What is Compliance as a Code?

Azure and AWS have compliance blueprints, and we've received many questions about this new code-based configuration for compliance settings. The short answer is that blueprints alone are not enough to be compliant.

The Quality System regulation requires installation and inspection procedures (including testing where appropriate) as well as documentation of inspection and testing to demonstrate proper installation and configuration. (See 21 CFR §820.170.) Likewise, manufacturing equipment must meet specified requirements, and automated systems must be validated for their intended use. (See 21 CFR §820.70(g) and 21 CFR §820.70(i), respectively.)

Compliance as Code (CaC) (Azure Blueprints, AWS Conformance Packs, etc.)

CaC provides a general-purpose compliance framework designed to configure security, operational, or cost-optimization governance checks using managed or custom configuration rules and remediation actions. While CaC helps you assess compliance with the configuration, there often is not a one-to-one or complete match between a configured control and one or more regulatory requirements. Compliance in CaC refers only to the configuration itself; it doesn't ensure you're fully compliant with all regulatory requirements.

CaC artifacts are simply configuration templates (versus manually configuring the system from a configuration specification document); they are not designed to fully ensure compliance with specific governance or compliance standards. CaC is one part of your overall compliance responsibilities, which include ensuring that the configuration of the system meets your intended use and other applicable legal and regulatory requirements.

Verifying the configuration (whether applied via CaC or manually) is essential to software validation. The configuration must be reviewed and approved prior to provisioning, and the provisioned and configured environment must then be tested. USDM's initial qualification and Cloud Assurance services take care of that for you.

USDM's Cloud Assurance services for AWS or Azure include:

  • Vendor Assurance Report
  • Qualification Plan
  • Configuration Specification – Review and supplement AWS/Azure Conformance Pack
  • Functional Specification & Risk Assessment
  • Automated Execution Configuration Verification
  • Automated Execution High-Risk Test Scripts
  • Automated Summary Report with Trace Matrix
  • 12 months of USDM Cloud Assurance™ continuous compliance

Please reach out to us at usdm@usdm.com to discuss this further.
