Difference between revisions of "User:Shawndouglas/sandbox/sublevel25"

From LIMSWiki
Jump to navigationJump to search
Line 18: Line 18:
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.6]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.6]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.1 and 4.9.7]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.1 and 4.9.7]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-12]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SI-12]
   | style="background-color:white;" |'''31.2''' The system shall protect entered data so as to prevent it from being obscured by new data, keeping both the old and current data available for review.
   | style="background-color:white;" |'''31.2''' The system shall protect entered data so as to prevent it from being obscured by new data, keeping both the old and current data available for review.
  |-  
  |-  
Line 33: Line 33:
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.9]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.9]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.9]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.9]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-12]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SI-12]<br />
[https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br />
[https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]<br />
Line 114: Line 114:
[https://www.iso.org/standard/56115.html ISO 15189:2012 4.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 4.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 8.4.2]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 8.4.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AT-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AT-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AU-11 and AU-11(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AU-11 and AU-11(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-12]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SI-12]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br />
[https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br />
[https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br />
Line 124: Line 124:
   | style="background-color:white;" |'''31.4''' The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.
   | style="background-color:white;" |'''31.4''' The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 E-17-6]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.4]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AU-8]
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 E-17-6]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.4]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AU-8]
   | style="background-color:white;" |'''31.5''' The system shall accurately reflect the system date and time in its use of electronic record time stamps.
   | style="background-color:white;" |'''31.5''' The system shall accurately reflect the system date and time in its use of electronic record time stamps.
  |-  
  |-  
Line 135: Line 135:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.5]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.5]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-9]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-9]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AU-9]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AU-9]
   | style="background-color:white;" |'''31.7''' The system shall prevent the modification, deletion, or disabling of its audit trail, as well as record such attempts.
   | style="background-color:white;" |'''31.7''' The system shall prevent the modification, deletion, or disabling of its audit trail, as well as record such attempts.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.2]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AU-5]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-4]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.2]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AU-5]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SI-4]
   | style="background-color:white;" |'''31.8''' The system shall be capable of identifying instances of audit processing failure (e.g., write errors, general failure of the audit tool, etc.), sending alerts or notifications to appropriate personnel in such cases.
   | style="background-color:white;" |'''31.8''' The system shall be capable of identifying instances of audit processing failure (e.g., write errors, general failure of the audit tool, etc.), sending alerts or notifications to appropriate personnel in such cases.
  |-  
  |-  
Line 214: Line 214:
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-17]<br />
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-17]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.7.1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.7.1]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-6(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-6(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, CM-7]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, CM-7]
   | style="background-color:white;" |'''32.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.
   | style="background-color:white;" |'''32.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.
  |-  
  |-  
Line 227: Line 227:
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-20]<br />
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-20]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, CM-5(1)]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, CM-5(1)]
   | style="background-color:white;" |'''32.21''' The system should support rules governing electronic records and electronic signatures in regulated environments.
   | style="background-color:white;" |'''32.21''' The system should support rules governing electronic records and electronic signatures in regulated environments.
  |-  
  |-  
Line 257: Line 257:
[https://ichgcp.net/ ICH GCP 2.10]<br />
[https://ichgcp.net/ ICH GCP 2.10]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, CM-5 and CM-5(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, CM-5 and CM-5(1)]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
Line 264: Line 264:
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2–3]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br />
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2–3]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-2(11)]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-2(11)]
   | style="background-color:white;" |'''32.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.
   | style="background-color:white;" |'''32.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-22]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-2(10)]
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-22]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-2(10)]
   | style="background-color:white;" |'''32.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data.
   | style="background-color:white;" |'''32.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data.
  |-  
  |-  
Line 285: Line 285:
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.4]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.4]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-2(7) and AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-2(7) and AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-2, IA-5, and IA-8]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-2, IA-5, and IA-8]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, MA-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, MA-4]<br />
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9]
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9]
   | style="background-color:white;" |'''32.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.
   | style="background-color:white;" |'''32.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.
Line 297: Line 297:
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. VI, Sec. 8.6]<br />
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. VI, Sec. 8.6]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-4 and IA-5]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-4 and IA-5]
   | style="background-color:white;" |'''32.26''' The system shall prevent the same combination of identification components from being used across more than one account.
   | style="background-color:white;" |'''32.26''' The system shall prevent the same combination of identification components from being used across more than one account.
  |-  
  |-  
Line 305: Line 305:
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-5 and IA-5(1)]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-5 and IA-5(1)]
   | style="background-color:white;" |'''32.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.
   | style="background-color:white;" |'''32.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.1]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-2(3)]<br />
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.1]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-2(3)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-4 and IA-5(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-4 and IA-5(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, PS-4]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, PS-4]
   | style="background-color:white;" |'''32.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.
   | style="background-color:white;" |'''32.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-10]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-10]
   | style="background-color:white;" |'''32.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.
   | style="background-color:white;" |'''32.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.4]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-8]
   | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.4]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-8]
   | style="background-color:white;" |'''32.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.
   | style="background-color:white;" |'''32.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.
  |-  
  |-  
Line 333: Line 333:
[https://eur-lex.europa.eu/eli/dir/2003/94/oj E.U. Commission Directive 2003/94/EC Article 9.2]<br />
[https://eur-lex.europa.eu/eli/dir/2003/94/oj E.U. Commission Directive 2003/94/EC Article 9.2]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, CM-5(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, CM-5(1)]<br />
[https://www.who.int/medicines/areas/quality_safety/quality_assurance/expert_committee/trs_986/en/ WHO Technical Report Series, #986, Annex 2, 15.9]
[https://www.who.int/medicines/areas/quality_safety/quality_assurance/expert_committee/trs_986/en/ WHO Technical Report Series, #986, Annex 2, 15.9]
   | style="background-color:white;" |'''32.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts, unauthorized logins, and electronic signings.
   | style="background-color:white;" |'''32.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts, unauthorized logins, and electronic signings.
Line 342: Line 342:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.3]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-7]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-7]
   | style="background-color:white;" |'''32.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.
   | style="background-color:white;" |'''32.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.
  |-  
  |-  
Line 359: Line 359:
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-1]<br />
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-5]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-5]
   | style="background-color:white;" |'''32.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.
   | style="background-color:white;" |'''32.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.
  |-  
  |-  
Line 374: Line 374:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-2, IA-5, and IA-8]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-2, IA-5, and IA-8]
   | style="background-color:white;" |'''32.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both.
   | style="background-color:white;" |'''32.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both.
  |-  
  |-  
Line 394: Line 394:
   | style="background-color:white;" |'''32.39''' The system should provide a means to migrate static data into the system.
   | style="background-color:white;" |'''32.39''' The system should provide a means to migrate static data into the system.
  |-   
  |-   
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-5(1) and IA-5(4)]<br />[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-5(1) and IA-5(4)]<br />[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]
   | style="background-color:white;" |'''32.40''' The system should provide a means for automatically authenticating if a user's proposed password meets the length, complexity, minimum number of changed characters, and other requirements as configured by the administrator or another authorized system user.
   | style="background-color:white;" |'''32.40''' The system should provide a means for automatically authenticating if a user's proposed password meets the length, complexity, minimum number of changed characters, and other requirements as configured by the administrator or another authorized system user.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-6]
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-6]
   | style="background-color:white;" |'''32.41''' The system should provide a means for obscuring authentication feedback as it is entered into the system, e.g., displaying asterisks rather than the typed password or displaying actual typed feedback for a distinctly short period of time before obscuring it.
   | style="background-color:white;" |'''32.41''' The system should provide a means for obscuring authentication feedback as it is entered into the system, e.g., displaying asterisks rather than the typed password or displaying actual typed feedback for a distinctly short period of time before obscuring it.
  |-  
  |-  
Line 412: Line 412:
   ! style="color:brown; background-color:#ffffee; width:700px;"| Requirement
   ! style="color:brown; background-color:#ffffee; width:700px;"| Requirement
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-1]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.8]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SA-4(3)]
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-1]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.8]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SA-4(3)]
   | style="background-color:white;" |'''33.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.
   | style="background-color:white;" |'''33.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-2]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SA-4(2)]
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-2]<br />[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SA-4(2)]
   | style="background-color:white;" |'''33.2''' The vendor should be willing to provide access to source code through a suitable escrow.
   | style="background-color:white;" |'''33.2''' The vendor should be willing to provide access to source code through a suitable escrow.
  |-  
  |-  
Line 426: Line 426:
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.5]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.5]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SA-4(1), SA-4(2), and SA-5]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SA-4(1), SA-4(2), and SA-5]
   | style="background-color:white;" |'''33.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.
   | style="background-color:white;" |'''33.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.
  |-  
  |-  
Line 469: Line 469:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.5]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.5]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-11]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-11 and AC-12]
   | style="background-color:white;" |'''34.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials.
   | style="background-color:white;" |'''34.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials. The system shall also be able to display an explicit message indicating how much time remains before the user session terminates.
  |-  
  |-  
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-2]
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-2]
Line 496: Line 496:
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-2(7) and AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-2(7) and AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-2 and IA-8]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-2 and IA-8]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, MA-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, MA-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, PS-4 and PS-5]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, PS-4 and PS-5]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.5.1.2]
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.5.1.2]
Line 509: Line 509:
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-9]<br />
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-9]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-3.3]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-3.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SA-16]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SA-16]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]
   | style="background-color:white;" |'''34.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.
   | style="background-color:white;" |'''34.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.
Line 530: Line 530:
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, MA-5]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, MA-5]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, MP-2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, MP-2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, PE-3, PE-3(1), PE-6, PE-6(1), and PE-6(4)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, PE-3, PE-3(1), PE-6, PE-6(1), and PE-6(4)]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]
   | style="background-color:white;" |'''34.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)
   | style="background-color:white;" |'''34.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)
Line 557: Line 557:
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.6.1]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.6.1]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-2(5)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SI-2(5)]<br />
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]
   | style="background-color:white;" |'''34.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.
   | style="background-color:white;" |'''34.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.
Line 579: Line 579:
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-15]<br />
   | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-15]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, CM-3(2)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, CM-3(2)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-2]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SI-2]
   | style="background-color:white;" |'''34.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.
   | style="background-color:white;" |'''34.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.
  |-  
  |-  
Line 606: Line 606:
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.2.3.2]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.2.3.2]<br />
[https://www.ema.europa.eu/en/human-regulatory/research-development/compliance/good-manufacturing-practice/guidance-good-manufacturing-practice-good-distribution-practice-questions-answers EMA Guidance on Good Manufacturing Practice and Good Distribution Practice]<br />
[https://www.ema.europa.eu/en/human-regulatory/research-development/compliance/good-manufacturing-practice/guidance-good-manufacturing-practice-good-distribution-practice-questions-answers EMA Guidance on Good Manufacturing Practice and Good Distribution Practice]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-17(2)]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-17(2)]
   | style="background-color:white;" |'''35.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.
   | style="background-color:white;" |'''35.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.
  |-  
  |-  
Line 618: Line 618:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SC-13 and SC-28(1)]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SC-13 and SC-28(1)]
   | style="background-color:white;" |'''35.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within.
   | style="background-color:white;" |'''35.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within.
  |-  
  |-  
Line 624: Line 624:
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.2.2.1]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.2.2.1]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2.2]<br />
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-3]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-2, IA-2(1–4), and IA-8]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-2, IA-2(1–4), and IA-8]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, MA-4]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, MA-4]
   | style="background-color:white;" |'''35.3''' The system should be able to support multifactor authentication.
   | style="background-color:white;" |'''35.3''' The system should be able to support multifactor authentication.
  |-
  |-
Line 632: Line 632:
   | style="background-color:white;" |'''35.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.
   | style="background-color:white;" |'''35.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, IA-7]
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, IA-7]
   | style="background-color:white;" |'''35.5''' The system should provide a means for authenticating an individual seeking to access any embedded cryptographic module within the system, as well as the individual's role in performing services within the module.
   | style="background-color:white;" |'''35.5''' The system should provide a means for authenticating an individual seeking to access any embedded cryptographic module within the system, as well as the individual's role in performing services within the module.
  |-
  |-
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SC-15]
   | style="padding:5px; width:500px;" |[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, SC-15]
   | style="background-color:white;" |'''35.6''' The system should prevent connected collaborative computing devices (e.g., cameras, microphones, interactive whiteboards) from being activated without explicit permission from the end user, and it should provide a clear indication of any activation to the end user.
   | style="background-color:white;" |'''35.6''' The system should prevent connected collaborative computing devices (e.g., cameras, microphones, interactive whiteboards) from being activated without explicit permission from the end user, and it should provide a clear indication of any activation to the end user.
  |-  
  |-  
Line 667: Line 667:
  |-
  |-
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />
   | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AC-6]
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 5, AC-6]
   | style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
   | style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
  |-
  |-
|}
|}
|}
|}

Revision as of 22:49, 3 May 2022

Regulation, Specification, or Guidance Requirement
ASTM E1578-18 E-17-1
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice 		31.1 System functionality should support ALCOA principles.

ASTM E1578-18 E-17-2
EPA 815-R-05-004 Chap. IV, Sec. 8
A2LA C211 4.13.2.3
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice
EPA ERLN Laboratory Requirements 4.8.6
EPA ERLN Laboratory Requirements 4.9.1 and 4.9.7
NIST 800-53, Rev. 5, SI-12

31.2 The system shall protect entered data so as to prevent it from being obscured by new data, keeping both the old and current data available for review.

ASTM E1578-18 E-17-3
21 CFR Part 58.190
42 CFR Part 93.305
42 CFR Part 93.310
CLSI QMS22 2.2.2.2
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice
EPA 815-R-05-004 Chap. IV, Sec. 8
EPA ERLN Laboratory Requirements 4.3.4.1
EPA ERLN Laboratory Requirements 4.8.6
EPA ERLN Laboratory Requirements 4.8.9
EPA ERLN Laboratory Requirements 4.9.9
NIST 800-53, Rev. 5, SI-12
OECD GLP Principles 10
USDA Administrative Procedures for the PDP 5.2.1
USDA Data and Instrumentation for PDP 8.1.3

31.3 The system shall securely maintain a true, readable copy of an instrument's original (raw) data for on-demand review.

7 CFR Part 91.30
7 CFR Part 331.17 (c)
9 CFR Part 2.35
9 CFR Part 121.17 (c)
10 CFR Part 20.2103–10
10 CFR Part 30.34 (g)
10 CFR Part 30.51–2
21 CFR Part 11.10 (c)
21 CFR Part 58.195
21 CFR Part 211.180
21 CFR Part 212.110 (c)
21 CFR Part 225.42 (b-8)
21 CFR Part 225.58 (c–d)
21 CFR Part 225.102
21 CFR Part 225.110
21 CFR Part 225.158
21 CFR Part 225.202
21 CFR Part 226.42 (a)
21 CFR Part 226.58 (f)
21 CFR Part 226.102
21 CFR Part 226.115
21 CFR Part 312.57
21 CFR Part 312.62
21 CFR Part 606.160 (d)
21 CFR Part 812.140 (d)
21 CFR Part 820.180 (b)
29 CFR Part 1910.1030 (h-2)
40 CFR Part 141.33
40 CFR Part 141.722
40 CFR Part 262.11 (f)
40 CFR Part 262.40
40 CFR Part 262.213
40 CFR Part 704 Subpart A
40 CFR Part 717.15 (d)
42 CFR Part 73.17 (c)
42 CFR Part 93.313 (h)
42 CFR Part 93.317
42 CFR Part 493.1105
42 CFR Part 493.1283
45 CFR Part 164.105
45 CFR Part 164.316
45 CFR Part 164.530
A2LA C223 5.4
A2LA C223 5.9
AAFCO QA/QC Guidelines for Feed Laboratories Sec. 2.4.4 or 3.1
AAVLD Requirements for an AVMDL Sec. 4.10.1.2
AAVLD Requirements for an AVMDL Sec. 4.10.2.1
AAVLD Requirements for an AVMDL Sec. 5.4.3.2
ABFT Accreditation Manual Sec. E-33
ACMG Technical Standards for Clinical Genetics Laboratories C1.5
ACMG Technical Standards for Clinical Genetics Laboratories C5.6
ACMG Technical Standards for Clinical Genetics Laboratories E2.1
AIHA-LAP Policies 2022 2A.7.5.1
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.14.1.2 and 4.15.1.2
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.9.3.6 and 5.9.7
ASTM E1578-18 E-17-4
CAP Laboratory Accreditation Manual
CDC Biosafety in Microbiological and Biomedical Laboratories (BMBL), 6th Edition
CJIS Security Policy 5.3.4
CJIS Security Policy 5.4.6–7
CJIS Security Policy 5.5.2.1
CLSI QMS22 2.8.3
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice
E.U. Annex 11-7.1
E.U. Commission Directive 2003/94/EC Article 9.1
E.U. Commission Directive 2003/94/EC Article 11.4
EPA 815-R-05-004 Chap. III, Sec. 15
EPA 815-R-05-004 Chap. IV, Sec. 8
EPA ERLN Laboratory Requirements 4.9.18
EPA ERLN Laboratory Requirements 4.11.17
EPA QA/G-5 2.1.9
ICH GCP 4.9.5
ISO 15189:2012 4.3
ISO/IEC 17025:2017 8.4.2
NIST 800-53, Rev. 5, AT-4
NIST 800-53, Rev. 5, AU-11 and AU-11(1)
NIST 800-53, Rev. 5, SI-12
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards
OECD GLP Principles 10
USDA Administrative Procedures for the PDP 5.4
USDA Sampling Procedures for PDP 6.5
WHO Technical Report Series, #986, Annex 2, 15.8–9

31.4 The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.
ASTM E1578-18 E-17-6
CJIS Security Policy 5.4.4
NIST 800-53, Rev. 5, AU-8 		31.5 The system shall accurately reflect the system date and time in its use of electronic record time stamps.
APHL 2019 LIS Project Management Guidebook
ASTM E1578-18 E-17-7
CJIS Security Policy 5.6.1 		31.6 The system shall require each and every user to be assigned a unique user ID.

ASTM E1578-18 E-17-8
21 CFR Part 11.10 (e)
CJIS Security Policy 5.4.5
E.U. Annex 11-9
NIST 800-53, Rev. 5, AU-9

31.7 The system shall prevent the modification, deletion, or disabling of its audit trail, as well as record such attempts.
CJIS Security Policy 5.4.2
NIST 800-53, Rev. 5, AU-5
NIST 800-53, Rev. 5, SI-4 		31.8 The system shall be capable of identifying instances of audit processing failure (e.g., write errors, general failure of the audit tool, etc.), sending alerts or notifications to appropriate personnel in such cases.
Regulation, Specification, or Guidance Requirement
ASTM E1578-18 S-1-1
APHL 2019 LIS Project Management Guidebook 		32.1 The system shall provide tools to enter and manage user-configurable lookup or master data.
ASTM E1578-18 S-1-2 32.2 The system shall allow authorized users to configure the specification limits for sample and instrument tests.
45 CFR Part 162.1002
USDA Sampling Procedures for PDP 6.3.2 		32.3 The system shall allow system nomenclature to be configured to use specific data code sets—such as the International Classification of Diseases or the Healthcare Common Procedure Coding System—or mandated terminology to support regulatory requirements.
ASTM E1578-18 S-1-3 32.4 The system should allow authorized personnel to configure the review and approval of multiple tests at the sample, batch, project, and experiment levels.
ASTM E1578-18 S-1-4 32.5 The system should allow warning and material specification limits to be entered and configured so as to allow their comparison against entered results and determinations for determining whether the results meet those specifications or limits.
21 CFR Part 211.100 (b)
21 CFR Part 211.160 (a) 		32.6 The system should provide a configurable means of allowing the system to automatically save after each entry to help meet ALCOA, CGMP, and other requirements to contemporaneously record data into records.

40 CFR Part 3.10
40 CFR Part 3.2000
ACMG Technical Standards for Clinical Genetics Laboratories C13.3
ASTM E1578-18 S-1-5

32.7 The system should provide a configurable (based on sample, test, or both) means of permitting electronic signatures for both entered results and approved reports.
ASTM E1578-18 S-1-6 32.8 The system should be capable of providing a complete list of all pending tests loaded in the system, the amount of material required for each test, and to which location the associated samples are to be sent for testing.
ASTM E1578-18 S-1-7 32.9 The system shall support configurable laboratory workflows based on appropriate laboratory process and procedure.
ASTM E1578-18 S-1-8 32.10 The system shall allow authorized personnel to assign status values for purposes of tracking sample progress or other portions of laboratory workflow.
21 CFR Part 211.68
APHL 2019 LIS Project Management Guidebook
ASTM E1578-18 S-1-9 		32.11 The system should allow authorized personnel to perform revision control of lookup or master data.
ASTM E1578-18 S-1-10
APHL 2019 LIS Project Management Guidebook 		32.12 The system should provide a means for importing lookup or master data.

AIHA-LAP Policies 2022 2A.7.8.4
ASTM E1578-18 S-1-11
EPA ERLN Laboratory Requirements 4.11.6
USDA Data and Instrumentation for PDP 9.1

32.13 The system shall be able to define the number of significant figures (i.e., set rounding rules) for reported numeric data.
ASTM E1578-18 S-1-12 32.14 The system should allow calculated limits to be created and managed based on test results and relevant metadata.
ASTM E1578-18 S-1-13
EPA ERLN Laboratory Requirements 3.2.6
EPA ERLN Laboratory Requirements 4.9.11 		32.15 The system should provide a clear alert or notification upon entry of out-of-specification results.
ASTM E1578-18 S-1-14 32.16 The system shall allow authorized personnel to update static and dynamic data.
ASTM E1578-18 S-1-15 32.17 The system should allow workflow events and status changes to trigger one or more user-defined actions.
ASTM E1578-18 S-1-17

CJIS Security Policy 5.7.1
NIST 800-53, Rev. 5, AC-6(1)
NIST 800-53, Rev. 5, CM-7

32.18 The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.
ASTM E1578-18 S-1-18
CAP Laboratory Accreditation Manual 		32.19 The system should allow administrators to programmatically customize system modules or build calculations within the application, while also accurately documenting those system modifications.
ASTM E1578-18 S-1-19 32.20 The system should provide a multiuser interface that can be configured to local user needs, including display language, character sets, and time zones.
21 CFR Part 11.100 (a)

ASTM E1578-18 S-1-20
E.U. Annex 11-14
NIST 800-53, Rev. 5, CM-5(1)

32.21 The system should support rules governing electronic records and electronic signatures in regulated environments.

7 CFR Part 331.11
9 CFR Part 121.11
10 CFR Part 20.2110
10 CFR Part 30.51 (c-1
21 CFR Part 11.10 (d)
21 CFR Part 211.68
42 CFR Part 73.11
45 CFR Part 164.308
A2LA C211 4.13.1.4
A2LA C211 5.4.7.2
AAVLD Requirements for an AVMDL Sec. 4.10.1.3–4
AAVLD Requirements for an AVMDL Sec. 5.4.4.1
ACMG Technical Standards for Clinical Genetics Laboratories C5.3
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.4.7.2.1
ASTM E1492-11 4.2.4
ASTM E1578-18 S-1-16
ASTM E1578-18 S-1-21
CJIS Security Policy 5.5.2
CLSI QMS22 2.4.3
E.U. Annex 11-12
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
EPA ERLN Laboratory Requirements 4.1.14–15
EPA ERLN Laboratory Requirements 4.9.4 and 4.9.14
ICH GCP 2.10
ISO/IEC 17025:2017 7.11.3
NIST 800-53, Rev. 5, CM-5 and CM-5(1)
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards
USDA Administrative Procedures for the PDP 5.2.4
WHO Technical Report Series, #986, Annex 2, 15.9

32.22 The system shall provide a security interface usable across all modules of the system that secures data and operations and prevents unauthorized access to data and functions.
CJIS Security Policy 5.5.2.2–3
EPA ERLN Laboratory Requirements 4.1.14–15

NIST 800-53, Rev. 5, AC-2(11)

32.23 The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.
ASTM E1578-18 S-1-22
NIST 800-53, Rev. 5, IA-2(10) 		32.24 The system should support single sign-on such that a user can log in once and access all permitted functions and data.

21 CFR Part 11.200 (a)
45 CFR Part 164.312
45 CFR Part 170.315 (d)
APHL 2019 LIS Project Management Guidebook
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.4.7.2.1
ASTM E1578-18 E17-5 and S-3-1
CJIS Security Policy 5.6.1
CLSI QMS22 2.4.2.2
E.U. Annex 11-14
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 7.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
EPA ERLN Laboratory Requirements 4.9.4
ISO 15189:2012 5.10.3
NIST 800-53, Rev. 5, AC-2(7) and AC-3
NIST 800-53, Rev. 5, IA-2, IA-5, and IA-8
NIST 800-53, Rev. 5, MA-4
WHO Technical Report Series, #986, Annex 2, 15.9

32.25 The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.

21 CFR Part 11.300 (a)
ASTM E1578-18 E17-5 and S-3-1
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
ISO 15189:2012 5.10.3
NIST 800-53, Rev. 5, IA-4 and IA-5

32.26 The system shall prevent the same combination of identification components from being used across more than one account.

21 CFR Part 11.300 (b)
ASTM E1578-18 E17-5 and S-3-1
CLSI QMS22 2.4.2
ISO 15189:2012 5.10.3
NIST 800-53, Rev. 5, IA-5 and IA-5(1)

32.27 The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.
CJIS Security Policy 5.6.3.1
NIST 800-53, Rev. 5, AC-2(3)

NIST 800-53, Rev. 5, IA-4 and IA-5(1)
NIST 800-53, Rev. 5, PS-4

32.28 The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.
CJIS Security Policy 5.5.2.2
NIST 800-53, Rev. 5, AC-10 		32.29 The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.
CJIS Security Policy 5.5.4
NIST 800-53, Rev. 5, AC-8 		32.30 The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.

21 CFR Part 11.300 (d)
21 CFR Part 211.68
21 CFR Part 211.100
21 CFR Part 211.160 (a)
21 CFR Part 211.188
21 CFR Part 211.194
A2LA C211 4.13.2.1
ASTM E1578-18 E17-5 and S-3-1
CAP Laboratory Accreditation Manual
CJIS Security Policy 5.4.1.1
CLSI QMS22 2.4.4
E.U. Commission Directive 2003/94/EC Article 9.2
ISO 15189:2012 5.10.3
NIST 800-53, Rev. 5, CM-5(1)
WHO Technical Report Series, #986, Annex 2, 15.9

32.31 The system shall keep an accurate audit trail of login activities, including failed login attempts, unauthorized logins, and electronic signings.

21 CFR Part 11.300 (d)
ASTM E1578-18 E17-5 and S-3-1
CJIS Security Policy 5.5.3
ISO 15189:2012 5.10.3
NIST 800-53, Rev. 5, AC-7

32.32 The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.
21 CFR Part 11.200 (a)
ASTM E1578-18 S-3-1 		32.33 The system shall require at least one unique identification component for additional electronic signings (beyond initial login) during a single, continuous session.

7 CFR Part 331.11
9 CFR Part 121.11
21 CFR Part 11.200 (a)
21 CFR Part 211.68 (b)
21 CFR Part 211.188 (b-11)
21 CFR Part 211.194 (a-7 and a-8)
21 CFR Part 212.50 (c-10)
42 CFR Part 73.11
ASTM E1578-18 S-3-1
CJIS Security Policy 5.6.3.2
NIST 800-53, Rev. 5, IA-5

32.34 The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.

7 CFR Part 331.11
9 CFR Part 121.11
21 CFR Part 11.10 (d)
42 CFR Part 73.11
42 CFR Part 493.1231
45 CFR Part 164.308
45 CFR Part 164.514
45 CFR Part 170.315 (d)
ASTM E1578-18 S-1-25
CJIS Security Policy 5.5.1
EPA ERLN Laboratory Requirements 4.1.14–15
NIST 800-53, Rev. 5, AC-3
NIST 800-53, Rev. 5, IA-2, IA-5, and IA-8

32.35 The system shall support the ability to initially assign new individual users to system groups, roles, or both.

21 CFR Part 11.100 (a)
45 CFR Part 164.312
ASTM E1578-18 S-1-24
E.U. Annex 11-14

32.36 The system shall force a user's electronic signature to be unique and traceable to a specific user's account.
21 CFR Part 11.100 (a)
ASTM E1578-18 S-1-24
 32.37 The system shall prevent the reuse or reassignment of a user's electronic signature.
21 CFR Part 11.50
E.U. Annex 11-14 		32.38 When the system generates a complete and accurate copy of an electronically signed record, it shall also display the printed name of the signer, the date and time of signature execution, and any applicable meaning associated with the signature. This shall be applicable for both electronically displayed and printed copies of the electronic record.
ASTM E1578-18 S-1-26
APHL 2019 LIS Project Management Guidebook
CLSI QMS22 2.8.5.3 		32.39 The system should provide a means to migrate static data into the system.
NIST 800-53, Rev. 5, IA-5(1) and IA-5(4)
CLSI QMS22 2.4.2 		32.40 The system should provide a means for automatically authenticating if a user's proposed password meets the length, complexity, minimum number of changed characters, and other requirements as configured by the administrator or another authorized system user.
NIST 800-53, Rev. 5, IA-6 32.41 The system should provide a means for obscuring authentication feedback as it is entered into the system, e.g., displaying asterisks rather than the typed password or displaying actual typed feedback for a distinctly short period of time before obscuring it.
Regulation, Specification, or Guidance Requirement
ASTM E1578-18 S-2-1
CJIS Security Policy Appendix G.8
NIST 800-53, Rev. 5, SA-4(3) 		33.1 The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.
ASTM E1578-18 S-2-2
NIST 800-53, Rev. 5, SA-4(2) 		33.2 The vendor should be willing to provide access to source code through a suitable escrow.
ASTM E1578-18 S-2-3 33.3 The system should be able to document a summary and evaluation of enterprise performance markers and processes.

A2LA C211 5.4.7.2
ASTM E1578-18 S-2-4
ISO 15189:2012 5.10.3
ISO/IEC 17025:2017 7.11.5
NIST 800-53, Rev. 5, SA-4(1), SA-4(2), and SA-5

33.4 The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.

21 CFR Part 11.10 (a)
21 CFR Part 820.70 (i)
A2LA C211 5.4.7.2
ACMG Technical Standards for Clinical Genetics Laboratories C5.7
CAP Laboratory Accreditation Manual
CLSI QMS22 2.5
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice
E.U. Annex 11-11
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
E.U. Commission Directive 2003/94/EC Article 9.2
ISO 15189:2012 5.10.3
ISO/IEC 17025:2017 7.11.2
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards
OECD GLP Principles 4.1

33.5 The system shall be validated initially and periodically, with those validation activities being documented, to ensure the accuracy, consistency, and reliability of system performance and its electronic records.
ASTM E1578-18 S-2-2
CLSI QMS22 2.5
E.U. Annex 11-4 		33.6 The documentation associated with system validation shall discuss all applicable steps of the life cycle, justify applied methods and standards, and include change control records and observed deviations during validation, if applicable.
Regulation, Specification, or Guidance Requirement

21 CFR Part 11.200 (a)
45 CFR Part 164.312
45 CFR Part 170.315 (d-5)
ASTM E1578-18 S-3-1
CJIS Security Policy 5.5.5
CLSI QMS22 2.4.2
NIST 800-53, Rev. 5, AC-11 and AC-12

34.1 The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials. The system shall also be able to display an explicit message indicating how much time remains before the user session terminates.
ASTM E1578-18 S-3-2 34.2 The system should provide a means for modifying personnel data in a batch.
ASTM E1578-18 S-3-3 34.3 The system should support the storage of standard and industry-specific data formats.

7 CFR Part 331.11
9 CFR Part 121.11
21 CFR Part 11.10 (d)
21 CFR Part 211.68 (b)
42 CFR Part 73.11
45 CFR Part 164.308
45 CFR Part 164.514
APHL 2019 LIS Project Management Guidebook
ASTM E1578-18 S-3-7
CJIS Security Policy 5.5.1
CJIS Security Policy 5.5.2.4
CJIS Security Policy Appendix G.5
CLSI QMS22 2.4.2
EPA 815-R-05-004 Chap. IV, Sec. 8.6
EPA 815-R-05-004 Chap. VI, Sec. 8.6
EPA ERLN Laboratory Requirements 4.1.14–15
ISO 15189:2012 5.10.2
NIST 800-53, Rev. 5, AC-2(7) and AC-3
NIST 800-53, Rev. 5, IA-2 and IA-8
NIST 800-53, Rev. 5, MA-4
NIST 800-53, Rev. 5, PS-4 and PS-5
USDA Administrative Procedures for the PDP 5.2.4
USDA Administrative Procedures for the PDP 5.5.1.2

34.4 The system shall support the ability to define, record, and change the level of access for individual users to system groups, roles, machines, processes, and objects based on their responsibilities, including when those responsibilities change. The system should be able to provide a list of individuals assigned to a given system group, role, machine, process, or object.
ASTM E1578-18 S-3-8 34.5 The vendor should provide maintenance agreements and support services for its applications and services.
ASTM E1578-18 S-3-9

E.U. Annex 11-3.3
NIST 800-53, Rev. 5, SA-16
USDA Administrative Procedures for the PDP 5.2.4

34.6 The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.

7 CFR Part 331.11
9 CFR Part 121.11
21 CFR Part 11.10 (c)
42 CFR Part 73.11
45 CFR Part 164.310
AAVLD Requirements for an AVMDL Sec. 5.4.4.3
ABFT Accreditation Manual Sec. D-5–D-8
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.4.7.2.1
ASTM E1492-11 4.2.4
CJIS Security Policy 5.5.2
CJIS Security Policy 5.8.1
EPA ERLN Laboratory Requirements 4.9.6
E.U. Annex 11-7.1
E.U. Annex 11-12
ISO 15189:2012 5.10.2
ISO/IEC 17025:2017 7.11.3
NIST 800-53, Rev. 5, MA-5
NIST 800-53, Rev. 5, MP-2
NIST 800-53, Rev. 5, PE-3, PE-3(1), PE-6, PE-6(1), and PE-6(4)
USDA Administrative Procedures for the PDP 5.2.1

34.7 The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)
CJIS Security Policy 5.5.1 34.8 The system shall be able to tag and document an individual, group, and system account as having been validated for regulatory purposes, and remind the administrator or authorized personnel on a configurable schedule when the account should be validated again.

7 CFR Part 331.17
9 CFR Part 121.17
42 CFR Part 73.17
ASTM E1578-18 S-3-10

34.9 The system should provide a means of integrating with an enterprise personnel security directory, as well as physical security systems.

7 CFR Part 331.11
9 CFR Part 121.11
42 CFR Part 73.11
ACMG Technical Standards for Clinical Genetics Laboratories C5.7
APHL 2019 LIS Project Management Guidebook
ASTM E1578-18 S-3-11
CJIS Security Policy 5.10.4.1
CLSI QMS22 2.1.4
CLSI QMS22 2.6.1
EPA ERLN Laboratory Requirements 4.9.13
NIST 800-53, Rev. 5, SI-2(5)
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards

34.10 The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.
ASTM E1578-18 S-3-12 34.11 The system shall provide a means for migrating data to a new release upon system upgrade.
ASTM E1578-18 S-3-13 34.12 The system should be expedient with the retrieval of stored items.

21 CFR Part 11.10 (b)
APHL 2019 LIS Project Management Guidebook
E.U. Annex 11-5
E.U. Annex 11-8.1

34.13 The system shall allow the printing of stored electronic records in a complete, accurate, and human-readable format.
ASTM E1578-18 S-3-14 34.14 The system should provide some sort of support for use on mobile technologies, particularly for the purpose of receiving notifications and monitoring processes.
ASTM E1578-18 S-3-15

EPA ERLN Laboratory Requirements 4.9.13
NIST 800-53, Rev. 5, CM-3(2)
NIST 800-53, Rev. 5, SI-2

34.15 The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.
Regulation, Specification, or Guidance Requirement

42 CFR Part 493.1231
45 CFR Part 164.312
45 CFR Part 170.315 (d-9)
ASTM E1578-18 S-4-1
CJIS Security Policy 5.6.4
CJIS Security Policy 5.8.2.1
CJIS Security Policy 5.10.1.2
CJIS Security Policy Appendix G.6
CLSI QMS22 2.2.3.2
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice
NIST 800-53, Rev. 5, AC-17(2)

35.1 The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.

42 CFR Part 493.1231
45 CFR Part 164.312
45 CFR Part 170.315 (d)
ACMG Technical Standards for Clinical Genetics Laboratories C1.6
ASTM E1578-18 S-4-2
CJIS Security Policy 5.5.2.4
CJIS Security Policy 5.10.1.2
CJIS Security Policy Appendix G.6
NIST 800-53, Rev. 5, SC-13 and SC-28(1)

35.2 The system should support database encryption and be capable of recording the encryption status of the data contained within.
42 CFR Part 493.1231

CJIS Security Policy 5.6.2.2.1
CLSI QMS22 2.4.2.2
NIST 800-53, Rev. 5, AC-3
NIST 800-53, Rev. 5, IA-2, IA-2(1–4), and IA-8
NIST 800-53, Rev. 5, MA-4

35.3 The system should be able to support multifactor authentication.
45 CFR Part 170.202
45 CFR Part 170.315 (h) 		35.4 The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.
NIST 800-53, Rev. 5, IA-7 35.5 The system should provide a means for authenticating an individual seeking to access any embedded cryptographic module within the system, as well as the individual's role in performing services within the module.
NIST 800-53, Rev. 5, SC-15 35.6 The system should prevent connected collaborative computing devices (e.g., cameras, microphones, interactive whiteboards) from being activated without explicit permission from the end user, and it should provide a clear indication of any activation to the end user.
Regulation, Specification, or Guidance Requirement
45 CFR Part 164 Subpart E
ACMG Technical Standards for Clinical Genetics Laboratories G17.2
ASTM E1578-18 S-5-1
CAP Laboratory Accreditation Manual 		36.1 The system shall comply with privacy protection compliance like that found in HIPAA provisions.

10 CFR Part 20.2106 (d)
45 CFR Part 164.105
45 CFR Part 164 Subpart C
45 CFR Part 170.315 (d)
ASTM E1578-18 S-5-2
ICH GCP 2.11
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards

36.2 The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.
45 CFR Part 164.514
ACMG Technical Standards for Clinical Genetics Laboratories C5.5
CAP Laboratory Accreditation Manual 		36.3 The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.
45 CFR Part 164 Subpart E

NIST 800-53, Rev. 5, AC-6

36.4 The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.
Retrieved from "https://www.limswiki.org/index.php?title=User:Shawndouglas/sandbox/sublevel25&oldid=47608"