a4cb104258
Feedback der Compliance/KB-Session (2026-07-01): die 19 verify_pending norm_ids gegen KB-v2 (bp_compliance_kb_2026_1_build) geprüft — 16/19 bestätigt (alle CRA+MaschVO-Artikel existieren). Die 3 fehlenden = Kapitel-Ebene (EU-MaschVO-KapitelIV/V/VI): der KB-Compiler mintet Artikel+Annex, KEINE Kapitel. - Artikel-norm_ids verify_pending -> article_confirmed (16 distinkt). - Kapitel-norm_ids -> chapter_no_kb_unit (danglender Join-Key) + norm_id_note (Re-Anchor auf Konstituenten-Artikel = Enhancement, KB-v2 hat sie; NICHT geraten). - 2 Kapitel-Obligations (notifizierte Stellen · Marktüberwachung/Schutzklausel, beide rein prozedural, obligation_id=None) citation_status norm_id_linked -> chapter_reanchor_pending. Joinbar bleiben 62 Obligations. - Status gesamt: 53 annex_confirmed + 10 article_confirmed + 2 chapter_no_kb_unit. - norm_id_manifest.json + Contract-Block um kb_v2_verification ergänzt. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
{
"schema_version": "obligation_registry_v1",
"regulation": "CRA",
"regulation_code": "CRA",
"family": "core",
"theme": "CORE Security Objectives (CRA Annex I als regulierungs-agnostische Sicherheitsziele)",
"generated_by": "materialize_capabilities.py (#5b, Modell C)",
"note": "CORE Legal Obligations = Sicherheitsziele (Modell C: KEINE eigene SecurityObjective-Klasse). DOMAIN-Obligations specializes-en hierauf. objective_tags = Vorwaerts-Kompat zu Modell B.",
"citation_status": "pending_span_anchor",
"obligations": [
{
"id": "attack_surface_minimization",
"name": "Minimierung der Angriffsflaeche",
"family": "core",
"description": "Das Produkt minimiert seine Angriffsflaeche: unnoetige Funktionen/Ports/Dienste/Schnittstellen sind deaktiviert (Least Functionality).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"attack_surface"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(j)",
"citation": "limit attack surfaces, including external interfaces",
"norm_ids": [
"EU-CRA-AnhangI"
],
"norm_id_status": "annex_confirmed"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "CM-7 Least Functionality",
"role": "best_practice"
}
],
"specialized_by": [
"remote_access_attack_surface_min",
"component_remote_interface_security"
],
"primary_implementation": "NIST CM-7",
"citation_status": "norm_id_linked",
"review_status": "core_from_5b"
},
{
"id": "software_integrity_protection",
"name": "Schutz der Software-/Firmware-Integritaet",
"family": "core",
"description": "Das Produkt schuetzt Integritaet und Authentizitaet von Software/Firmware (Manipulationserkennung, Secure Boot, Signaturpruefung, Runtime-Integritaet).",
"tier": "LEGAL_MINIMUM",
"source_role": "LEGAL_BASIS",
"applicability": "universal",
"objective_tags": [
"integrity"
],
"legal_basis": [
{
"source": "CRA",
"anchor": "Annex I Part I (2)(f)",
"citation": "protect the integrity of stored, transmitted or processed data, software and configuration",
"norm_ids": [
"EU-CRA-AnhangI"
],
"norm_id_status": "annex_confirmed"
}
],
"guidance_basis": [
{
"source": "NIST",
"anchor": "SI-7 Software, Firmware, and Information Integrity",
"role": "best_practice"
}
],
"specialized_by": [
"signed_update_integrity",
"firmware_software_authentication"
],
"realized_by_capabilities": [
"code_signing"
],
"primary_implementation": "NIST SI-7",
"citation_status": "norm_id_linked",
"review_status": "core_from_5b"
}
],
"relationships": [],
"norm_id_contract": {
"convention": "EU-<ACT>-Anhang<ROM> (Annex-Ebene) / EU-<ACT>-Art<N> (verify) — KB-v2 bp_compliance_kb_2026_1_build",
"act_naming": "EU-MaschVO-* (NICHT MaschinenVO)",
"granularity": "annex-grob — 'Annex I Part II (1)' -> EU-CRA-AnhangI; Part/Punkt = KB-Enhancement TBD",
"article_status": "EU-<ACT>-Art<N> in KB-v2 BESTÄTIGT (16/16); Annex-IDs confirmed",
"source": "Board Compliance/KB-v2 2026-07-01",
"kb_v2_verification": "2026-07-01: 16/19 verify_pending IDs in KB-v2 bestätigt (alle Artikel); 3 Kapitel-IDs = chapter_no_kb_unit (Compiler mintet keine Kapitel)."
}
}