breakpilot-compliance/obligations/cra_remote_access.json
Benjamin Admin 4e761c1363 feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json
User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-26 00:54:23 +02:00


{
"schema_version": "obligation_registry_v1",
"regulation": "CRA",
"regulation_code": "CRA",
"family": "remote_access",
"theme": "Sichere Fernwartung / Remote Access (CRA Annex I)",
"generated_by": "obligation_discovery/claude-opus-4-8",
"synthesis_version": "v1",
"citation_status": "pending_span_anchor",
"curation": {
"curated_by": "obligation-registry-session 2026-06-25",
"method": "two-stage clustering (445 controls -> 209 micro-clusters -> 27 review units) -> Opus synthesis -> key-free re-tier",
"scope_controls": 445,
"micro_clusters": 209,
"review_units": 27,
"obligations": 18,
"tier_split": {
"LEGAL_MINIMUM": 5,
"BEST_PRACTICE": 13
},
"out_of_scope": [
"M5/M11 = physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen (MaschinenVO 2023/1230)"
],
"retier_rule": "Synthese vergab 14 LM. Kuriert nach der Auth-Regel: nur OUTCOME-Pflichten je CRA-Annex-I-Buchstabe bleiben LEGAL_MINIMUM (confidentiality/integrity, access-control/least-privilege, attack-surface-min, logging, vuln-patch); spezifische MECHANISMEN/Sub-Praktiken (MFA, Session-Timeout, VPN/TLS, insecure-protocol-block, OT-Validierung, Wartungs-Governance, temporaerer Zugriff, Daten-Export, Komponenten-Interface) -> BEST_PRACTICE + guidance_basis + supports-Kante zur Eltern-LM.",
"anchor_quality": "legal_basis-Buchstaben sind APPROXIMATIV (Opus): Verschluesselung als (b) statt (e), Logging als (g)/(k) statt (l), Attack-Surface als (a) statt (j). CRA Annex I Part I (2): (d)=Zugriffsschutz, (e)=Vertraulichkeit, (f)=Integritaet, (j)=Angriffsflaeche, (l)=Logging. Span-genaue Korrektur mit Re-Ingest. NICHT auf Buchstaben joinen.",
"borderline": [
"remote_access_data_export_protection (evtl. LM unter (g) Datenminimierung)",
"component_remote_interface_security (ueberlappt attack_surface_min)"
]
},
"obligations": [
{
"id": "remote_access_control_least_privilege",
"name": "Zugriffskontrolle und Least Privilege fuer Fernzugriff",
"description": "Fernzugriff auf Systeme ist zu konfigurieren und zu kontrollieren nach dem Prinzip der minimalen Rechtevergabe; privilegierte Befehle ueber Fernzugriff sind zu beschraenken und Zugriffsgenehmigungen pro Benutzer/Zielressource festzulegen.",
"tier": "LEGAL_MINIMUM",
"subdomain": "access_control",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(2)(d)",
"citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen (Authentifizierung, Identitaets- und Zugriffsmanagement)"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-53 AC-3/AC-6/AC-17",
"role": "best_practice"
}
],
"member_review_units": [
"M0",
"M13"
],
"member_controls": [
"ACC-0404-A02",
"ACC-0404-A06",
"ACC-0405-A02",
"ACC-0406-A02",
"ACC-0406-A03",
"ACC-0406-A04",
"ACC-0406-A05",
"ACC-0407-A03",
"ACC-0407-A04",
"ACC-0409-A01",
"ACC-0409-A05",
"ACC-0409-A06",
"ACC-163-A24",
"ACC-584",
"ACC-584-A01",
"ACC-584-A02",
"ACC-584-A06",
"ACC-584-A07",
"ACC-584-A08",
"AI-067-A08",
"AI-067-A20",
"AI-084-A37",
"AI-099-A27",
"AI-101-A22",
"AI-117-A09",
"AI-117-A25",
"AI-118-A29",
"AI-120-A27",
"AI-126-A21",
"AI-1263",
"AI-195-A12",
"AUTH-1446-A03",
"AUTH-2338-A04",
"AUTH-2338-A09",
"AUTH-2386",
"AUTH-2386-A01",
"AUTH-2386-A02",
"AUTH-2413",
"AUTH-2413-A01",
"AUTH-2413-A02",
"AUTH-2419-A07",
"AUTH-2421-A01",
"AUTH-2421-A02",
"AUTH-2421-A03",
"AUTH-2421-A04",
"AUTH-2461",
"AUTH-2461-A01",
"AUTH-3825-A08",
"AUTH-3887-A01",
"AUTH-3928-A08",
"AUTH-3928-A09",
"AUTH-586",
"AUTH-586-A01",
"AUTH-586-A03",
"AUTH-586-A04",
"AUTH-909-A10",
"AUTH-909-A20",
"AUTH-909-A30",
"AUTH-909-A40",
"AUTH-909-A50",
"COMP-001-A81",
"COMP-043-A23",
"COMP-096-A26",
"COMP-1054-A08",
"COMP-1212-A13",
"COMP-1212-A27",
"COMP-1212-A39",
"COMP-1212-A53",
"COMP-1212-A69",
"COMP-1240-A31",
"COMP-372-A11",
"COMP-383-A07",
"COMP-383-A14",
"COMP-430-A09",
"COMP-449-A12",
"COMP-449-A25",
"COMP-498-A01",
"COMP-592-A09",
"COMP-592-A21",
"COMP-707-A15",
"COMP-711-A07",
"COMP-932-A11",
"COMP-932-A23",
"COMP-995-A13",
"COMP-995-A22",
"CRYP-127-A03",
"CRYP-127-A04",
"CRYP-127-A05",
"CRYP-127-A06",
"CRYP-1700-A01",
"CRYP-1700-A02",
"CRYP-1701-A01",
"CRYP-1725-A04",
"CRYP-1725-A05",
"CRYP-1725-A06",
"CRYP-1725-A07",
"CRYP-1726",
"CRYP-1726-A01",
"CRYP-182",
"CRYP-182-A01",
"CRYP-182-A03",
"CRYP-182-A04",
"CRYP-182-A05",
"CRYP-191-A04",
"CRYP-191-A05",
"CRYP-191-A06",
"CRYP-194-A07",
"CRYP-1988-A07",
"CRYP-210",
"CRYP-210-A01",
"CRYP-210-A02",
"CRYP-210-A03",
"CRYP-210-A04",
"CRYP-210-A05",
"CRYP-210-A09",
"CRYP-210-A10",
"CRYP-210-A11",
"CRYP-2191-A12",
"CRYP-245",
"CRYP-245-A01",
"CRYP-245-A02",
"CRYP-289",
"CRYP-289-A01",
"CRYP-289-A02",
"CRYP-289-A04",
"CRYP-289-A05",
"CRYP-289-A06",
"CRYP-289-A10",
"DATA-119-A23",
"DATA-4067-A03",
"DATA-554-A03",
"DATA-700-A12",
"FIN-101-A13",
"FIN-101-A29",
"FIN-101-A45",
"FIN-101-A62",
"FIN-101-A78",
"FIN-101-A95",
"FIN-258-A19",
"FIN-340-A11",
"FIN-340-A25",
"FIN-340-A39",
"FIN-340-A53",
"FIN-340-A67",
"GOV-0665-A07",
"GOV-0665-A18",
"GOV-0665-A25",
"GOV-0665-A37",
"GOV-191-A07",
"GOV-191-A17",
"GOV-277-A05",
"GOV-277-A06",
"GOV-3066",
"GOV-413-A05",
"GOV-413-A09",
"GOV-413-A14",
"GOV-413-A18",
"GOV-524-A04",
"GOV-524-A05",
"GOV-524-A31",
"GOV-561-A07",
"LOG-072-A22",
"LOG-1361-A01",
"LOG-1385-A02",
"LOG-1486-A06",
"LOG-1506-A03",
"LOG-1549-A10",
"LOG-1692",
"LOG-1692-A01",
"LOG-1692-A02",
"LOG-1692-A03",
"LOG-1692-A04",
"LOG-266",
"LOG-353-A07",
"LOG-353-A08",
"LOG-353-A13",
"LOG-353-A18",
"LOG-445-A06",
"LOG-445-A10",
"LOG-445-A16",
"LOG-445-A20",
"LOG-471-A01",
"LOG-471-A05",
"LOG-741-A24",
"NET-041-A07",
"NET-041-A17",
"NET-047-A05",
"NET-047-A06",
"NET-047-A15",
"NET-047-A16",
"NET-0673-A02",
"NET-0673-A05",
"NET-0673-A09",
"NET-073-A08",
"NET-073-A22",
"NET-078-A05",
"NET-078-A16",
"NET-082-A04",
"NET-091-A02",
"NET-091-A03",
"NET-091-A04",
"NET-091-A05",
"NET-091-A13",
"NET-091-A14",
"NET-091-A15",
"NET-091-A16",
"NET-093-A09",
"NET-093-A22",
"NET-1147-A10",
"NET-1243-A05",
"NET-1344-A05",
"NET-1356-A03",
"NET-1461-A03",
"NET-1626-A17",
"NET-266-A15",
"NET-277-A04",
"NET-277-A05",
"NET-277-A13",
"NET-277-A14",
"NET-326",
"NET-329-A10",
"NET-329-A22",
"NET-336-A03",
"NET-336-A12",
"NET-375",
"NET-375-A02",
"NET-375-A04",
"NET-375-A08",
"NET-375-A10",
"NET-382-A12",
"NET-382-A24",
"NET-416",
"NET-416-A14",
"NET-441-A01",
"NET-441-A06",
"NET-441-A07",
"NET-441-A12",
"NET-543-A04",
"NET-543-A77",
"SEC-049-A12",
"SEC-156-A16",
"SEC-156-A30",
"SEC-182-A07",
"SEC-182-A08",
"SEC-182-A16",
"SEC-182-A17",
"SEC-297-A09",
"SEC-297-A19",
"SEC-3193-A05",
"SEC-338-A11",
"SEC-338-A22",
"SEC-3855-A05",
"SEC-386",
"SEC-386-A01",
"SEC-386-A03",
"SEC-386-A05",
"SEC-386-A06",
"SEC-386-A07",
"SEC-386-A09",
"SEC-386-A11",
"SEC-386-A13",
"SEC-386-A14",
"SEC-386-A15",
"SEC-386-A16",
"SEC-4874-A03",
"SEC-4874-A05",
"SEC-5814",
"SEC-5843",
"SEC-6093-A01",
"SEC-6762",
"SEC-6762-A02",
"SEC-6795-A03",
"SEC-6795-A06",
"SEC-8179-A04",
"SEC-839-A19",
"SEC-8507",
"SEC-8885-A22"
],
"member_count": 277,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.92,
"source_meta_cluster": "M0",
"cluster_size": 274,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_confidentiality_integrity",
"name": "Vertraulichkeit und Integritaet des Fernzugriffs",
"description": "Vertraulichkeit und Integritaet von Remote-Zugriffsverbindungen sind sicherzustellen.",
"tier": "LEGAL_MINIMUM",
"subdomain": "access_control",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(2)(b)(c)",
"citation": "Schutz der Vertraulichkeit und Integritaet von Daten und Befehlen"
}
],
"guidance_basis": [],
"member_review_units": [
"M0"
],
"member_controls": [
"ACC-0404-A02",
"ACC-0404-A06",
"ACC-0405-A02",
"ACC-0406-A02",
"ACC-0406-A03",
"ACC-0406-A04",
"ACC-0406-A05",
"ACC-0407-A03",
"ACC-0407-A04",
"ACC-0409-A01",
"ACC-0409-A05",
"ACC-0409-A06",
"ACC-163-A24",
"ACC-584",
"ACC-584-A01",
"ACC-584-A02",
"ACC-584-A06",
"ACC-584-A07",
"ACC-584-A08",
"AI-067-A08",
"AI-067-A20",
"AI-084-A37",
"AI-099-A27",
"AI-101-A22",
"AI-117-A09",
"AI-117-A25",
"AI-118-A29",
"AI-120-A27",
"AI-126-A21",
"AI-1263",
"AI-195-A12",
"AUTH-1446-A03",
"AUTH-2338-A04",
"AUTH-2338-A09",
"AUTH-2386",
"AUTH-2386-A01",
"AUTH-2386-A02",
"AUTH-2413",
"AUTH-2413-A01",
"AUTH-2413-A02",
"AUTH-2419-A07",
"AUTH-2421-A01",
"AUTH-2421-A02",
"AUTH-2421-A03",
"AUTH-2421-A04",
"AUTH-2461",
"AUTH-2461-A01",
"AUTH-3825-A08",
"AUTH-3887-A01",
"AUTH-3928-A08",
"AUTH-3928-A09",
"AUTH-586",
"AUTH-586-A01",
"AUTH-586-A03",
"AUTH-586-A04",
"AUTH-909-A10",
"AUTH-909-A20",
"AUTH-909-A30",
"AUTH-909-A40",
"AUTH-909-A50",
"COMP-001-A81",
"COMP-043-A23",
"COMP-096-A26",
"COMP-1054-A08",
"COMP-1212-A13",
"COMP-1212-A27",
"COMP-1212-A39",
"COMP-1212-A53",
"COMP-1212-A69",
"COMP-1240-A31",
"COMP-372-A11",
"COMP-383-A07",
"COMP-383-A14",
"COMP-430-A09",
"COMP-449-A12",
"COMP-449-A25",
"COMP-498-A01",
"COMP-592-A09",
"COMP-592-A21",
"COMP-707-A15",
"COMP-711-A07",
"COMP-932-A11",
"COMP-932-A23",
"COMP-995-A13",
"COMP-995-A22",
"CRYP-127-A03",
"CRYP-127-A04",
"CRYP-127-A05",
"CRYP-127-A06",
"CRYP-1700-A01",
"CRYP-1700-A02",
"CRYP-1701-A01",
"CRYP-1725-A04",
"CRYP-1725-A05",
"CRYP-1725-A06",
"CRYP-1725-A07",
"CRYP-1726",
"CRYP-1726-A01",
"CRYP-182",
"CRYP-182-A01",
"CRYP-182-A03",
"CRYP-182-A04",
"CRYP-182-A05",
"CRYP-191-A04",
"CRYP-191-A05",
"CRYP-191-A06",
"CRYP-194-A07",
"CRYP-1988-A07",
"CRYP-210",
"CRYP-210-A01",
"CRYP-210-A02",
"CRYP-210-A03",
"CRYP-210-A04",
"CRYP-210-A05",
"CRYP-210-A09",
"CRYP-210-A10",
"CRYP-210-A11",
"CRYP-2191-A12",
"CRYP-245",
"CRYP-245-A01",
"CRYP-245-A02",
"CRYP-289",
"CRYP-289-A01",
"CRYP-289-A02",
"CRYP-289-A04",
"CRYP-289-A05",
"CRYP-289-A06",
"CRYP-289-A10",
"DATA-119-A23",
"DATA-4067-A03",
"DATA-554-A03",
"DATA-700-A12",
"FIN-101-A13",
"FIN-101-A29",
"FIN-101-A45",
"FIN-101-A62",
"FIN-101-A78",
"FIN-101-A95",
"FIN-258-A19",
"FIN-340-A11",
"FIN-340-A25",
"FIN-340-A39",
"FIN-340-A53",
"FIN-340-A67",
"GOV-0665-A07",
"GOV-0665-A18",
"GOV-0665-A25",
"GOV-0665-A37",
"GOV-191-A07",
"GOV-191-A17",
"GOV-277-A05",
"GOV-277-A06",
"GOV-3066",
"GOV-413-A05",
"GOV-413-A09",
"GOV-413-A14",
"GOV-413-A18",
"GOV-524-A04",
"GOV-524-A05",
"GOV-524-A31",
"GOV-561-A07",
"LOG-072-A22",
"LOG-1361-A01",
"LOG-1385-A02",
"LOG-1486-A06",
"LOG-1506-A03",
"LOG-1549-A10",
"LOG-1692",
"LOG-1692-A01",
"LOG-1692-A02",
"LOG-1692-A03",
"LOG-1692-A04",
"LOG-266",
"LOG-353-A07",
"LOG-353-A08",
"LOG-353-A13",
"LOG-353-A18",
"LOG-445-A06",
"LOG-445-A10",
"LOG-445-A16",
"LOG-445-A20",
"LOG-471-A01",
"LOG-471-A05",
"LOG-741-A24",
"NET-041-A07",
"NET-041-A17",
"NET-047-A05",
"NET-047-A06",
"NET-047-A15",
"NET-047-A16",
"NET-0673-A02",
"NET-0673-A05",
"NET-0673-A09",
"NET-073-A08",
"NET-073-A22",
"NET-078-A05",
"NET-078-A16",
"NET-082-A04",
"NET-091-A02",
"NET-091-A03",
"NET-091-A04",
"NET-091-A05",
"NET-091-A13",
"NET-091-A14",
"NET-091-A15",
"NET-091-A16",
"NET-093-A09",
"NET-093-A22",
"NET-1243-A05",
"NET-1344-A05",
"NET-1461-A03",
"NET-1626-A17",
"NET-266-A15",
"NET-277-A04",
"NET-277-A05",
"NET-277-A13",
"NET-277-A14",
"NET-326",
"NET-329-A10",
"NET-329-A22",
"NET-336-A03",
"NET-336-A12",
"NET-375",
"NET-375-A02",
"NET-375-A04",
"NET-375-A08",
"NET-375-A10",
"NET-382-A12",
"NET-382-A24",
"NET-416",
"NET-416-A14",
"NET-441-A01",
"NET-441-A06",
"NET-441-A07",
"NET-441-A12",
"NET-543-A04",
"NET-543-A77",
"SEC-049-A12",
"SEC-156-A16",
"SEC-156-A30",
"SEC-182-A07",
"SEC-182-A08",
"SEC-182-A16",
"SEC-182-A17",
"SEC-297-A09",
"SEC-297-A19",
"SEC-338-A11",
"SEC-338-A22",
"SEC-3855-A05",
"SEC-386",
"SEC-386-A01",
"SEC-386-A03",
"SEC-386-A05",
"SEC-386-A06",
"SEC-386-A07",
"SEC-386-A09",
"SEC-386-A11",
"SEC-386-A13",
"SEC-386-A14",
"SEC-386-A15",
"SEC-386-A16",
"SEC-4874-A03",
"SEC-4874-A05",
"SEC-5814",
"SEC-5843",
"SEC-6093-A01",
"SEC-6762",
"SEC-6762-A02",
"SEC-6795-A03",
"SEC-6795-A06",
"SEC-8179-A04",
"SEC-839-A19",
"SEC-8507",
"SEC-8885-A22"
],
"member_count": 274,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.9,
"source_meta_cluster": "M0",
"cluster_size": 274,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_session_management",
"name": "Sitzungsmanagement und automatische Trennung",
"description": "Fernzugriffssitzungen muessen Timeouts haben und nach Abschluss bzw. Inaktivitaet automatisch getrennt werden.",
"tier": "BEST_PRACTICE",
"subdomain": "session_management",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-53 AC-12",
"role": "best_practice"
}
],
"member_review_units": [
"M1"
],
"member_controls": [
"AUTH-2419-A01",
"AUTH-2419-A02",
"CRYP-1700-A04",
"CRYP-1700-A05",
"CRYP-1725-A01",
"CRYP-1938-A09",
"LOG-1506-A04",
"NET-041-A06",
"NET-041-A16",
"NET-1344-A02",
"NET-1626-A01",
"NET-1626-A11",
"NET-336",
"NET-336-A09",
"NET-336-A16",
"SEC-3855-A03",
"SEC-3855-A06",
"SEC-3870-A01",
"SEC-3870-A02",
"SEC-6795-A01",
"SEC-6795-A04",
"SEC-6808-A01",
"SEC-8327-A10"
],
"member_count": 23,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.88,
"source_meta_cluster": "M1",
"cluster_size": 23,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_mfa",
"name": "Multi-Faktor-Authentifizierung fuer Fernzugriff",
"description": "Fuer alle Fernzugriffssessions, insbesondere privilegierte Konten, ist MFA zu erzwingen.",
"tier": "BEST_PRACTICE",
"subdomain": "authentication",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-53 IA-2",
"role": "best_practice"
}
],
"member_review_units": [
"M2"
],
"member_controls": [
"AUTH-2461-A05",
"AUTH-3915-A07",
"AUTH-3980-A05",
"AUTH-894-A03",
"AUTH-894-A08",
"AUTH-894-A14",
"AUTH-894-A19",
"AUTH-894-A24",
"CRYP-1700",
"CRYP-1938-A02",
"NET-082-A05",
"NET-082-A17",
"NET-082-A18",
"NET-1787",
"NET-1787-A11",
"NET-375-A07",
"SEC-3870",
"SEC-6795-A02",
"SEC-8334-A06"
],
"member_count": 19,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.93,
"source_meta_cluster": "M2",
"cluster_size": 19,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_encryption",
"name": "Verschluesselung der Fernzugriffsverbindungen",
"description": "Fernzugriffe muessen verschluesselt erfolgen (VPN/Tunnel-Modus, TLS, Client-Zertifikate).",
"tier": "BEST_PRACTICE",
"subdomain": "cryptography",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "BSI",
"anchor": "IT-Grundschutz NET.3.3",
"role": "best_practice"
}
],
"member_review_units": [
"M6",
"M21",
"M23",
"M25"
],
"member_controls": [
"CRYP-1700-A03",
"CRYP-1701",
"CRYP-1732-A05",
"CRYP-1988-A03",
"CRYP-2191-A03",
"CRYP-2191-A04",
"NET-053-A05",
"NET-053-A13",
"NET-122-A03",
"NET-122-A11",
"NET-1461",
"NET-1461-A01",
"NET-1461-A02",
"NET-1461-A05",
"NET-266-A16",
"NET-336-A07",
"NET-336-A15",
"SEC-3220-A05",
"SEC-5858-A01",
"SEC-5858-A05",
"SEC-6712-A03",
"SEC-8327-A04",
"SEC-8334-A13"
],
"member_count": 23,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.91,
"source_meta_cluster": "M6",
"cluster_size": 15,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "reject_insecure_remote_protocols",
"name": "Verbot unsicherer Fernzugriffsprotokolle",
"description": "Unsichere/unverschluesselte Fernzugriffsprotokolle sind zu unterlassen bzw. zu blockieren.",
"tier": "BEST_PRACTICE",
"subdomain": "cryptography",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SC-8",
"role": "best_practice"
}
],
"member_review_units": [
"M7",
"M12"
],
"member_controls": [
"CRYP-1726-A02",
"LOG-266-A10",
"NET-1461-A06",
"SEC-8593-A10"
],
"member_count": 4,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.85,
"source_meta_cluster": "M7",
"cluster_size": 1,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_logging_audit",
"name": "Protokollierung und Audit von Fernzugriffen",
"description": "Fernwartungs- und Diagnoseaktivitaeten sind mit Zeitstempel, Benutzer und Aktion zu protokollieren und Audit-Logs aufzubewahren/zu analysieren.",
"tier": "LEGAL_MINIMUM",
"subdomain": "logging_monitoring",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": true
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(2)(g)",
"citation": "Aufzeichnung und Ueberwachung relevanter interner Aktivitaeten (Logging)"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-53 AU-2/MA-4",
"role": "best_practice"
}
],
"member_review_units": [
"M3",
"M18",
"M26"
],
"member_controls": [
"AUTH-2788-A01",
"COMP-3332-A03",
"INC-091-A07",
"LOG-1506-A05",
"LOG-1549-A02",
"LOG-1959-A07",
"LOG-1959-A11",
"LOG-353-A19",
"NET-1626-A02",
"NET-1626-A03",
"NET-1760-A05",
"SEC-3855",
"SEC-3855-A02",
"SEC-5843-A01",
"SEC-5843-A04",
"SEC-5925-A05",
"SEC-6712",
"SEC-6712-A02",
"SEC-6712-A04",
"SEC-8327-A03",
"SEC-8327-A05",
"SEC-8327-A09"
],
"member_count": 22,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.9,
"source_meta_cluster": "M3",
"cluster_size": 14,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access",
"cross_family_ref": "event_logging_security_events (cra_logging.json)"
},
{
"id": "remote_access_user_validation_ot",
"name": "Identifizierung und Validierung von Fernzugriffsnutzern (ICS/OT)",
"description": "Benutzer mit Fernzugriff auf ICS/SCADA-Systeme sind zu identifizieren, zu validieren und Fernzugriffskanaele zu pruefen; OT-spezifische Absicherung.",
"tier": "BEST_PRACTICE",
"subdomain": "ics_ot",
"applicability": "domain:ics_ot",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "BSI",
"anchor": "ICS Security Kompendium",
"role": "best_practice"
}
],
"member_review_units": [
"M8",
"M16"
],
"member_controls": [
"CRYP-1756-A03",
"CRYP-1756-A04",
"CRYP-191",
"CRYP-2191-A11",
"NET-082-A02",
"NET-082-A03",
"NET-082-A15",
"NET-082-A16",
"NET-091",
"NET-1364-A01",
"NET-991-A02",
"SEC-4140-A02",
"SEC-5025-A08",
"SEC-5787-A01",
"SEC-5877-A03"
],
"member_count": 15,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.84,
"source_meta_cluster": "M8",
"cluster_size": 13,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_training",
"name": "Schulung zur sicheren Nutzung von Fernzugriff",
"description": "Autorisierte Nutzer sind zur sicheren Nutzung von Fernzugriff und mobilen Geraeten zu schulen.",
"tier": "BEST_PRACTICE",
"subdomain": "awareness",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": false,
"evidence": true
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "ISO",
"anchor": "ISO/IEC 27001 A.6.3",
"role": "best_practice"
}
],
"member_review_units": [
"M19"
],
"member_controls": [
"NET-1758",
"NET-1758-A01",
"NET-1758-A03",
"NET-1809",
"NET-1809-A01",
"NET-1809-A02",
"SEC-5877",
"SEC-6795-A05",
"SEC-6802-A03",
"SEC-8873-A03"
],
"member_count": 10,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.8,
"source_meta_cluster": "M19",
"cluster_size": 10,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_architecture_design",
"name": "Architektur-Design fuer sicheren Fernzugriff",
"description": "Fernzugriffsarchitektur ist sicher zu konzipieren (Gateway/Agent-basiert, Zero-Trust, dedizierte isolierte Kanaele, Segmentierung).",
"tier": "BEST_PRACTICE",
"subdomain": "architecture",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-207 Zero Trust",
"role": "best_practice"
}
],
"member_review_units": [
"M22",
"M24",
"M25"
],
"member_controls": [
"NET-543-A73",
"SEC-3867-A01",
"SEC-3867-A02",
"SEC-5858-A01",
"SEC-5858-A05",
"SEC-6712-A03",
"SEC-7969",
"SEC-8327-A04",
"SEC-8334-A13"
],
"member_count": 9,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.78,
"source_meta_cluster": "M22",
"cluster_size": 1,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_attack_surface_min",
"name": "Minimierung der Fernzugriffs-Angriffsflaeche",
"description": "Unnoetige Backdoors und Fernzugriffsschnittstellen sind zu deaktivieren; offene Ports/Schnittstellen zu inventarisieren und zu schuetzen.",
"tier": "LEGAL_MINIMUM",
"subdomain": "hardening",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": false
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(2)(a)",
"citation": "Bereitstellung ohne bekannte ausnutzbare Schwachstellen / minimierte Angriffsflaeche"
}
],
"guidance_basis": [],
"member_review_units": [
"M15",
"M20",
"M10"
],
"member_controls": [
"DATA-4692-A04",
"LOG-1170-A08",
"LOG-1495-A07",
"NET-1363",
"NET-1626-A10",
"NET-1855",
"NET-1855-A04",
"NET-1855-A10",
"NET-908-A02",
"NET-942",
"NET-942-A02",
"SEC-476",
"SEC-5787-A02",
"SEC-6930",
"SEC-8327",
"SEC-8327-A01",
"SEC-8327-A02",
"SEC-8327-A08",
"SEC-8507-A01"
],
"member_count": 19,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.83,
"source_meta_cluster": "M15",
"cluster_size": 6,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access",
"specializes": "attack_surface_minimization",
"objective_tags": [
"attack_surface"
]
},
{
"id": "remote_access_vuln_patch_mgmt",
"name": "Schwachstellen- und Patchmanagement fuer Fernwartungssoftware",
"description": "Schwachstellen in Fernwartungssoftware sind zu beobachten und regelmaessige Patch-/Updatezyklen sicherzustellen; Penetrationstests der Fernwartungsschnittstellen.",
"tier": "LEGAL_MINIMUM",
"subdomain": "vulnerability_management",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": true
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (2)(1)",
"citation": "Behandlung und Behebung von Schwachstellen, Sicherheitsupdates"
}
],
"guidance_basis": [
{
"source": "OWASP",
"anchor": "ASVS",
"role": "best_practice"
}
],
"member_review_units": [
"M15",
"M20",
"M14"
],
"member_controls": [
"NET-1237",
"NET-1343",
"NET-1363",
"NET-1364",
"NET-1855",
"NET-1855-A04",
"NET-1855-A10",
"NET-942",
"NET-942-A02",
"SEC-476",
"SEC-4872-A13",
"SEC-5787-A02",
"SEC-5858-A08",
"SEC-8327",
"SEC-8327-A01",
"SEC-8327-A02",
"SEC-8327-A08"
],
"member_count": 17,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.82,
"source_meta_cluster": "M15",
"cluster_size": 6,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access",
"cross_family_ref": "vuln-Familie (cra.json)"
},
{
"id": "remote_access_threat_detection",
"name": "Erkennung von Bedrohungen bei Fernzugriff",
"description": "Erkennungsmechanismen fuer Remote Access Trojans und verdaechtige Remote-Zugriffsmuster (EDR-Logs, APT-Abwehr).",
"tier": "BEST_PRACTICE",
"subdomain": "detection",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": true
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-94",
"role": "best_practice"
}
],
"member_review_units": [
"M20"
],
"member_controls": [
"NET-1855",
"NET-1855-A04",
"NET-1855-A10",
"NET-942",
"NET-942-A02",
"SEC-5787-A02"
],
"member_count": 6,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.79,
"source_meta_cluster": "M20",
"cluster_size": 6,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_maintenance_governance",
"name": "Governance externer Fernwartung",
"description": "Permanente Fernwartung durch externe Dienstleister erfordert Genehmigung, Zeitbegrenzung, vertragliche Regelung und Dokumentation (inkl. Auftragsverarbeitung).",
"tier": "BEST_PRACTICE",
"subdomain": "maintenance_governance",
"applicability": "conditional:external_maintenance_provider",
"evidence_facets": {
"governance": true,
"capability": false,
"evidence": true
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "BSI",
"anchor": "IT-Grundschutz OPS.2.3",
"role": "best_practice"
}
],
"member_review_units": [
"M18",
"M10",
"M9"
],
"member_controls": [
"DATA-4409",
"DATA-4692-A04",
"GOV-524",
"GOV-524-A12",
"LOG-1170-A08",
"LOG-1495-A07",
"NET-1626-A03",
"NET-1626-A10",
"NET-1760-A05",
"NET-908-A02",
"SEC-3855",
"SEC-3855-A02",
"SEC-6712",
"SEC-6712-A02",
"SEC-6930",
"SEC-8507-A01"
],
"member_count": 16,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.8,
"source_meta_cluster": "M18",
"cluster_size": 6,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "temporary_remote_access_mgmt",
"name": "Verwaltung temporaerer Fernzugriffe",
"description": "Temporaere Fernzugriffe sind sicher zu verwalten, zeitlich zu begrenzen und nach Nutzung zu entziehen.",
"tier": "BEST_PRACTICE",
"subdomain": "access_control",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "AC-2(5)",
"role": "best_practice"
}
],
"member_review_units": [
"M14"
],
"member_controls": [
"NET-1237",
"NET-1343",
"NET-1364",
"SEC-4872-A13",
"SEC-5858-A08"
],
"member_count": 5,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.78,
"source_meta_cluster": "M14",
"cluster_size": 5,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
},
{
"id": "remote_access_data_export_protection",
"name": "Schutz von Datenexport ueber Support-Fernzugriff",
"description": "Download-/Export-Einschraenkungen bei Fernzugriff; Datenexport ueber Support-Fernzugriff technisch verhindern, insb. EU-Kundendaten.",
"tier": "BEST_PRACTICE",
"subdomain": "data_protection",
"applicability": "conditional:support_remote_access_to_customer_data",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "AC-4",
"role": "best_practice"
}
],
"member_review_units": [
"M17",
"M2"
],
"member_controls": [
"AUTH-2461-A05",
"AUTH-3915-A07",
"AUTH-3980-A05",
"AUTH-894-A03",
"AUTH-894-A08",
"AUTH-894-A14",
"AUTH-894-A19",
"AUTH-894-A24",
"CRYP-1700",
"CRYP-1938-A02",
"NET-082-A05",
"NET-082-A17",
"NET-082-A18",
"NET-1547",
"NET-1547-A01",
"NET-1547-A03",
"NET-1787",
"NET-1787-A11",
"NET-375-A07",
"SEC-3870",
"SEC-6795-A02",
"SEC-8334-A06"
],
"member_count": 22,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.77,
"source_meta_cluster": "M17",
"cluster_size": 3,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access",
"tier_note": "Bleibt BEST_PRACTICE (NICHT LM) bis Data-Act/Export-Scope sauber ist (User #5b.6). Evtl. Capability-or-Procedure statt Obligation."
},
{
"id": "component_remote_interface_security",
"name": "Sicherheit von Komponenten mit Fernzugriffsschnittstellen",
"description": "Komponenten mit Fernzugriffs- oder lokalen IT-Schnittstellen sind hinsichtlich Sicherheit zu pruefen und abzusichern.",
"tier": "BEST_PRACTICE",
"subdomain": "product_security",
"applicability": "conditional:component_with_remote_interface",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "CM-7",
"role": "best_practice"
}
],
"member_review_units": [
"M4"
],
"member_controls": [
"COMP-1727-A01",
"NET-925-A04",
"SEC-3155-A02"
],
"member_count": 3,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "curated_retier_mechanism",
"provenance": {
"discovery_confidence": 0.75,
"source_meta_cluster": "M4",
"cluster_size": 3,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access",
"specializes": "attack_surface_minimization",
"objective_tags": [
"attack_surface"
]
},
{
"id": "remote_access_fallback_concept",
"name": "Betriebskonzept mit Fallback fuer Fernzugriff",
"description": "Betriebskonzept mit Fallback-Szenarien und alternativen Kommunikationswegen bei Ausfall des Fernzugriffs.",
"tier": "BEST_PRACTICE",
"subdomain": "resilience",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": false,
"evidence": false
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "ISO",
"anchor": "ISO/IEC 27001 A.5.30",
"role": "best_practice"
}
],
"member_review_units": [
"M24"
],
"member_controls": [
"SEC-3867-A01",
"SEC-3867-A02",
"SEC-7969"
],
"member_count": 3,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.72,
"source_meta_cluster": "M24",
"cluster_size": 3,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "remote_access"
}
],
"relationships": [
{
"type": "supports",
"from": "remote_access_encryption",
"to": "remote_access_confidentiality_integrity",
"note": "Verschluesselung realisiert Vertraulichkeit/Integritaet"
},
{
"type": "supports",
"from": "remote_access_mfa",
"to": "remote_access_control_least_privilege",
"note": "MFA unterstuetzt Zugriffskontrolle"
},
{
"type": "implements",
"from": "reject_insecure_remote_protocols",
"to": "remote_access_encryption",
"note": "Verbot unsicherer Protokolle setzt Verschluesselungspflicht durch"
},
{
"type": "produces_evidence_for",
"from": "remote_access_logging_audit",
"to": "remote_maintenance_governance",
"note": "Logs belegen genehmigte Fernwartung"
},
{
"type": "supports",
"from": "remote_access_threat_detection",
"to": "remote_access_logging_audit",
"note": "Detection nutzt Logdaten"
},
{
"type": "supports",
"from": "remote_access_architecture_design",
"to": "remote_access_control_least_privilege",
"note": "Zero-Trust/Segmentierung unterstuetzt Least Privilege"
},
{
"type": "depends_on",
"from": "temporary_remote_access_mgmt",
"to": "remote_maintenance_governance",
"note": "Temporaere Zugriffe oft fuer externe Wartung"
},
{
"type": "supports",
"from": "remote_session_management",
"to": "remote_access_control_least_privilege",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "implements",
"from": "remote_access_encryption",
"to": "remote_access_confidentiality_integrity",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "supports",
"from": "reject_insecure_remote_protocols",
"to": "remote_access_confidentiality_integrity",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "supports",
"from": "remote_access_user_validation_ot",
"to": "remote_access_control_least_privilege",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "supports",
"from": "remote_maintenance_governance",
"to": "remote_access_control_least_privilege",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "supports",
"from": "temporary_remote_access_mgmt",
"to": "remote_access_control_least_privilege",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "supports",
"from": "remote_access_data_export_protection",
"to": "remote_access_confidentiality_integrity",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "supports",
"from": "component_remote_interface_security",
"to": "remote_access_attack_surface_min",
"note": "Mechanismus/Umsetzung der LM-Pflicht (CRA fordert Outcome, nicht Mechanismus)"
},
{
"type": "out_of_scope",
"review_units": [
"M5",
"M11"
],
"note": "Physische Maschinen-Fernsteuerung/Ergonomie/Gefahrenzonen-Sicherheit (MaschinenVO 2023/1230), keine Cybersecurity-Fernwartung"
}
]
}