In the inaugural post of this two-part series, we examined how Life Sciences organizations can establish an effective change management process utilizing AWS Systems Manager Change Manager and AWS Config. This initial solution illustrated how to adhere to your Standard Operating Procedures (SOPs) by incorporating approval mechanisms for resource modifications. Such measures are essential for organizations striving to comply with FDA 21 CFR Part 11. In this follow-up article, we will walk you through the final steps of the continuous compliance cycle, focusing on automating evidence collection for the FDA 21 CFR Part 11 framework, which is crucial for many Life Sciences entities. Throughout this discussion, we will collectively refer to Good Laboratory Practices (GLP), Good Clinical Practices (GCP), and Good Manufacturing Practices (GMP) as GxP.
Implementing a highly automated continuous compliance solution is one of the most efficient ways for customers to achieve compliance at scale in the cloud. To realize this, you must (1) consistently monitor and assess resource configurations, (2) automatically flag and rectify any non-compliant resources, and (3) document changes and evidence before re-evaluating. In our first post, we described how to fulfill the first two steps of the continuous compliance cycle by employing AWS Systems Manager Change Manager and AWS Config to establish a change control process for non-compliant resources. If AWS Config identifies a resource as non-compliant, Change Manager will initiate a remediation action, including an approval process, to ensure that the remediation does not adversely impact downstream operations.
Now, we will delve into the third step, where we will leverage AWS Audit Manager to automate the collection of evidence regarding the compliance status of our resources. AWS Audit Manager is a fully managed service that facilitates ongoing auditing and evaluation of compliance with widely recognized industry standards. This blog will concentrate on Life Sciences and the GxP framework, but the procedures outlined are applicable to other standards like PCI-DSS, FedRAMP (Moderate), or NIST-CSF. You can explore a list of available prebuilt frameworks in the Audit Manager Framework Library.
Solution Overview
This solution employs AWS Config to continually assess the configurations of your resources, sending evidence of the results to AWS Audit Manager. If Config identifies a resource as non-compliant with your desired configuration, it will utilize AWS Systems Manager Change Manager for remediation. Change Manager will notify an approver to review the change request before carrying out the remediation. Once the request receives approval, the automation in the specified change template will remediate the resource. After Change Manager has addressed the non-compliant resource, its compliance state will be updated, and the evidence will be sent to Audit Manager for reporting.
Implementation Walkthrough
We will outline the high-level steps needed to implement evidence collection for the GxP framework, thus completing the continuous compliance cycle.
- Create an assessment for the GxP framework to initiate evidence collection.
- Generate an assessment report.
Prerequisites
Before deploying this solution, ensure the following prerequisites are met:
- Activate AWS Config in your AWS account.
- Complete the setup steps for AWS Audit Manager.
- Follow the configuration steps for AWS Systems Manager Change Manager.
Step 1: Create an Assessment for the GxP Framework
- Access the AWS Audit Manager console and select “Create assessment.”
- In the Assessment details section, assign a name to your assessment, such as GxP 21 CFR Part 11 for this blog.
- Provide a brief description of the assessment, indicating it is for GxP 21 CFR Part 11.
- In the Assessment report destination section, choose an existing Amazon S3 bucket (or create a new one) where your assessment reports will be saved.
- Search for the GxP 21 CFR Part 11 framework in the Frameworks search bar.
- If you wish to add tags associated with your assessment, select “Add new tag.” When finished, click “Next.”
- Select the AWS accounts to include in the assessment scope. You can specify multiple AWS accounts, as AWS Audit Manager supports multiple account integration through AWS Organizations.
- Review the AWS services included and select “Next.” Prebuilt frameworks will automatically include the necessary AWS services.
- Designate audit owners responsible for managing the Audit Manager assessment.
- Click “Create assessment.”
Step 2: Generate an Assessment Report for the GxP Framework
Collecting evidence may take some time. If evidence is not visible in your controls, allow some time for it to be compiled before moving on.
- From the AWS Audit Manager console, select “Assessments” from the left panel menu, then choose the GxP framework assessment you created.
- The Controls tab provides a summary of the controls in the assessment, alongside a detailed list. Each assessment can comprise multiple control sets.
- Expand the first control set (Controls for closed systems) by selecting the “+”.
- Select the first control, which should be 11.10, and add the evidence collected for this control to your assessment report. The Evidence folders tab displays the evidence automatically collected, organized daily.
- Choose the latest evidence folder and select “Add to assessment report.” Repeat this process for any additional controls you wish to include.
- After selecting the evidence, proceed to generate and download your assessment report.
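The same Step 2 procedure driven through the AWS SDK instead of the console, as an added example that is not code from the original post: it picks the newest daily evidence folder per control, attaches that evidence to the report and generates it. The assessment id is a placeholder you supply, `SAMPLE_FOLDERS` is constructed data, and the prefix match on control names is an assumption.

```python
# Added example (not code from the AWS post): Step 2 above done with boto3 rather
# than the console. The assessment id is a placeholder; SAMPLE_FOLDERS is constructed.

# Constructed records shaped like get_evidence_folders_by_assessment items (one per control per day).
SAMPLE_FOLDERS = [
    {"id": "f-a1", "date": "2024-05-01", "controlSetId": "closed", "controlName": "11.10"},
    {"id": "f-a2", "date": "2024-05-02", "controlSetId": "closed", "controlName": "11.10"},
    {"id": "f-b1", "date": "2024-05-02", "controlSetId": "closed", "controlName": "11.30"},
]

def latest_folder_per_control(folders, wanted_controls=("11.10",)):
    """Step 2's 'choose the latest evidence folder': newest daily folder for each
    wanted control. Assumption: GxP control names begin with the clause number,
    so '11.10' is matched as a prefix of controlName."""
    latest = {}
    for folder in folders:
        if not folder["controlName"].startswith(tuple(wanted_controls)):
            continue
        key = (folder["controlSetId"], folder["controlName"])
        if key not in latest or folder["date"] > latest[key]["date"]:
            latest[key] = folder
    return latest

def _all_pages(call, key, **kwargs):
    """Drain a paginated Audit Manager list call by following nextToken."""
    items, token = [], None
    while True:
        page = call(**kwargs, **({"nextToken": token} if token else {}))
        items.extend(page[key])
        token = page.get("nextToken")
        if not token:
            return items

def add_latest_evidence_to_report(assessment_id, wanted_controls=("11.10",)):
    """Live run (needs boto3 and AWS credentials): attach the newest evidence for
    each wanted control to the assessment report, then generate the report."""
    import boto3
    am = boto3.client("auditmanager")
    folders = _all_pages(am.get_evidence_folders_by_assessment,
                         "evidenceFolders", assessmentId=assessment_id)
    for folder in latest_folder_per_control(folders, wanted_controls).values():
        ids = [e["id"] for e in _all_pages(
            am.get_evidence_by_evidence_folder, "evidence", assessmentId=assessment_id,
            controlSetId=folder["controlSetId"], evidenceFolderId=folder["id"])]
        for i in range(0, len(ids), 50):  # the API takes at most 50 ids per call
            am.batch_associate_assessment_report_evidence(
                assessmentId=assessment_id, evidenceFolderId=folder["id"],
                evidenceIds=ids[i:i + 50])
    return am.create_assessment_report(name="GxP-21-CFR-Part-11-report", assessmentId=assessment_id)
```

Run `add_latest_evidence_to_report("<your-assessment-id>")` only after evidence has had time to accumulate, as noted above; the report lands in the S3 bucket chosen in Step 1.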