FDA 21 CFR Part 11 — Electronic Records; Electronic Signatures
US federal regulation establishing criteria for acceptance of electronic records and electronic signatures by the FDA. 30 requirements across electronic records (validation, audit trails, system access controls, authority checks, device checks, education and training, documentation, open and closed system controls), electronic signatures (uniqueness, identity verification, signature manifestations, signature/record linking), and biometric and non-biometric authentication controls. Applies to all FDA-regulated industries including pharmaceuticals, medical devices, biologics, and food.
Controls: 92
Total Mappings: 155
Publisher: U.S. Food and Drug Administration (FDA)
Version: 1997 (updated guidance 2003)
Control families (mapped controls per family): AC (12), AT (4), AU (13), CA (3), CM (8), CP (3), IA (11), IR (1), MP (1), PE (2), PL (3), PM (3), PS (5), RA (4), SA (7), SC (8), SI (4)
AC Access Control
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | §11.10(d) |
| AC-02 | Account Management | §11.10(d), §11.10(g), §11.100(a), §11.200(a)(2), §11.300(a), §11.300(b), §11.300(c) |
| AC-03 | Access Enforcement | §11.10(d), §11.10(g) |
| AC-05 | Separation Of Duties | §11.10(d), §11.10(g) |
| AC-06 | Least Privilege | §11.10(d), §11.10(g) |
| AC-07 | Unsuccessful Login Attempts | §11.10(d), §11.200(a)(1)(ii) |
| AC-11 | Session Lock | §11.10(d), §11.200(a)(1)(i), §11.200(a)(1)(ii) |
| AC-12 | Session Termination | §11.10(d), §11.200(a)(1)(i) |
| AC-16 | Automated Labeling | §11.10(g) |
| AC-17 | Remote Access | §11.30, §11.300(d) |
| AC-19 | Access Control For Portable And Mobile Devices | §11.10(h) |
| AC-24 | Access Control Decisions | §11.10(g) |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | §11.10(e) |
| AU-02 | Auditable Events | §11.10(e), §11.50 |
| AU-03 | Content Of Audit Records | §11.10(e), §11.50 |
| AU-04 | Audit Storage Capacity | §11.10(e) |
| AU-05 | Response To Audit Processing Failures | §11.10(e) |
| AU-06 | Audit Monitoring, Analysis, And Reporting | §11.10(e) |
| AU-07 | Audit Reduction And Report Generation | §11.10(e) |
| AU-08 | Time Stamps | §11.10(e) |
| AU-09 | Protection Of Audit Information | §11.10(b), §11.10(e) |
| AU-10 | Non-Repudiation | §11.10(e), §11.30, §11.50, §11.70 |
| AU-11 | Audit Record Retention | §11.10(b), §11.10(c), §11.10(e) |
| AU-12 | Audit Record Generation | §11.10(e), §11.50 |
| AU-14 | Session Audit | §11.10(e) |
CA Security Assessment and Authorization
CM Configuration Management
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| CM-02 | Baseline Configuration | §11.10(f) |
| CM-03 | Configuration Change Control | §11.10(k) |
| CM-04 | Monitoring Configuration Changes | §11.10(a) |
| CM-05 | Access Restrictions For Change | §11.10(k) |
| CM-06 | Configuration Settings | §11.10(f) |
| CM-07 | Least Functionality | §11.10(f) |
| CM-08 | Information System Component Inventory | §11.10(h) |
| CM-09 | Configuration Management Plan | §11.10(k) |
CP Contingency Planning
IA Identification and Authentication
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | §11.10(d) |
| IA-02 | User Identification And Authentication | §11.10(d), §11.100(a), §11.200(a)(1), §11.200(a)(1)(ii), §11.200(a)(2), §11.200(a)(3) |
| IA-03 | Device Identification And Authentication | §11.10(h) |
| IA-04 | Identifier Management | §11.10(d), §11.100(a), §11.100(b), §11.200(a)(2), §11.300(a), §11.300(c) |
| IA-05 | Authenticator Management | §11.10(d), §11.100(a), §11.100(b), §11.200(a)(1), §11.200(a)(1)(ii), §11.200(a)(2), §11.300(a), §11.300(b), §11.300(c), §11.300(e) |
| IA-06 | Authenticator Feedback | §11.200(a)(1), §11.300(d) |
| IA-07 | Cryptographic Module Authentication | §11.200(a)(1) |
| IA-08 | Identification and Authentication (Non-Organizational Users) | §11.100(a) |
| IA-09 | Service Identification and Authentication | §11.10(h) |
| IA-11 | Re-authentication | §11.200(a)(1)(i), §11.200(a)(1)(ii) |
| IA-12 | Identity Proofing | §11.100(b), §11.200(a)(3) |
IR Incident Response
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| IR-06 | Incident Reporting | §11.300(c) |
MP Media Protection
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| MP-04 | Media Storage | §11.10(c) |
PE Physical and Environmental Protection
PL Planning
PM Program Management
PS Personnel Security
RA Risk Assessment
SA System and Services Acquisition
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| SA-03 | Life Cycle Support | §11.10(a) |
| SA-05 | Information System Documentation | §11.10(k) |
| SA-08 | Security Engineering Principles | §11.10(a) |
| SA-10 | Developer Configuration Management | §11.10(a) |
| SA-11 | Developer Security Testing | §11.10(a), §11.10(f) |
| SA-15 | Development Process, Standards, and Tools | §11.10(a) |
| SA-17 | Developer Security and Privacy Architecture and Design | §11.10(a) |
SC System and Communications Protection
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| SC-07 | Boundary Protection | §11.30 |
| SC-08 | Transmission Integrity | §11.30, §11.300(d), §11.70 |
| SC-10 | Network Disconnect | §11.200(a)(1)(i) |
| SC-12 | Cryptographic Key Establishment And Management | §11.30 |
| SC-13 | Use Of Cryptography | §11.30, §11.300(d) |
| SC-17 | Public Key Infrastructure Certificates | §11.30 |
| SC-23 | Session Authenticity | §11.30, §11.300(d) |
| SC-28 | Protection of Information at Rest | §11.10(b), §11.10(c), §11.70 |
SI System and Information Integrity
| Control | Name | FDA 21 CFR Part 11 References |
|---|---|---|
| SI-06 | Security Functionality Verification | §11.10(a), §11.300(e) |
| SI-07 | Software And Information Integrity | §11.10(b), §11.10(f), §11.70 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | §11.10(f) |
| SI-12 | Information Output Handling And Retention | §11.10(c), §11.10(k) |