breakpilot-compliance/obligations/cra_updates.json
Benjamin Admin 4e761c1363 feat: #5b materialize capability layer (Modell C) — capabilities.json + cra_core.json
User-Entscheidung Modell C + objective_tags-Safeguard (Tags, keine Klasse). Deterministisch
via materialize_capabilities.py:
- obligations/capabilities.json: 5 Capabilities (multi_factor_authentication/session_management/
  transport_encryption/code_signing/security_monitoring_alerting), realized_by (n:m) +
  guidance_basis KANONISCH hochgezogen. access_control gedroppt (OVERLAP).
- obligations/cra_core.json: 2 CORE-Sicherheitsziele (attack_surface_minimization (2)(j)/CM-7 +
  software_integrity_protection (2)(f)/SI-7) -> fuellt den #4-NIST-Gap.
- DOMAIN specializes->CORE (remote_access_attack_surface_min, component_remote_interface_security,
  signed_update_integrity, firmware_software_authentication) + objective_tags.
- Merge: vuln_remediation_patching -> deprecated_alias von provide_security_updates.
- remote_access_data_export_protection bleibt BEST_PRACTICE (pending Data-Act-Scope).
- join_keys 93->95 (core 2). Bidirektional validiert.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-26 00:54:23 +02:00


{
"schema_version": "obligation_registry_v1",
"regulation": "CRA",
"regulation_code": "CRA",
"family": "updates",
"theme": "Security Updates / Patch Management (CRA Annex I (2)(c), Art 13)",
"generated_by": "obligation_discovery/claude-opus-4-8",
"synthesis_version": "v1",
"citation_status": "pending_span_anchor",
"curation": {
"curated_by": "obligation-registry-session 2026-06-25",
"method": "two-stage clustering (670->318 micro->15 review-units) -> Opus synthesis -> LIGHT review (keine Hart-Re-Tier)",
"scope_controls": 670,
"micro_clusters": 318,
"review_units": 15,
"obligations": 9,
"tier_split": {
"LEGAL_MINIMUM": 6,
"BEST_PRACTICE": 3
},
"out_of_scope": [
"M4 (allg. digitale Veraenderungen)",
"M7 (TLS-Proxy-Kanalverwaltung)"
],
"tiering_note": "Synthese DIESMAL gut kalibriert (6 LM / 3 BP) -> KEINE Hart-Kuration noetig (vs Auth 14->6, Remote-Access 14->5). LM mehrheitlich echte CRA-Update-Outcomes: provide_security_updates ((2)(c)/Art13) · support_period_maintenance (Art13(8)) · automatic_updates_optout (steht WOERTLICH in (2)(c): Auto-Updates als Default mit Opt-out) · update_risk_assessment.",
"borderline_deferred": "signed_update_integrity + trusted_update_source = OUTCOME(Integritaet/Authentizitaet)+MECHANISMUS(Signatur/Quelle)-Mischung. Tier-Linie im Cross-Domain-Review final ziehen, NICHT jetzt (User-Methodik: borderline nicht vorzeitig tiern).",
"capability_candidates": [
"signed_update_integrity",
"trusted_update_source",
"automatic_updates_optout",
"update_rollback",
"update_testing_validation"
],
"capability_signal": "STARKES Signal fuer die Capability-Hypothese: signed/trusted/automatic/rollback/testing sind technische FAEHIGKEITEN, die das eine LM-Outcome provide_security_updates erfuellen. Das LLM tiert sie INKONSISTENT (signed/trusted/automatic->LM, rollback/testing->BP), genau weil Outcome vs Capability nicht sauber trennbar ist (User-Diagnose). Phase 4: Regulation->Obligation->CAPABILITY->Procedure->Control->Evidence.",
"anchor_quality": "Anker approximativ (Opus): '(1)(3)(f)'/'(1)(3)(d)' entsprechen keiner exakten CRA-Annex-I-Struktur (Part I (2) hat Buchstaben a-m, kein Punkt (3)). support_period korrekt Art 13(8); provide_security_updates korrekt (2)(c). Span-genau mit Re-Ingest. NICHT auf Anker joinen."
},
"obligations": [
{
"id": "provide_security_updates",
"name": "Bereitstellung von Sicherheitsupdates",
"description": "Hersteller stellen wirksame Sicherheitsupdates und Patches zur Behebung von Schwachstellen ueber den gesamten Support-Zeitraum regelmaessig und kostenlos bereit, inkl. strukturiertem Patch-Management-Verfahren.",
"tier": "LEGAL_MINIMUM",
"subdomain": "patch_provisioning",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": true
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (2)(c)",
"citation": "Schwachstellen durch Sicherheitsupdates ohne Verzug behandeln, einschliesslich automatischer Updates und Benachrichtigung."
},
{
"source": "CRA",
"anchor": "Art. 13",
"citation": "Pflicht zur Bereitstellung von Sicherheitsupdates waehrend des Support-Zeitraums."
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-40 Patch Management",
"role": "best_practice"
},
{
"source": "BSI",
"anchor": "OPS.1.1.3 Patch- und Aenderungsmanagement",
"role": "best_practice"
}
],
"member_review_units": [
"M0",
"M2",
"M6",
"M14"
],
"member_controls": [
"ACC-605-A06",
"ACC-650-A06",
"AI-1827-A04",
"AI-462-A06",
"AI-462-A07",
"AI-462-A17",
"AI-810-A12",
"AI-810-A19",
"AUTH-101-A19",
"AUTH-101-A22",
"AUTH-1086-A02",
"AUTH-1086-A04",
"AUTH-1090-A04",
"AUTH-1520-A03",
"AUTH-1538-A02",
"AUTH-1538-A03",
"AUTH-1538-A11",
"AUTH-1630-A03",
"AUTH-1630-A07",
"AUTH-1710-A03",
"AUTH-1742",
"AUTH-1742-A02",
"AUTH-1742-A03",
"AUTH-1742-A04",
"AUTH-1742-A05",
"AUTH-1742-A06",
"AUTH-1742-A07",
"AUTH-1746",
"AUTH-182",
"AUTH-187-A05",
"AUTH-1925-A02",
"AUTH-1925-A06",
"AUTH-197-A13",
"AUTH-2480",
"AUTH-2543",
"AUTH-2563-A01",
"AUTH-2563-A02",
"AUTH-2679-A08",
"AUTH-2868",
"AUTH-2913-A08",
"AUTH-2942",
"AUTH-2942-A01",
"AUTH-2942-A06",
"AUTH-2959",
"AUTH-2998-A01",
"AUTH-2998-A04",
"AUTH-2998-A08",
"AUTH-3009-A15",
"AUTH-3169-A01",
"AUTH-3169-A07",
"AUTH-3649-A09",
"AUTH-3704-A03",
"AUTH-3704-A04",
"AUTH-3823",
"AUTH-3960",
"AUTH-3961-A01",
"AUTH-3974-A07",
"AUTH-4034",
"AUTH-4034-A01",
"AUTH-4034-A04",
"AUTH-4048-A02",
"AUTH-513",
"COMP-074-A05",
"COMP-1052",
"COMP-1123-A06",
"COMP-1261-A01",
"COMP-1907-A08",
"COMP-2768-A01",
"COMP-2969-A01",
"COMP-2969-A02",
"COMP-2969-A05",
"COMP-2969-A06",
"COMP-2969-A07",
"COMP-2970-A03",
"COMP-2970-A04",
"COMP-2970-A05",
"COMP-2991-A09",
"COMP-3030-A09",
"COMP-3360-A04",
"COMP-3411-A04",
"COMP-3411-A07",
"COMP-3548-A07",
"COMP-3990-A01",
"COMP-4063-A10",
"COMP-4119",
"COMP-652",
"COMP-652-A01",
"COMP-652-A05",
"COMP-995-A14",
"COMP-995-A15",
"CRYP-1332",
"CRYP-1332-A03",
"CRYP-1624",
"CRYP-1805-A06",
"CRYP-1805-A12",
"CRYP-1886-A03",
"CRYP-2073-A03",
"CRYP-2289-A10",
"CRYP-2359-A02",
"CRYP-2359-A07",
"CRYP-2361-A12",
"CRYP-415-A07",
"CRYP-415-A30",
"CRYP-415-A41",
"CRYP-415-A49",
"CRYP-723-A14",
"CRYP-882-A05",
"CRYP-882-A06",
"CRYP-882-A14",
"CRYP-882-A15",
"CRYP-898-A03",
"DATA-1435-A10",
"DATA-1435-A11",
"DATA-2374-A06",
"DATA-2486-A02",
"DATA-265-A07",
"DATA-3995-A04",
"DATA-4193-A01",
"DATA-4193-A07",
"DATA-4674-A07",
"DATA-4679",
"DATA-673-A05",
"DATA-673-A10",
"GOV-2281-A04",
"GOV-2540-A07",
"GOV-3106-A03",
"GOV-3108-A01",
"GOV-3108-A05",
"HLT-018-A13",
"HLT-114-A05",
"HLT-114-A41",
"HLT-372-A03",
"HLT-519-A04",
"HLT-519-A09",
"INC-241",
"LOG-1409-A04",
"LOG-1410",
"LOG-1410-A10",
"LOG-1511-A10",
"LOG-1547-A11",
"LOG-1730-A05",
"LOG-1730-A09",
"LOG-1741-A01",
"LOG-1741-A02",
"LOG-1741-A05",
"LOG-1741-A06",
"LOG-1741-A08",
"LOG-1749",
"LOG-1759-A13",
"LOG-1760",
"LOG-1760-A01",
"LOG-1760-A06",
"LOG-1770-A06",
"LOG-1774-A06",
"LOG-1774-A11",
"LOG-1838-A06",
"LOG-2074-A06",
"LOG-2074-A09",
"LOG-2075",
"LOG-2078",
"LOG-2078-A03",
"LOG-903-A06",
"LOG-904-A02",
"NET-077-A05",
"NET-077-A23",
"NET-1196-A12",
"NET-1196-A13",
"NET-125-A09",
"NET-125-A17",
"NET-1306-A04",
"NET-1317-A02",
"NET-1351-A10",
"NET-1465-A05",
"NET-1482-A12",
"NET-1494-A12",
"NET-1626-A12",
"NET-1637-A03",
"NET-1744",
"NET-1744-A01",
"NET-1841-A04",
"NET-1841-A05",
"NET-1856-A02",
"NET-1858-A02",
"NET-1864-A09",
"NET-1864-A13",
"NET-1868",
"NET-1868-A07",
"NET-248-A06",
"NET-248-A12",
"NET-373-A02",
"NET-373-A10",
"NET-476-A14",
"NET-476-A83",
"NET-892-A04",
"NET-904-A05",
"NET-981-A01",
"NET-981-A09",
"NET-981-A10",
"OPS-003",
"OPS-003-A01",
"OPS-003-A02",
"OPS-003-A05",
"OPS-003-A06",
"OPS-003-A09",
"PCM-003",
"PCM-003-A01",
"PCM-003-A02",
"SEC-1041",
"SEC-1041-A01",
"SEC-1041-A02",
"SEC-1041-A03",
"SEC-1041-A04",
"SEC-1041-A05",
"SEC-1041-A06",
"SEC-1041-A07",
"SEC-1042",
"SEC-1042-A01",
"SEC-1042-A02",
"SEC-1042-A03",
"SEC-1042-A04",
"SEC-1042-A06",
"SEC-110-A02",
"SEC-110-A03",
"SEC-110-A06",
"SEC-120-A07",
"SEC-120-A18",
"SEC-1218-A03",
"SEC-1218-A12",
"SEC-1243-A03",
"SEC-1243-A04",
"SEC-1247-A02",
"SEC-1252",
"SEC-1254-A04",
"SEC-1254-A07",
"SEC-126",
"SEC-126-A05",
"SEC-132",
"SEC-132-A05",
"SEC-132-A12",
"SEC-150",
"SEC-171-A10",
"SEC-171-A28",
"SEC-171-A41",
"SEC-179-A02",
"SEC-179-A07",
"SEC-182-A01",
"SEC-182-A12",
"SEC-195-A07",
"SEC-195-A13",
"SEC-279-A05",
"SEC-279-A10",
"SEC-295",
"SEC-3019-A01",
"SEC-3150-A02",
"SEC-3150-A03",
"SEC-3166-A01",
"SEC-3166-A05",
"SEC-3166-A06",
"SEC-3167-A01",
"SEC-3167-A02",
"SEC-3169-A03",
"SEC-3175",
"SEC-3175-A01",
"SEC-3175-A04",
"SEC-3175-A06",
"SEC-3175-A10",
"SEC-3325-A08",
"SEC-339-A08",
"SEC-339-A09",
"SEC-339-A19",
"SEC-342-A10",
"SEC-342-A26",
"SEC-349",
"SEC-3665",
"SEC-3665-A01",
"SEC-3665-A02",
"SEC-3665-A05",
"SEC-3676-A06",
"SEC-3680-A04",
"SEC-3680-A10",
"SEC-3719-A05",
"SEC-3725",
"SEC-3725-A01",
"SEC-3725-A02",
"SEC-3725-A03",
"SEC-3725-A04",
"SEC-3740-A02",
"SEC-3740-A05",
"SEC-3740-A06",
"SEC-3740-A07",
"SEC-376",
"SEC-3789-A01",
"SEC-3789-A02",
"SEC-3829-A01",
"SEC-3829-A02",
"SEC-3829-A03",
"SEC-3829-A04",
"SEC-3834-A01",
"SEC-3834-A02",
"SEC-3834-A03",
"SEC-3834-A04",
"SEC-3834-A06",
"SEC-3834-A07",
"SEC-3835-A04",
"SEC-3838-A01",
"SEC-3838-A02",
"SEC-3838-A07",
"SEC-3838-A08",
"SEC-3838-A09",
"SEC-3839-A04",
"SEC-3839-A07",
"SEC-3845-A10",
"SEC-3847",
"SEC-3847-A02",
"SEC-3847-A05",
"SEC-3858",
"SEC-3875-A05",
"SEC-3885-A01",
"SEC-3885-A02",
"SEC-3885-A04",
"SEC-3928",
"SEC-3928-A05",
"SEC-3928-A06",
"SEC-3931-A04",
"SEC-3931-A11",
"SEC-3936-A03",
"SEC-3949-A05",
"SEC-3963-A03",
"SEC-3963-A04",
"SEC-3963-A05",
"SEC-3963-A06",
"SEC-3970",
"SEC-3970-A03",
"SEC-3972-A01",
"SEC-3972-A02",
"SEC-3972-A06",
"SEC-3972-A07",
"SEC-3972-A09",
"SEC-3972-A10",
"SEC-3972-A13",
"SEC-3974-A06",
"SEC-3985-A02",
"SEC-3995",
"SEC-3995-A01",
"SEC-3995-A02",
"SEC-3995-A03",
"SEC-3995-A04",
"SEC-3995-A05",
"SEC-3999",
"SEC-3999-A01",
"SEC-3999-A03",
"SEC-4005-A01",
"SEC-4005-A02",
"SEC-4018-A03",
"SEC-4081-A02",
"SEC-4081-A03",
"SEC-4191",
"SEC-4191-A02",
"SEC-4195",
"SEC-4195-A02",
"SEC-4195-A08",
"SEC-4209-A03",
"SEC-445",
"SEC-4559-A01",
"SEC-4567-A01",
"SEC-4567-A06",
"SEC-462-A12",
"SEC-470",
"SEC-4945-A04",
"SEC-4966-A01",
"SEC-4966-A09",
"SEC-4970-A04",
"SEC-4970-A17",
"SEC-4988-A04",
"SEC-5109",
"SEC-5109-A01",
"SEC-5109-A02",
"SEC-5528",
"SEC-5528-A01",
"SEC-5532-A02",
"SEC-5541-A03",
"SEC-5640-A08",
"SEC-5640-A09",
"SEC-5748",
"SEC-5767-A02",
"SEC-5769-A05",
"SEC-5770",
"SEC-5804-A07",
"SEC-5818",
"SEC-5818-A10",
"SEC-5835",
"SEC-5835-A01",
"SEC-5835-A05",
"SEC-5850-A03",
"SEC-5850-A06",
"SEC-5851-A01",
"SEC-5851-A02",
"SEC-5851-A03",
"SEC-5851-A04",
"SEC-5851-A12",
"SEC-5908",
"SEC-5909",
"SEC-5912-A01",
"SEC-5912-A03",
"SEC-5921-A02",
"SEC-5921-A07",
"SEC-5923-A04",
"SEC-5923-A05",
"SEC-5924-A02",
"SEC-5925-A02",
"SEC-5930-A08",
"SEC-5931",
"SEC-5934-A04",
"SEC-5941-A02",
"SEC-5941-A03",
"SEC-5941-A06",
"SEC-5941-A07",
"SEC-5941-A08",
"SEC-5947-A06",
"SEC-5947-A07",
"SEC-5954-A04",
"SEC-6092-A03",
"SEC-6096-A03",
"SEC-6098",
"SEC-6105-A01",
"SEC-6105-A03",
"SEC-6105-A04",
"SEC-6105-A08",
"SEC-6105-A12",
"SEC-6224",
"SEC-6431-A07",
"SEC-6431-A08",
"SEC-6440-A02",
"SEC-6815-A03",
"SEC-6889-A01",
"SEC-6890-A01",
"SEC-691",
"SEC-6913-A02",
"SEC-6918",
"SEC-6928-A04",
"SEC-6928-A10",
"SEC-6928-A13",
"SEC-6991-A01",
"SEC-6993-A01",
"SEC-6996",
"SEC-7016",
"SEC-7018-A05",
"SEC-7024-A02",
"SEC-7026-A01",
"SEC-7026-A06",
"SEC-7037-A04",
"SEC-7037-A06",
"SEC-7044",
"SEC-7049",
"SEC-7056-A05",
"SEC-7056-A10",
"SEC-7056-A11",
"SEC-7060-A02",
"SEC-7060-A07",
"SEC-7067-A01",
"SEC-7077",
"SEC-7077-A01",
"SEC-7082-A01",
"SEC-7084",
"SEC-7097-A01",
"SEC-710",
"SEC-7100-A01",
"SEC-7109-A01",
"SEC-7109-A06",
"SEC-7110-A01",
"SEC-7113",
"SEC-7117-A02",
"SEC-7117-A08",
"SEC-7128-A07",
"SEC-7237-A03",
"SEC-7577-A02",
"SEC-7581-A01",
"SEC-7621-A04",
"SEC-7678",
"SEC-7803-A08",
"SEC-8324",
"SEC-8324-A09",
"SEC-8326",
"SEC-8326-A01",
"SEC-8326-A02",
"SEC-8326-A06",
"SEC-8326-A07",
"SEC-8327-A01",
"SEC-8334-A01",
"SEC-8334-A02",
"SEC-8334-A10",
"SEC-8801-A05",
"SEC-8801-A08",
"SEC-8801-A09",
"SEC-8801-A10",
"SEC-8806",
"SEC-8829-A03",
"SEC-8839",
"SEC-8842",
"SEC-8842-A01",
"SEC-8842-A03",
"SEC-8842-A04",
"SEC-8842-A05",
"SEC-8842-A08",
"SEC-8842-A09",
"SEC-8842-A10",
"SEC-8842-A11",
"SEC-8842-A12",
"SEC-8842-A14",
"SEC-8871",
"SEC-8871-A01",
"SEC-8871-A04",
"SEC-8871-A06",
"SEC-8871-A07",
"SEC-8871-A08",
"SEC-8871-A09",
"SEC-8880",
"SEC-8888-A01",
"SEC-8888-A11",
"SEC-8923",
"SEC-8991-A02",
"SEC-8991-A09",
"SEC-8997",
"SEC-8997-A03",
"SEC-8998-A02",
"SEC-8998-A04",
"SEC-8999",
"SEC-8999-A01",
"SEC-8999-A03",
"SEC-8999-A06",
"SEC-9002-A01",
"SEC-9002-A06",
"SEC-9003",
"SEC-9003-A01",
"SEC-9007",
"SEC-9007-A02",
"SEC-9007-A05",
"SEC-9009-A03",
"SEC-9009-A04",
"SEC-9009-A05",
"SEC-9009-A06",
"SEC-9019-A04",
"SEC-9027",
"SEC-9029",
"SEC-9033-A01",
"SEC-9033-A02",
"SEC-9033-A04",
"SEC-9033-A05",
"SEC-9033-A06",
"SEC-9035-A01",
"SEC-9035-A06",
"SEC-9036",
"SEC-9039",
"SEC-9039-A01",
"SEC-9039-A04",
"SEC-9045-A06",
"SEC-9055",
"SEC-9055-A01",
"SEC-9062-A04",
"SEC-9073-A10",
"SEC-9107",
"SEC-9107-A02",
"SEC-9107-A03",
"SEC-9110-A04",
"SEC-9115",
"SEC-9116-A01",
"SEC-9116-A02",
"SEC-9116-A03",
"SEC-9116-A04",
"SEC-9129",
"SEC-9129-A07",
"SEC-9129-A08",
"SEC-9129-A09",
"SEC-9135-A09",
"SYS-002",
"SYS-002-A05",
"VUL-001",
"VUL-001-A05"
],
"member_count": 578,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.95,
"source_meta_cluster": "M0",
"cluster_size": 574,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates"
},
{
"id": "support_period_maintenance",
"name": "Wartung waehrend des Support-Zeitraums",
"description": "Festlegung und Umsetzung von Wartungs- und Pflegemassnahmen inkl. Haeufigkeit ueber den definierten Support-Zeitraum.",
"tier": "LEGAL_MINIMUM",
"subdomain": "support_period",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": true
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Art. 13(8)",
"citation": "Bestimmung des Support-Zeitraums entsprechend der erwarteten Nutzungsdauer."
}
],
"guidance_basis": [],
"member_review_units": [
"M0"
],
"member_controls": [
"ACC-605-A06",
"ACC-650-A06",
"AI-1827-A04",
"AI-462-A06",
"AI-462-A07",
"AI-462-A17",
"AI-810-A12",
"AI-810-A19",
"AUTH-101-A19",
"AUTH-101-A22",
"AUTH-1086-A02",
"AUTH-1086-A04",
"AUTH-1090-A04",
"AUTH-1520-A03",
"AUTH-1538-A02",
"AUTH-1538-A03",
"AUTH-1538-A11",
"AUTH-1630-A03",
"AUTH-1630-A07",
"AUTH-1710-A03",
"AUTH-1742",
"AUTH-1742-A02",
"AUTH-1742-A03",
"AUTH-1742-A04",
"AUTH-1742-A05",
"AUTH-1742-A06",
"AUTH-1742-A07",
"AUTH-1746",
"AUTH-182",
"AUTH-187-A05",
"AUTH-1925-A02",
"AUTH-1925-A06",
"AUTH-197-A13",
"AUTH-2480",
"AUTH-2543",
"AUTH-2563-A01",
"AUTH-2563-A02",
"AUTH-2679-A08",
"AUTH-2913-A08",
"AUTH-2942",
"AUTH-2942-A01",
"AUTH-2942-A06",
"AUTH-2959",
"AUTH-2998-A01",
"AUTH-2998-A04",
"AUTH-2998-A08",
"AUTH-3009-A15",
"AUTH-3169-A01",
"AUTH-3169-A07",
"AUTH-3649-A09",
"AUTH-3704-A03",
"AUTH-3704-A04",
"AUTH-3823",
"AUTH-3960",
"AUTH-3961-A01",
"AUTH-3974-A07",
"AUTH-4034",
"AUTH-4034-A01",
"AUTH-4034-A04",
"AUTH-4048-A02",
"AUTH-513",
"COMP-074-A05",
"COMP-1052",
"COMP-1123-A06",
"COMP-1261-A01",
"COMP-1907-A08",
"COMP-2768-A01",
"COMP-2969-A01",
"COMP-2969-A02",
"COMP-2969-A05",
"COMP-2969-A06",
"COMP-2969-A07",
"COMP-2970-A03",
"COMP-2970-A04",
"COMP-2970-A05",
"COMP-2991-A09",
"COMP-3030-A09",
"COMP-3360-A04",
"COMP-3411-A04",
"COMP-3411-A07",
"COMP-3548-A07",
"COMP-3990-A01",
"COMP-4063-A10",
"COMP-4119",
"COMP-652",
"COMP-652-A01",
"COMP-652-A05",
"COMP-995-A14",
"COMP-995-A15",
"CRYP-1332",
"CRYP-1332-A03",
"CRYP-1805-A06",
"CRYP-1805-A12",
"CRYP-1886-A03",
"CRYP-2073-A03",
"CRYP-2289-A10",
"CRYP-2359-A02",
"CRYP-2359-A07",
"CRYP-2361-A12",
"CRYP-415-A07",
"CRYP-415-A30",
"CRYP-415-A41",
"CRYP-415-A49",
"CRYP-723-A14",
"CRYP-882-A05",
"CRYP-882-A06",
"CRYP-882-A14",
"CRYP-882-A15",
"CRYP-898-A03",
"DATA-1435-A10",
"DATA-1435-A11",
"DATA-2374-A06",
"DATA-2486-A02",
"DATA-265-A07",
"DATA-3995-A04",
"DATA-4193-A01",
"DATA-4193-A07",
"DATA-4674-A07",
"DATA-4679",
"DATA-673-A05",
"DATA-673-A10",
"GOV-2281-A04",
"GOV-2540-A07",
"GOV-3106-A03",
"GOV-3108-A01",
"GOV-3108-A05",
"HLT-018-A13",
"HLT-114-A05",
"HLT-114-A41",
"HLT-372-A03",
"HLT-519-A04",
"HLT-519-A09",
"INC-241",
"LOG-1409-A04",
"LOG-1410",
"LOG-1410-A10",
"LOG-1511-A10",
"LOG-1547-A11",
"LOG-1730-A05",
"LOG-1730-A09",
"LOG-1741-A01",
"LOG-1741-A02",
"LOG-1741-A05",
"LOG-1741-A06",
"LOG-1741-A08",
"LOG-1749",
"LOG-1759-A13",
"LOG-1760",
"LOG-1760-A01",
"LOG-1760-A06",
"LOG-1770-A06",
"LOG-1774-A06",
"LOG-1774-A11",
"LOG-1838-A06",
"LOG-2074-A06",
"LOG-2074-A09",
"LOG-2075",
"LOG-2078",
"LOG-2078-A03",
"LOG-903-A06",
"LOG-904-A02",
"NET-077-A05",
"NET-077-A23",
"NET-1196-A12",
"NET-1196-A13",
"NET-125-A09",
"NET-125-A17",
"NET-1306-A04",
"NET-1317-A02",
"NET-1351-A10",
"NET-1465-A05",
"NET-1482-A12",
"NET-1494-A12",
"NET-1626-A12",
"NET-1637-A03",
"NET-1744",
"NET-1744-A01",
"NET-1841-A04",
"NET-1841-A05",
"NET-1856-A02",
"NET-1858-A02",
"NET-1864-A09",
"NET-1864-A13",
"NET-1868",
"NET-1868-A07",
"NET-248-A06",
"NET-248-A12",
"NET-373-A02",
"NET-373-A10",
"NET-476-A14",
"NET-476-A83",
"NET-892-A04",
"NET-904-A05",
"NET-981-A01",
"NET-981-A09",
"NET-981-A10",
"OPS-003",
"OPS-003-A01",
"OPS-003-A02",
"OPS-003-A05",
"OPS-003-A06",
"OPS-003-A09",
"PCM-003",
"PCM-003-A01",
"PCM-003-A02",
"SEC-1041",
"SEC-1041-A01",
"SEC-1041-A02",
"SEC-1041-A03",
"SEC-1041-A04",
"SEC-1041-A05",
"SEC-1041-A06",
"SEC-1041-A07",
"SEC-1042",
"SEC-1042-A01",
"SEC-1042-A02",
"SEC-1042-A03",
"SEC-1042-A04",
"SEC-1042-A06",
"SEC-110-A02",
"SEC-110-A03",
"SEC-110-A06",
"SEC-120-A07",
"SEC-120-A18",
"SEC-1218-A03",
"SEC-1218-A12",
"SEC-1243-A03",
"SEC-1243-A04",
"SEC-1247-A02",
"SEC-1252",
"SEC-1254-A04",
"SEC-1254-A07",
"SEC-126",
"SEC-126-A05",
"SEC-132",
"SEC-132-A05",
"SEC-132-A12",
"SEC-150",
"SEC-171-A10",
"SEC-171-A28",
"SEC-171-A41",
"SEC-179-A02",
"SEC-179-A07",
"SEC-182-A01",
"SEC-182-A12",
"SEC-195-A07",
"SEC-195-A13",
"SEC-279-A05",
"SEC-279-A10",
"SEC-295",
"SEC-3019-A01",
"SEC-3150-A02",
"SEC-3150-A03",
"SEC-3166-A01",
"SEC-3166-A05",
"SEC-3166-A06",
"SEC-3167-A01",
"SEC-3167-A02",
"SEC-3169-A03",
"SEC-3175",
"SEC-3175-A01",
"SEC-3175-A04",
"SEC-3175-A06",
"SEC-3175-A10",
"SEC-3325-A08",
"SEC-339-A08",
"SEC-339-A09",
"SEC-339-A19",
"SEC-342-A10",
"SEC-342-A26",
"SEC-349",
"SEC-3665",
"SEC-3665-A01",
"SEC-3665-A02",
"SEC-3665-A05",
"SEC-3676-A06",
"SEC-3680-A04",
"SEC-3680-A10",
"SEC-3719-A05",
"SEC-3725",
"SEC-3725-A01",
"SEC-3725-A02",
"SEC-3725-A03",
"SEC-3725-A04",
"SEC-3740-A02",
"SEC-3740-A05",
"SEC-3740-A06",
"SEC-3740-A07",
"SEC-376",
"SEC-3789-A01",
"SEC-3789-A02",
"SEC-3829-A01",
"SEC-3829-A02",
"SEC-3829-A03",
"SEC-3829-A04",
"SEC-3834-A01",
"SEC-3834-A02",
"SEC-3834-A03",
"SEC-3834-A04",
"SEC-3834-A06",
"SEC-3834-A07",
"SEC-3835-A04",
"SEC-3838-A01",
"SEC-3838-A02",
"SEC-3838-A07",
"SEC-3838-A08",
"SEC-3838-A09",
"SEC-3839-A04",
"SEC-3839-A07",
"SEC-3845-A10",
"SEC-3847",
"SEC-3847-A02",
"SEC-3847-A05",
"SEC-3858",
"SEC-3875-A05",
"SEC-3885-A01",
"SEC-3885-A02",
"SEC-3885-A04",
"SEC-3928",
"SEC-3928-A05",
"SEC-3928-A06",
"SEC-3931-A04",
"SEC-3931-A11",
"SEC-3936-A03",
"SEC-3949-A05",
"SEC-3963-A03",
"SEC-3963-A04",
"SEC-3963-A05",
"SEC-3963-A06",
"SEC-3970",
"SEC-3970-A03",
"SEC-3972-A01",
"SEC-3972-A02",
"SEC-3972-A06",
"SEC-3972-A07",
"SEC-3972-A09",
"SEC-3972-A10",
"SEC-3972-A13",
"SEC-3974-A06",
"SEC-3985-A02",
"SEC-3995",
"SEC-3995-A01",
"SEC-3995-A02",
"SEC-3995-A03",
"SEC-3995-A04",
"SEC-3995-A05",
"SEC-3999",
"SEC-3999-A01",
"SEC-3999-A03",
"SEC-4005-A01",
"SEC-4005-A02",
"SEC-4018-A03",
"SEC-4081-A02",
"SEC-4081-A03",
"SEC-4191",
"SEC-4191-A02",
"SEC-4195",
"SEC-4195-A02",
"SEC-4195-A08",
"SEC-4209-A03",
"SEC-445",
"SEC-4559-A01",
"SEC-4567-A01",
"SEC-4567-A06",
"SEC-462-A12",
"SEC-470",
"SEC-4945-A04",
"SEC-4966-A01",
"SEC-4966-A09",
"SEC-4970-A04",
"SEC-4970-A17",
"SEC-4988-A04",
"SEC-5109",
"SEC-5109-A01",
"SEC-5109-A02",
"SEC-5528",
"SEC-5528-A01",
"SEC-5532-A02",
"SEC-5541-A03",
"SEC-5640-A08",
"SEC-5640-A09",
"SEC-5748",
"SEC-5767-A02",
"SEC-5769-A05",
"SEC-5770",
"SEC-5804-A07",
"SEC-5818",
"SEC-5818-A10",
"SEC-5835",
"SEC-5835-A01",
"SEC-5835-A05",
"SEC-5850-A03",
"SEC-5850-A06",
"SEC-5851-A01",
"SEC-5851-A02",
"SEC-5851-A03",
"SEC-5851-A04",
"SEC-5851-A12",
"SEC-5908",
"SEC-5909",
"SEC-5912-A01",
"SEC-5912-A03",
"SEC-5921-A02",
"SEC-5921-A07",
"SEC-5923-A04",
"SEC-5923-A05",
"SEC-5924-A02",
"SEC-5925-A02",
"SEC-5930-A08",
"SEC-5931",
"SEC-5934-A04",
"SEC-5941-A02",
"SEC-5941-A03",
"SEC-5941-A06",
"SEC-5941-A07",
"SEC-5941-A08",
"SEC-5947-A06",
"SEC-5947-A07",
"SEC-5954-A04",
"SEC-6092-A03",
"SEC-6096-A03",
"SEC-6098",
"SEC-6105-A01",
"SEC-6105-A03",
"SEC-6105-A04",
"SEC-6105-A08",
"SEC-6105-A12",
"SEC-6224",
"SEC-6431-A07",
"SEC-6431-A08",
"SEC-6440-A02",
"SEC-6815-A03",
"SEC-6889-A01",
"SEC-6890-A01",
"SEC-691",
"SEC-6913-A02",
"SEC-6928-A04",
"SEC-6928-A10",
"SEC-6928-A13",
"SEC-6991-A01",
"SEC-6993-A01",
"SEC-6996",
"SEC-7016",
"SEC-7018-A05",
"SEC-7024-A02",
"SEC-7026-A01",
"SEC-7026-A06",
"SEC-7037-A04",
"SEC-7037-A06",
"SEC-7044",
"SEC-7049",
"SEC-7056-A05",
"SEC-7056-A10",
"SEC-7056-A11",
"SEC-7060-A02",
"SEC-7060-A07",
"SEC-7067-A01",
"SEC-7077",
"SEC-7077-A01",
"SEC-7082-A01",
"SEC-7084",
"SEC-7097-A01",
"SEC-710",
"SEC-7100-A01",
"SEC-7109-A01",
"SEC-7109-A06",
"SEC-7110-A01",
"SEC-7113",
"SEC-7117-A02",
"SEC-7117-A08",
"SEC-7128-A07",
"SEC-7237-A03",
"SEC-7577-A02",
"SEC-7581-A01",
"SEC-7621-A04",
"SEC-7678",
"SEC-7803-A08",
"SEC-8324",
"SEC-8324-A09",
"SEC-8326",
"SEC-8326-A01",
"SEC-8326-A02",
"SEC-8326-A06",
"SEC-8326-A07",
"SEC-8327-A01",
"SEC-8334-A01",
"SEC-8334-A02",
"SEC-8334-A10",
"SEC-8801-A05",
"SEC-8801-A08",
"SEC-8801-A09",
"SEC-8801-A10",
"SEC-8806",
"SEC-8829-A03",
"SEC-8839",
"SEC-8842",
"SEC-8842-A01",
"SEC-8842-A03",
"SEC-8842-A04",
"SEC-8842-A05",
"SEC-8842-A08",
"SEC-8842-A09",
"SEC-8842-A10",
"SEC-8842-A11",
"SEC-8842-A12",
"SEC-8842-A14",
"SEC-8871",
"SEC-8871-A01",
"SEC-8871-A04",
"SEC-8871-A06",
"SEC-8871-A07",
"SEC-8871-A08",
"SEC-8871-A09",
"SEC-8880",
"SEC-8888-A01",
"SEC-8888-A11",
"SEC-8923",
"SEC-8991-A02",
"SEC-8991-A09",
"SEC-8997",
"SEC-8997-A03",
"SEC-8998-A02",
"SEC-8998-A04",
"SEC-8999",
"SEC-8999-A01",
"SEC-8999-A03",
"SEC-8999-A06",
"SEC-9002-A01",
"SEC-9002-A06",
"SEC-9003",
"SEC-9003-A01",
"SEC-9007",
"SEC-9007-A02",
"SEC-9007-A05",
"SEC-9009-A03",
"SEC-9009-A04",
"SEC-9009-A05",
"SEC-9009-A06",
"SEC-9019-A04",
"SEC-9029",
"SEC-9033-A01",
"SEC-9033-A02",
"SEC-9033-A04",
"SEC-9033-A05",
"SEC-9033-A06",
"SEC-9035-A01",
"SEC-9035-A06",
"SEC-9036",
"SEC-9039",
"SEC-9039-A01",
"SEC-9039-A04",
"SEC-9045-A06",
"SEC-9055",
"SEC-9055-A01",
"SEC-9062-A04",
"SEC-9073-A10",
"SEC-9107",
"SEC-9107-A02",
"SEC-9107-A03",
"SEC-9110-A04",
"SEC-9115",
"SEC-9116-A01",
"SEC-9116-A02",
"SEC-9116-A03",
"SEC-9116-A04",
"SEC-9129",
"SEC-9129-A07",
"SEC-9129-A08",
"SEC-9129-A09",
"SEC-9135-A09",
"SYS-002",
"SYS-002-A05",
"VUL-001",
"VUL-001-A05"
],
"member_count": 574,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.85,
"source_meta_cluster": "M0",
"cluster_size": 574,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates"
},
{
"id": "signed_update_integrity",
"name": "Signierte und integritaetsgeschuetzte Update-Pakete",
"description": "Update-Pakete werden digital signiert; Integritaet und Authentizitaet (inkl. Boot-/Firmware) werden vor der Installation verifiziert; unsignierte oder manipulierte Updates werden abgelehnt.",
"tier": "LEGAL_MINIMUM",
"subdomain": "update_integrity",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": true
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(3)(f)",
"citation": "Schutz der Integritaet von Daten, Befehlen und Konfigurationen vor Manipulation."
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-147 BIOS Protection",
"role": "best_practice"
}
],
"member_review_units": [
"M8",
"M5",
"M11",
"M13"
],
"member_controls": [
"CRYP-127-A10",
"FWU-003",
"FWU-003-A01",
"FWU-003-A04",
"LOG-1782-A02",
"NET-981-A07",
"SEC-1083-A01",
"SEC-1083-A04",
"SEC-1083-A06",
"SEC-1083-A09",
"SEC-1083-A10",
"SEC-1170-A02",
"SEC-1170-A12",
"SEC-1170-A18",
"SEC-1170-A28",
"SEC-1170-A34",
"SEC-1170-A44",
"SEC-1170-A50",
"SEC-1170-A60",
"SEC-1170-A66",
"SEC-3150-A04",
"SEC-3169",
"SEC-3175-A07",
"SEC-3740-A01",
"SEC-3740-A03",
"SEC-3740-A04",
"SEC-3740-A08",
"SEC-3740-A09",
"SEC-3834",
"SEC-3838",
"SEC-3838-A10",
"SEC-3838-A11",
"SEC-3839",
"SEC-3854",
"SEC-3885",
"SEC-3885-A05",
"SEC-3933-A01",
"SEC-3936",
"SEC-3936-A01",
"SEC-3936-A02",
"SEC-3937-A01",
"SEC-3963",
"SEC-3963-A01",
"SEC-3972-A05",
"SEC-3972-A12",
"SEC-3999-A04",
"SEC-4005",
"SEC-4018-A02",
"SEC-6993-A02",
"SEC-7077-A03",
"SEC-7109",
"SEC-7109-A02",
"SEC-7621-A08",
"SEC-8998-A01",
"SEC-9002-A10",
"SEC-9007-A01",
"SEC-9007-A04",
"UPD-004-A07"
],
"member_count": 58,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.9,
"source_meta_cluster": "M8",
"cluster_size": 37,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates",
"capability_candidate": true,
"specializes": "software_integrity_protection",
"objective_tags": [
"integrity"
]
},
{
"id": "trusted_update_source",
"name": "Vertrauenswuerdige und zugriffsbeschraenkte Update-Quelle",
"description": "Firmware-/Software-Updates werden nur aus vertrauenswuerdigen Quellen bezogen; der Update-Bereitstellungskanal und die Quelle sind zugriffsbeschraenkt und abgesichert; Versions-Downgrades werden verhindert.",
"tier": "LEGAL_MINIMUM",
"subdomain": "update_channel_security",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(3)(d)",
"citation": "Schutz vor unbefugtem Zugriff durch geeignete Kontrollmechanismen."
}
],
"guidance_basis": [
{
"source": "BSI",
"anchor": "SYS.4.4 IoT",
"role": "best_practice"
}
],
"member_review_units": [
"M8",
"M13"
],
"member_controls": [
"FWU-003",
"FWU-003-A01",
"FWU-003-A04",
"LOG-1782-A02",
"SEC-1083-A01",
"SEC-1083-A04",
"SEC-1083-A06",
"SEC-1083-A09",
"SEC-1083-A10",
"SEC-3150-A04",
"SEC-3169",
"SEC-3175-A07",
"SEC-3740-A01",
"SEC-3740-A03",
"SEC-3740-A04",
"SEC-3740-A08",
"SEC-3740-A09",
"SEC-3834",
"SEC-3838",
"SEC-3838-A10",
"SEC-3838-A11",
"SEC-3839",
"SEC-3885",
"SEC-3885-A05",
"SEC-3933-A01",
"SEC-3936",
"SEC-3936-A01",
"SEC-3936-A02",
"SEC-3937-A01",
"SEC-3963",
"SEC-3963-A01",
"SEC-3972-A05",
"SEC-3972-A12",
"SEC-4005",
"SEC-6993-A02",
"SEC-7109-A02",
"SEC-7621-A08",
"SEC-8998-A01",
"SEC-9002-A10",
"SEC-9007-A01",
"SEC-9007-A04",
"UPD-004-A07"
],
"member_count": 42,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.85,
"source_meta_cluster": "M8",
"cluster_size": 37,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates",
"capability_candidate": true
},
{
"id": "update_testing_validation",
"name": "Test und Validierung von Updates",
"description": "Updates werden vor Verteilung in isolierten Testumgebungen getestet und validiert; manipulierte und unvollstaendige Update-Pakete werden in Tests erkannt; Funktionsfaehigkeit nach Update wird geprueft.",
"tier": "BEST_PRACTICE",
"subdomain": "update_testing",
"applicability": "universal",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": true
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-40 Test before deploy",
"role": "best_practice"
},
{
"source": "ISO",
"anchor": "ISO/IEC 27001 A.8.32",
"role": "best_practice"
}
],
"member_review_units": [
"M1",
"M13"
],
"member_controls": [
"AUTH-1742-A10",
"COMP-2768-A06",
"COMP-2768-A07",
"CRYP-1332-A08",
"CRYP-504-A07",
"CRYP-504-A17",
"CRYP-504-A24",
"GOV-2540-A08",
"HSM-003-A01",
"HSM-003-A08",
"ROT-005-A01",
"SEC-3665-A06",
"SEC-3847-A03",
"SEC-3885-A03",
"SEC-3928-A01",
"SEC-3970-A09",
"SEC-3972",
"SEC-430-A29",
"SEC-7067-A11",
"SEC-7621-A08",
"SEC-8998-A01",
"SEC-9002-A10",
"SEC-9007-A01",
"SEC-9019-A06",
"UPD-004-A07"
],
"member_count": 25,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.8,
"source_meta_cluster": "M1",
"cluster_size": 20,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates",
"capability_candidate": true
},
{
"id": "update_rollback",
"name": "Rollback-Prozess fuer Updates",
"description": "Dokumentierter und getesteter Rollback-Prozess fuer fehlerhafte Firmware-/Software-Updates; unvollstaendige Updates werden blockiert und Update-Ereignisse explizit bestaetigt.",
"tier": "BEST_PRACTICE",
"subdomain": "update_rollback",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": true
},
"source_role": "GUIDANCE",
"legal_basis": [],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SP 800-40 Rollback",
"role": "best_practice"
}
],
"member_review_units": [
"M1",
"M11"
],
"member_controls": [
"AUTH-1742-A10",
"COMP-2768-A06",
"COMP-2768-A07",
"CRYP-1332-A08",
"CRYP-504-A07",
"CRYP-504-A17",
"CRYP-504-A24",
"GOV-2540-A08",
"HSM-003-A01",
"HSM-003-A08",
"ROT-005-A01",
"SEC-3665-A06",
"SEC-3847-A03",
"SEC-3885-A03",
"SEC-3928-A01",
"SEC-3970-A09",
"SEC-3972",
"SEC-3999-A04",
"SEC-4018-A02",
"SEC-430-A29",
"SEC-7067-A11",
"SEC-7077-A03",
"SEC-9019-A06"
],
"member_count": 23,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.75,
"source_meta_cluster": "M1",
"cluster_size": 20,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates",
"capability_candidate": true
},
{
"id": "automatic_updates_optout",
"name": "Automatische Updates mit Standardaktivierung und Opt-out",
"description": "Automatische Sicherheitsupdates sind standardmaessig aktiviert mit sicherer Standardkonfiguration; eine Funktion zur Deaktivierung (Opt-out) wird bereitgestellt.",
"tier": "LEGAL_MINIMUM",
"subdomain": "automatic_updates",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": true,
"evidence": false
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (2)(c)",
"citation": "Sicherheitsupdates werden, soweit moeglich, automatisch installiert mit Opt-out-Moeglichkeit des Nutzers."
}
],
"guidance_basis": [],
"member_review_units": [
"M12",
"M9"
],
"member_controls": [
"SEC-1494-A02",
"SEC-4195-A01",
"SEC-4984-A03",
"SEC-580",
"SEC-9025",
"SEC-9110-A01"
],
"member_count": 6,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.9,
"source_meta_cluster": "M12",
"cluster_size": 5,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates",
"capability_candidate": true
},
{
"id": "update_risk_assessment",
"name": "Risikobeurteilung der Update-Pflicht",
"description": "Risikobeurteilung des Herstellers zur Bestimmung notwendiger Sicherheitsupdates, einschliesslich Behandlung von Software ohne Sicherheitsupdates.",
"tier": "LEGAL_MINIMUM",
"subdomain": "risk_assessment",
"applicability": "universal",
"evidence_facets": {
"governance": true,
"capability": false,
"evidence": true
},
"source_role": "LEGAL_BASIS",
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I (1)(2)",
"citation": "Cybersicherheits-Risikobeurteilung als Grundlage fuer Schwachstellenbehandlung."
}
],
"guidance_basis": [],
"member_review_units": [
"M3"
],
"member_controls": [
"COMP-745",
"NET-790-A02"
],
"member_count": 2,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.8,
"source_meta_cluster": "M3",
"cluster_size": 2,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates"
},
{
"id": "secure_modification_control",
"name": "Kontrolle sicherheitsrelevanter Updates an Lifecycle-Objekten",
"description": "Schreibzugriff auf sicherheitskritische Lifecycle-Objekte (z.B. EF.SecModLifeCycle) ist nur im Rahmen validierter Firmware-Updates moeglich; Schreibzugriff ohne Update wird abgelehnt.",
"tier": "BEST_PRACTICE",
"subdomain": "lifecycle_access_control",
"applicability": "conditional:secure_element_or_smartcard",
"evidence_facets": {
"governance": false,
"capability": true,
"evidence": true
},
"source_role": "IMPLEMENTATION",
"legal_basis": [],
"guidance_basis": [
{
"source": "BSI",
"anchor": "TR-03110 / SecMod Lifecycle",
"role": "best_practice"
}
],
"member_review_units": [
"M10"
],
"member_controls": [
"SEC-3738-A03",
"SEC-3738-A08",
"SEC-3738-A09"
],
"member_count": 3,
"relationships": [],
"citation_anchor_ids": [],
"citation_status": "pending_span_anchor",
"review_status": "draft",
"provenance": {
"discovery_confidence": 0.7,
"source_meta_cluster": "M10",
"cluster_size": 3,
"llm_model": "claude-opus-4-8",
"synthesis_version": "v1"
},
"family": "updates"
}
],
"relationships": [
{
"type": "supports",
"from": "signed_update_integrity",
"to": "provide_security_updates",
"note": "Integritaetsschutz sichert die Update-Bereitstellung ab."
},
{
"type": "supports",
"from": "trusted_update_source",
"to": "provide_security_updates",
"note": "Vertrauenswuerdige Quelle als Voraussetzung sicherer Updates."
},
{
"type": "produces_evidence_for",
"from": "update_testing_validation",
"to": "provide_security_updates",
"note": "Testnachweise belegen Wirksamkeit der Updates."
},
{
"type": "supports",
"from": "update_rollback",
"to": "provide_security_updates",
"note": "Rollback sichert Update-Prozess gegen Fehler ab."
},
{
"type": "implements",
"from": "automatic_updates_optout",
"to": "provide_security_updates",
"note": "Automatische Installation konkretisiert Bereitstellungspflicht."
},
{
"type": "depends_on",
"from": "provide_security_updates",
"to": "update_risk_assessment",
"note": "Updatebedarf folgt aus Risikobeurteilung."
},
{
"type": "depends_on",
"from": "support_period_maintenance",
"to": "provide_security_updates",
"note": "Wartung definiert den Bereitstellungszeitraum."
},
{
"type": "derived_from",
"from": "secure_modification_control",
"to": "signed_update_integrity",
"note": "Spezialfall validierter Schreibzugriff via Firmware-Update."
},
{
"type": "out_of_scope",
"review_units": [
"M4",
"M7"
],
"note": "M4 (digitale Veraenderungen allgemein) und M7 (TLS-Proxy-Kanalverwaltung) betreffen Konfigurations-/Netzwerkmanagement, nicht die Update-/Patch-Pflicht im engeren Sinne."
}
]
}