What is Compliance as a Code?

Stepheni Norton
September 29, 2022

Azure and AWS have compliance blueprints, and we’ve received many questions about this new code-based configuration for compliance settings. The short answer is that blueprints alone are not enough to be compliant.

The Quality System regulation requires installation and inspection procedures (including testing where appropriate) as well as documentation of inspection and testing to demonstrate proper installation and configuration. (See 21 CFR §820.170.) Likewise, manufacturing equipment must meet specified requirements, and automated systems must be validated for their intended use. (See 21 CFR §820.70(g) and 21 CFR §820.70(i), respectively.)

Compliance as Code (CaC) (Azure BluePrints, AWS Conformance Packs, etc.)

CaC provides a general-purpose compliance framework designed to configure security, operational, or cost-optimization governance checks using managed or custom configuration rules and remediation actions. While CaC helps you assess compliance with the configuration, there often is not a one-to-one or complete match between a configured control and one or more regulatory requirements. Compliance in CaC refers only to the configuration itself; it doesn’t ensure you’re fully compliant with all regulatory requirements.

CaC is simply configuration templates (verse manually configuring the system from a configuration specification document); they are not designed to fully ensure compliance with specific governance or compliance standards. CaC is a part of your overall compliance responsibilities, ensuring the configuration of the system meets your intended use and other applicable legal and regulatory requirements.

Verifying the configuration (whether via CaC or manual) is essential to software validation. Reviewing and approving the configuration prior to provisioning and the subsequent testing of the provisioned and configured environment must be completed. USDM initial qualification and Cloud Assurance services take care of that for you.

USDM’s Cloud Assurance services for AWS or Azure include;

Vendor Assurance Report
Qualification Plan
Configuration Specification – Review and supplement AWS/Azure Conformance Pack
Functional Specification & Risk Assessment
Automated Execution Configuration Verification
Automated Execution High-Risk Test Scripts
Automated Summary Report with Trace Matrix
12 months of USDM Cloud Assurance™ continuous compliance

Please reach out to us at usdm@usdm.com to discuss this further.

Comments

There are no comments for this post, be the first one to start the conversation!

Please Sign in or Create an account to join the conversation

Resources that might interest you

Validation Requirements and Responsibilities

Who’s responsible for what in the validation process? Get the white paper for more info!

Lisa Om
- June 15, 2023

White Papers

Biotech, Medical Device, Pharma

Information Technology, Quality Assurance

Complaint Handling Integration with Salesforce Improves Patient Care

Case study on Complaint Handling Integration with Salesforce Improves Patient Care.

Jim Macdonell
- February 12, 2022

Case Studies

Medical Device

Information Technology, Regulatory

Use AI to Personalize the eSignature Experience in Life Sciences

AI delivers a user experience based on preferences, behaviors, and historical interactions. Explore opportunities for personalization in the eSignature process.

Ryan McDonald
- January 18, 2024

Blogs

Biotech, CMO, CRO, Medical Device, Pharma

Information Technology, Quality Assurance