Difference between revisions of "User:Shawndouglas/sandbox/sublevel22"

From LIMSWiki
Jump to navigationJump to search
Line 8: Line 8:
==Sandbox begins below==
==Sandbox begins below==


==32. System Validation and Commission==
==33. System Validation and Commission==
{|  
{|  
  | STYLE="vertical-align:top;"|
  | STYLE="vertical-align:top;"|
Line 19: Line 19:
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-1]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.8]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-1]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.8]
   | style="background-color:white;" |'''32.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.
   | style="background-color:white;" |'''33.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-2]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-2]
   | style="background-color:white;" |'''32.2''' The vendor should be willing to provide access to source code through a suitable escrow.
   | style="background-color:white;" |'''33.2''' The vendor should be willing to provide access to source code through a suitable escrow.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-3]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-3]
   | style="background-color:white;" |'''32.3''' The system should be able to document a summary and evaluation of enterprise performance markers and processes.
   | style="background-color:white;" |'''33.3''' The system should be able to document a summary and evaluation of enterprise performance markers and processes.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-4]<br />[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.5]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-4]<br />[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.5]
   | style="background-color:white;" |'''32.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.
   | style="background-color:white;" |'''33.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 40: Line 40:
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.2]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.2]<br />
[http://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 4.1]
[http://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 4.1]
   | style="background-color:white;" |'''32.5''' The system shall be validated initially and periodically, with those validation activities being documented, to ensure the accuracy, consistency, and reliability of system performance and its electronic records.
   | style="background-color:white;" |'''33.5''' The system shall be validated initially and periodically, with those validation activities being documented, to ensure the accuracy, consistency, and reliability of system performance and its electronic records.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-2]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-4]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-2-2]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-4]
   | style="background-color:white;" |'''32.6''' The documentation associated with system validation shall discuss all applicable steps of the life cycle, justify applied methods and standards, and include change control records and observed deviations during validation, if applicable.
   | style="background-color:white;" |'''33.6''' The documentation associated with system validation shall discuss all applicable steps of the life cycle, justify applied methods and standards, and include change control records and observed deviations during validation, if applicable.
  |-  
  |-  
|}
|}
|}
|}


==33. System Administration==
==34. System Administration==
{|  
{|  
  | STYLE="vertical-align:top;"|
  | STYLE="vertical-align:top;"|
Line 64: Line 64:
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-1]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.5]
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.5]
   | style="background-color:white;" |'''33.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials.
   | style="background-color:white;" |'''34.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-2]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-2]
   | style="background-color:white;" |'''33.2''' The system should provide a means for modifying personnel data in a batch.
   | style="background-color:white;" |'''34.2''' The system should provide a means for modifying personnel data in a batch.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-3]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-3]
   | style="background-color:white;" |'''33.3''' The system should support the storage of standard and industry-specific data formats.
   | style="background-color:white;" |'''34.3''' The system should support the storage of standard and industry-specific data formats.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 90: Line 90:
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.5.1.2]
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.5.1.2]
   | style="background-color:white;" |'''33.4''' The system shall support the ability to define, record, and change the level of access for individual users to system groups, roles, machines, processes, and objects based on their responsibilities, including when those responsibilities change. The system should be able to provide a list of individuals assigned to a given system group, role, machine, process, or object.
   | style="background-color:white;" |'''34.4''' The system shall support the ability to define, record, and change the level of access for individual users to system groups, roles, machines, processes, and objects based on their responsibilities, including when those responsibilities change. The system should be able to provide a list of individuals assigned to a given system group, role, machine, process, or object.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-8]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-8]
   | style="background-color:white;" |'''33.5''' The vendor should provide maintenance agreements and support services for its applications and services.
   | style="background-color:white;" |'''34.5''' The vendor should provide maintenance agreements and support services for its applications and services.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-9]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-3.3]<br />[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-9]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-3.3]<br />[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]
   | style="background-color:white;" |'''33.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.
   | style="background-color:white;" |'''34.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 116: Line 116:
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]
   | style="background-color:white;" |'''33.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)
   | style="background-color:white;" |'''34.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]
   | style="background-color:white;" |'''33.8''' The system shall be able to tag and document an individual, group, and system account as having been validated for regulatory purposes, and remind the administrator or authorized personnel on a configurable schedule when the account should be validated again.
   | style="background-color:white;" |'''34.8''' The system shall be able to tag and document an individual, group, and system account as having been validated for regulatory purposes, and remind the administrator or authorized personnel on a configurable schedule when the account should be validated again.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 126: Line 126:
[https://www.law.cornell.edu/cfr/text/42/73.17 42 CFR Part 73.17]<br />
[https://www.law.cornell.edu/cfr/text/42/73.17 42 CFR Part 73.17]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-10]
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-10]
   | style="background-color:white;" |'''33.9''' The system should provide a means of integrating with an enterprise personnel security directory, as well as physical security systems.
   | style="background-color:white;" |'''34.9''' The system should provide a means of integrating with an enterprise personnel security directory, as well as physical security systems.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 135: Line 135:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.4.1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.4.1]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]
   | style="background-color:white;" |'''33.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.
   | style="background-color:white;" |'''34.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-12]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-12]
   | style="background-color:white;" |'''33.11''' The system shall provide a means for migrating data to a new release upon system upgrade.
   | style="background-color:white;" |'''34.11''' The system shall provide a means for migrating data to a new release upon system upgrade.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-13]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-13]
   | style="background-color:white;" |'''33.12''' The system should be expedient with the retrieval of stored items.
   | style="background-color:white;" |'''34.12''' The system should be expedient with the retrieval of stored items.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (b)]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-5]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-8.1]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (b)]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-5]<br />[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-8.1]
   | style="background-color:white;" |'''33.13''' The system shall allow the printing of stored electronic records in a complete, accurate, and human-readable format.
   | style="background-color:white;" |'''34.13''' The system shall allow the printing of stored electronic records in a complete, accurate, and human-readable format.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-14]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-14]
   | style="background-color:white;" |'''33.14''' The system should provide some sort of support for use on mobile technologies, particularly for the purpose of receiving notifications and monitoring processes.
   | style="background-color:white;" |'''34.14''' The system should provide some sort of support for use on mobile technologies, particularly for the purpose of receiving notifications and monitoring processes.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-15]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]
   | style="padding:5px; width:500px;" |[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-3-15]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]
   | style="background-color:white;" |'''33.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.
   | style="background-color:white;" |'''34.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.
  |-  
  |-  
|}
|}
|}
|}


==34. Cybersecurity==
==35. Cybersecurity==
{|  
{|  
  | STYLE="vertical-align:top;"|
  | STYLE="vertical-align:top;"|
Line 174: Line 174:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]
   | style="background-color:white;" |'''34.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.
   | style="background-color:white;" |'''35.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.
  |-  
  |-  
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 184: Line 184:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]
   | style="background-color:white;" |'''34.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within.
   | style="background-color:white;" |'''35.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/42/493.1231 42 CFR Part 493.1231]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.2.2.1]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/42/493.1231 42 CFR Part 493.1231]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.2.2.1]
   | style="background-color:white;" |'''34.3''' The system should be able to support multifactor authentication.
   | style="background-color:white;" |'''35.3''' The system should be able to support multifactor authentication.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/170.202 45 CFR Part 170.202]<br />[https://www.law.cornell.edu/cfr/text/45/170.315 45 CFR Part 170.315 (h)]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/170.202 45 CFR Part 170.202]<br />[https://www.law.cornell.edu/cfr/text/45/170.315 45 CFR Part 170.315 (h)]
   | style="background-color:white;" |'''34.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.
   | style="background-color:white;" |'''35.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.
  |-
  |-
|}
|}
|}
|}


==35. Information Privacy==
==36. Information Privacy==
{|  
{|  
  | STYLE="vertical-align:top;"|
  | STYLE="vertical-align:top;"|
Line 206: Line 206:
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-5-1]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-5-1]
   | style="background-color:white;" |'''35.1''' The system shall comply with privacy protection compliance like that found in HIPAA provisions.
   | style="background-color:white;" |'''36.1''' The system shall comply with privacy protection compliance like that found in HIPAA provisions.
  |-
  |-
   | style="padding:5px; width:500px;" |
   | style="padding:5px; width:500px;" |
Line 213: Line 213:
[https://www.law.cornell.edu/cfr/text/45/170.315 45 CFR Part 170.315 (d)]<br />
[https://www.law.cornell.edu/cfr/text/45/170.315 45 CFR Part 170.315 (d)]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-5-2]
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 S-5-2]
   | style="background-color:white;" |'''35.2''' The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.
   | style="background-color:white;" |'''36.2''' The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/164.514 45 CFR Part 164.514]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/164.514 45 CFR Part 164.514]
   | style="background-color:white;" |'''35.3''' The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
   | style="background-color:white;" |'''36.3''' The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]
   | style="background-color:white;" |'''35.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
   | style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
  |-
  |-
|}
|}
|}
|}

Revision as of 18:22, 19 September 2019

Sandbox begins below

33. System Validation and Commission

Regulation, Specification, or Guidance Requirement
ASTM E1578-18 S-2-1
CJIS Security Policy Appendix G.8
33.1 The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.
ASTM E1578-18 S-2-2 33.2 The vendor should be willing to provide access to source code through a suitable escrow.
ASTM E1578-18 S-2-3 33.3 The system should be able to document a summary and evaluation of enterprise performance markers and processes.
ASTM E1578-18 S-2-4
ISO 15189:2012 5.10.3
ISO/IEC 17025:2017 7.11.5
33.4 The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.

21 CFR Part 11.10 (a)
21 CFR Part 820.70 (i)
E.U. Annex 11-11
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
E.U. Commission Directive 2003/94/EC Article 9.2
ISO 15189:2012 5.10.3
ISO/IEC 17025:2017 7.11.2
OECD GLP Principles 4.1

33.5 The system shall be validated initially and periodically, with those validation activities being documented, to ensure the accuracy, consistency, and reliability of system performance and its electronic records.
ASTM E1578-18 S-2-2
E.U. Annex 11-4
33.6 The documentation associated with system validation shall discuss all applicable steps of the life cycle, justify applied methods and standards, and include change control records and observed deviations during validation, if applicable.

34. System Administration

Regulation, Specification, or Guidance Requirement

21 CFR Part 11.200 (a)
45 CFR Part 164.312
45 CFR Part 170.315 (d-5)
ASTM E1578-18 S-3-1
CJIS Security Policy 5.5.5

34.1 The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials.
ASTM E1578-18 S-3-2 34.2 The system should provide a means for modifying personnel data in a batch.
ASTM E1578-18 S-3-3 34.3 The system should support the storage of standard and industry-specific data formats.

7 CFR Part 331.11
9 CFR Part 121.11
21 CFR Part 11.10 (d)
21 CFR Part 211.68 (b)
42 CFR Part 73.11
45 CFR Part 164.308
45 CFR Part 164.514
ASTM E1578-18 S-3-7
CJIS Security Policy 5.5.1
CJIS Security Policy 5.5.2.4
CJIS Security Policy Appendix G.5
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
EPA ERLN Laboratory Requirements 4.1.14–15
ISO 15189:2012 5.10.2
USDA Administrative Procedures for the PDP 5.2.4
USDA Administrative Procedures for the PDP 5.5.1.2

34.4 The system shall support the ability to define, record, and change the level of access for individual users to system groups, roles, machines, processes, and objects based on their responsibilities, including when those responsibilities change. The system should be able to provide a list of individuals assigned to a given system group, role, machine, process, or object.
ASTM E1578-18 S-3-8 34.5 The vendor should provide maintenance agreements and support services for its applications and services.
ASTM E1578-18 S-3-9
E.U. Annex 11-3.3
USDA Administrative Procedures for the PDP 5.2.4
34.6 The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.

7 CFR Part 331.11
9 CFR Part 121.11
21 CFR Part 11.10 (c)
42 CFR Part 73.11
45 CFR Part 164.310
AAVLD Requirements for an AVMDL Sec. 5.4.4.3
ABFT Accreditation Manual Sec. D-5–D-8
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.4.7.2.1
ASTM E1492-11 4.2.4
CJIS Security Policy 5.5.2
CJIS Security Policy 5.8.1
EPA ERLN Laboratory Requirements 4.9.6
E.U. Annex 11-7.1
E.U. Annex 11-12
ISO 15189:2012 5.10.2
ISO/IEC 17025:2017 7.11.3
USDA Administrative Procedures for the PDP 5.2.1

34.7 The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)
CJIS Security Policy 5.5.1 34.8 The system shall be able to tag and document an individual, group, and system account as having been validated for regulatory purposes, and remind the administrator or authorized personnel on a configurable schedule when the account should be validated again.

7 CFR Part 331.17
9 CFR Part 121.17
42 CFR Part 73.17
ASTM E1578-18 S-3-10

34.9 The system should provide a means of integrating with an enterprise personnel security directory, as well as physical security systems.

7 CFR Part 331.11
9 CFR Part 121.11
42 CFR Part 73.11
ASTM E1578-18 S-3-11
CJIS Security Policy 5.10.4.1
EPA ERLN Laboratory Requirements 4.9.13

34.10 The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.
ASTM E1578-18 S-3-12 34.11 The system shall provide a means for migrating data to a new release upon system upgrade.
ASTM E1578-18 S-3-13 34.12 The system should be expedient with the retrieval of stored items.
21 CFR Part 11.10 (b)
E.U. Annex 11-5
E.U. Annex 11-8.1
34.13 The system shall allow the printing of stored electronic records in a complete, accurate, and human-readable format.
ASTM E1578-18 S-3-14 34.14 The system should provide some sort of support for use on mobile technologies, particularly for the purpose of receiving notifications and monitoring processes.
ASTM E1578-18 S-3-15
EPA ERLN Laboratory Requirements 4.9.13
34.15 The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.

35. Cybersecurity

Regulation, Specification, or Guidance Requirement

42 CFR Part 493.1231
45 CFR Part 164.312
45 CFR Part 170.315 (d-9)
ASTM E1578-18 S-4-1
CJIS Security Policy 5.6.4
CJIS Security Policy 5.8.2.1
CJIS Security Policy 5.10.1.2
CJIS Security Policy Appendix G.6

35.1 The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.

42 CFR Part 493.1231
45 CFR Part 164.312
45 CFR Part 170.315 (d)
ASTM E1578-18 S-4-2
CJIS Security Policy 5.5.2.4
CJIS Security Policy 5.10.1.2
CJIS Security Policy Appendix G.6

35.2 The system should support database encryption and be capable of recording the encryption status of the data contained within.
42 CFR Part 493.1231
CJIS Security Policy 5.6.2.2.1
35.3 The system should be able to support multifactor authentication.
45 CFR Part 170.202
45 CFR Part 170.315 (h)
35.4 The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.

36. Information Privacy

Regulation, Specification, or Guidance Requirement
45 CFR Part 164 Subpart E
ASTM E1578-18 S-5-1
36.1 The system shall comply with privacy protection compliance like that found in HIPAA provisions.

45 CFR Part 164.105
45 CFR Part 164 Subpart C
45 CFR Part 170.315 (d)
ASTM E1578-18 S-5-2

36.2 The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.
45 CFR Part 164.514 36.3 The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
45 CFR Part 164 Subpart E 36.4 The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.