": "data_protection", "applicability": "conditional:support_remote_access_to_customer_data", "evidence_facets": { "governance": true, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "AC-4", "role": "best_practice" } ], "member_review_units": [ "M17", "M2" ], "member_controls": [ "AUTH-2461-A05", "AUTH-3915-A07", "AUTH-3980-A05", "AUTH-894-A03", "AUTH-894-A08", "AUTH-894-A14", "AUTH-894-A19", "AUTH-894-A24", "CRYP-1700", "CRYP-1938-A02", "NET-082-A05", "NET-082-A17", "NET-082-A18", "NET-1547", "NET-1547-A01", "NET-1547-A03", "NET-1787", "NET-1787-A11", "NET-375-A07", "SEC-3870", "SEC-6795-A02", "SEC-8334-A06" ], "member_count": 22, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.77, "source_meta_cluster": "M17", "cluster_size": 3, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "component_remote_interface_security", "name": "Sicherheit von Komponenten mit Fernzugriffsschnittstellen", "description": "Komponenten mit Fernzugriffs- oder lokalen IT-Schnittstellen sind hinsichtlich Sicherheit zu pruefen und abzusichern.", "tier": "BEST_PRACTICE", "subdomain": "product_security", "applicability": "conditional:component_with_remote_interface", "evidence_facets": { "governance": false, "capability": true, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "NIST", "anchor": "CM-7", "role": "best_practice" } ], "member_review_units": [ "M4" ], "member_controls": [ "COMP-1727-A01", "NET-925-A04", "SEC-3155-A02" ], "member_count": 3, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "curated_retier_mechanism", "provenance": { "discovery_confidence": 0.75, "source_meta_cluster": "M4", "cluster_size": 3, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" }, { "id": "remote_access_fallback_concept", "name": "Betriebskonzept mit Fallback fuer Fernzugriff", "description": "Betriebskonzept mit Fallback-Szenarien und alternativen Kommunikationswegen bei Ausfall des Fernzugriffs.", "tier": "BEST_PRACTICE", "subdomain": "resilience", "applicability": "universal", "evidence_facets": { "governance": true, "capability": false, "evidence": false }, "source_role": "GUIDANCE", "legal_basis": [], "guidance_basis": [ { "source": "ISO", "anchor": "ISO/IEC 27001 A.5.30", "role": "best_practice" } ], "member_review_units": [ "M24" ], "member_controls": [ "SEC-3867-A01", "SEC-3867-A02", "SEC-7969" ], "member_count": 3, "relationships": [], "citation_anchor_ids": [], "citation_status": "pending_span_anchor", "review_status": "draft", "provenance": { "discovery_confidence": 0.72, "source_meta_cluster": "M24", "cluster_size": 3, "llm_model": "claude-opus-4-8", "synthesis_version": "v1" }, "family": "remote_access" } ], "relationships": [ { "type": "supports", "from": "remote_access_encryption", "to": "remote_access_confidentiality_integrity", "note": "Verschluesselung realisiert Vertraulichkeit/Integritaet" }, { "type": "supports", "from": "remote_access_mfa", "to": "remote_access_control_least_privilege", "note": "MFA unterstuetzt Zugriffskontrolle" }, { "type": "implements", "from": "reject_insecure_remote_protocols", "to": "remote_access_encryption", "note": "Verbot unsicherer Protokolle setzt Verschluesselungspflicht durch" }, { "type": "produces_evidence_for", "from": "remote_access_logging_audit", "to": "remote_maintenance_governance", "note": "Logs belegen genehmigte Fernwartung" }, { "type": "supports", "from": "remote_access_threat_detection", "to": "remote_access_logging_audit", "note": "Detection nutzt Logdaten" }, { "type": "supports", "from": "remote_access_architecture_design", "to": "remote_access_control_least_privilege", "note": "Zero-Trust/Segmentierung unterstuetzt Least Privilege" }, { "type": "depends_on", "from": "temporary_remote_access_mgmt", "to": "remote_maintenance_governance", "note": "Temporaere Zugriffe oft fuer externe Wartung" }, { "type": "supports", "from": "remote_session_management", "to": "remote_access_control_least_privilege", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "implements", "from": "remote_access_encryption", "to": "remote_access_confidentiality_integrity", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "supports", "from": "reject_insecure_remote_protocols", "to": "remote_access_confidentiality_integrity", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "supports", "from": "remote_access_user_validation_ot", "to": "remote_access_control_least_privilege", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "supports", "from": "remote_maintenance_governance", "to": "remote_access_control_least_privilege", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "supports", "from": "temporary_remote_access_mgmt", "to": "remote_access_control_least_privilege", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "supports", "from": "remote_access_data_export_protection", "to": "remote_access_confidentiality_integrity", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "supports", "from": "component_remote_interface_security", "to": "remote_access_attack_surface_min", "note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)" }, { "type": "out_of_scope", "review_units": [ "M5", "M11" ], "note": "Physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen-Sicherheit (MaschinenVO 2023/1230), keine Cybersecurity-Fernwartung" } ] }