breakpilot-compliance/obligations/controls_for_obligation_mapping.json

{
 "schema_version": "controls_for_obligation_mapping_v1",
 "purpose": "Accepted CRA->Framework controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.",
 "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25. OWASP ASVS (7, gefuellt) + NIST SP 800-53 (3, pending).",
 "filled_by": "obligation-registry-session 2026-06-25. OWASP 7/7 (4 auth/crypto + 3 logging). NIST 3/3 GEFUELLT (Obligation-Session): SI-2->provide_security_updates (stark, (2)(c)/Art.13) · SI-7->signed_update_integrity (update-scoped; SI-7 breiter) · CM-7->remote_access_attack_surface_min (remote-scoped; CM-7 breiter). GAP-BEFUND (Cross-Domain-Review): generische Parent-Obligations software_integrity_protection + attack_surface_minimization FEHLEN — SI-7/CM-7 sind breiter als die domaenen-scoped Treffer. Kandidaten fuer neue generische Obligations (User-Entscheidung). Damit 10/10 proposed_obligation_id gefuellt.",
 "join_principle": "SEMANTISCH via obligation_id, NICHT via citation_unit/legal_basis-Anker. Die CRA-Anker sind im Registry teils approximativ (siehe anchor_quality_note) — daher ist obligation_id der stabile Primaerschluessel, nicht der Anker.",
 "anchor_quality_note": "Registry-legal_basis-Anker sind teils CRA-Part-I-fehlzugeordnet (Opus-Synthese): user_authentication_required steht auf (2)(d) statt (2)(c); Crypto-Obligations auf (2)(e) statt (2)(d). CRA Annex I Part I: (2)(c)=Zugriffsschutz, (2)(d)=Vertraulichkeit, (2)(e)=Integritaet. Korrektur kommt mit dem zitierfaehigen Re-Ingest (span-genau). Deshalb: NICHT auf Anker joinen. ABER: der Logging-Cut (V16.*) ist korrekt auf (2)(k) verankert (echte Logging-Subsektion, kein Fehl-Anker).",
 "mapping_type_note": "NEU: mapping_type=primary_implementation = die kanonische Primaer-Control einer Anforderung (genau eine), staerker als implements/supports. related-Controls (SC-3(3), RA-5, AC-6, SI-16, SA-10, ...) folgen separat als supports. Eine Obligation kann mehrere Controls haben, aber genau einen primary_implementation-Einstieg.",
 "count": 10,
 "controls": [
  {
   "framework": "OWASP ASVS", "control": "V6.3.1",
   "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
   "citation_unit": "Annex I (2)(c)", "family": "auth", "mapping_type": "supports",
   "proposed_obligation_id": "user_authentication_required",
   "mapping_method": "semantic",
   "mapping_note": "Zugriffsschutz/Authentisierung-vor-Zugriff = Nutzer-Auth (NICHT firmware, trotz strukturellem (2)(c)-Join)"
  },
  {
   "framework": "OWASP ASVS", "control": "V6.1.1",
   "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff",
   "citation_unit": "Annex I (2)(c)", "family": "auth", "mapping_type": "supports",
   "proposed_obligation_id": "user_authentication_required",
   "mapping_method": "semantic",
   "mapping_note": "wie V6.3.1"
  },
  {
   "framework": "OWASP ASVS", "control": "V11.2.1",
   "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
   "citation_unit": "Annex I (2)(d)", "family": "crypto", "mapping_type": "supports",
   "proposed_obligation_id": "credential_confidentiality_protection",
   "mapping_method": "semantic",
   "mapping_note": "Vertraulichkeit von Auth-Daten. ALT: encrypted_auth_channel, falls V11.2.1 transit-/kanal-spezifisch ist — bitte aus eurem Control-Text bestaetigen."
  },
  {
   "framework": "OWASP ASVS", "control": "V11.7.1",
   "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung",
   "citation_unit": "Annex I (2)(d)", "family": "crypto", "mapping_type": "supports",
   "proposed_obligation_id": "auth_key_management",
   "mapping_method": "semantic",
   "mapping_note": "Key Management = Schluessel erzeugen/speichern/HSM"
  },
  {
   "framework": "OWASP ASVS", "control": "V16.3.3",
   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
   "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports",
   "proposed_obligation_id": "event_logging_security_events",
   "mapping_method": "semantic",
   "mapping_note": "Umbrella-LM 'Produkt protokolliert sicherheitsrelevante Ereignisse' (CRA (2)(k)). ALT bei access-decision-spezifischem Control-Text: access_control_event_logging — bitte aus eurem ASVS-V16.3-Text bestaetigen."
  },
  {
   "framework": "OWASP ASVS", "control": "V16.3.4",
   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
   "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports",
   "proposed_obligation_id": "event_logging_security_events",
   "mapping_method": "semantic",
   "mapping_note": "Umbrella-LM (CRA (2)(k)). ALT bei admin-/privileg-spezifischem Control-Text: audit_trail_admin_actions — bitte aus eurem ASVS-V16.3-Text bestaetigen."
  },
  {
   "framework": "OWASP ASVS", "control": "V16.1.1",
   "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging",
   "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports",
   "proposed_obligation_id": "event_logging_security_events",
   "mapping_method": "semantic",
   "mapping_note": "V16.1 = allgemeine Logging-Anforderung -> Umbrella-LM event_logging_security_events. Hohe Konfidenz."
  },
  {
   "framework": "NIST SP 800-53", "control": "SI-7",
   "source_norm": "CRA Annex I Part I (2)(e) — Integritaet",
   "citation_unit": "Annex I (2)(e)", "family": "integrity", "mapping_type": "primary_implementation",
   "proposed_obligation_id": "signed_update_integrity",
   "mapping_method": "semantic",
   "mapping_note": "NIST SI-7 = Software/Firmware/Information Integrity (Signaturpruefung, Manipulationserkennung, Secure Boot, Runtime-Integritaet). Naechster vorhandener Treffer (93-Stand): signed_update_integrity (updates-Familie, Annex I (1)(3)(f)) — deckt aber NUR Update-Signatur. SI-7 ist BREITER (gesamte Produkt-Integritaet). Falls keine generische Integritaets-Obligation existiert: neue noetig (Vorschlag software_integrity_protection); sonst SI-7 primary_implementation fuer signed_update_integrity (update-scoped) + supports fuers Breitere. NICHT log_integrity_immutability (Audit-Log-Schutz, andere Ebene)."
  },
  {
   "framework": "NIST SP 800-53", "control": "SI-2",
   "source_norm": "CRA Annex I Part I (2)(l) — Sichere Updates",
   "citation_unit": "Annex I (2)(l)", "family": "update", "mapping_type": "primary_implementation",
   "proposed_obligation_id": "provide_security_updates",
   "mapping_method": "semantic",
   "mapping_note": "NIST SI-2 = Flaw Remediation. STARKER Treffer in eurer NEUEN updates-Familie (93-Stand): provide_security_updates (LEGAL_MINIMUM, Annex I (2)(c) + Art. 13) = DAS sichere-Update-LM. -> SI-2 primary_implementation = provide_security_updates. Verwandt (supports): vuln_remediation_patching (Part II Remediations-PROZESS), support_period_maintenance, update_testing_validation, update_rollback. Mein source_norm-Anker (2)(l) ist approximativ -> bitte (2)(c)/Art.13 via provide_security_updates nutzen."
  },
  {
   "framework": "NIST SP 800-53", "control": "CM-7",
   "source_norm": "CRA Annex I Part I (2)(i) — Angriffsflaeche minimieren",
   "citation_unit": "Annex I (2)(i)", "family": "attack_surface", "mapping_type": "primary_implementation",
   "proposed_obligation_id": "remote_access_attack_surface_min",
   "mapping_method": "semantic",
   "mapping_note": "NIST CM-7 = Least Functionality (deaktivierte Ports/Dienste/Funktionen, GESAMTE Angriffsflaeche). Naechster vorhandener Treffer (93-Stand): remote_access_attack_surface_min (remote_access-Familie) — deckt aber NUR Remote-Access-Flaeche. CM-7 ist BREITER. Vermutlich generische Obligation noetig (Vorschlag attack_surface_minimization); sonst CM-7 supports fuer remote_access_attack_surface_min. related (supports): SC-3(3)/AC-6/SI-16."
  }
 ]
}