cfr11_computirizedsystem

| No. | CFR 21 Part Regulation | CFR 21 Part requirements |
|---|---|---|
| 1 | 11.10 (Controls for Closed Systems) | Users of closed systems must have procedures to guarantee the authenticity, integrity, and, if needed, confidentiality of electronic records. They must also prevent signers from disowning signed records. These measures should entail: |
| 2 | 11.10 (a) | Systems must be validated to guarantee accurate, reliable, and consistent performance as intended, as well as the capability to detect any invalid or altered records. |
| 3 | 11.10 (b) | Enable the creation of precise and comprehensive records that can be easily read by humans or accessed in digital format. |
| 4 | 11.10 (c) | Ensure records are safeguarded to allow for precise and effortless access. |
| 5 | 11.10 (d) | Restrict system access to only authorized individuals. |
| 6 | 11.10 (e) | Generate secure, computer-generated, and time-stamped audit trails. |
| 7 | 11.10 (f) | Implement operational system checks to ensure the correct sequence of steps and events is followed, as necessary. |
| 8 | 11.10 (g) | Conduct user authority verifications to monitor system activity, record signings, and record modifications. |
| 9 | 11.10 (h) | Validation of data input sources can be conducted through device checks. |
| 10 | 11.10 (i) | Ensure that individuals utilizing the electronic system have received the necessary training to effectively execute their designated responsibilities. |
| 11 | 11.10 (j) | Establishing and following written policies that enforce accountability and responsibility for actions taken using electronic signatures is crucial to discouraging falsification of records and signatures. |
| 12 | 11.10 (k) | Proper management of system documentation, including access for system operation and implementation of revision and change control procedures to track time-based system modifications, is essential. |

| No. | CFR 21 part | Requirement |
|---|---|---|
| 1 | 11.30 (Controls for Open Systems) | Enable document encryption to secure record confidentiality, and utilize digital signatures to ensure the authenticity and integrity of records. |
| 2 | 11.50(a) (Signature Manifestations) | Electronic records that have been signed are required to include the individual’s name, the date and time of the signing, as well as the intended purpose of the signature. |
| 3 | 11.50(b) | Items listed in section 11.50(a) are required to be present on all human-readable versions of the electronic record. |
| 4 | 11.70 (Signature/Record Linking) | Electronic signatures and handwritten signatures applied to electronic records must be connected to the corresponding electronic records. |
| 5 | 11.100 (a) (General Requirements) | Each electronic signature must be exclusive to a single individual and may not be recycled or reassigned to another person. |
| 6 | 11.100 (b) | Prior to an organization authorizing, designating, validating, or otherwise endorsing an individual’s electronic signature, or any component of said electronic signature, the organization must authenticate the identity of the individual. |
| 7 | 11.100 (c) | Before or at the time of using electronic signatures, individuals must confirm to the agency that their electronic signatures, utilized on or after August 20, 1997, are intended to hold the same legal weight as traditional handwritten signatures. |
| 8 | 11.100 (c)(1) | Please submit the certification in paper form and sign it with a traditional handwritten signature. |
| 9 | 11.100 (c)(2) | When requested by the agency, individuals who utilize electronic signatures must furnish supplementary certification or testimony affirming that the said electronic signature holds the same legal weight as a handwritten signature from the signatory. |

11.200 (a) (Electronic signature components and controls)

Non-biometric e-signatures require a minimum of two components, such as an identification code and password.

(1)(i) Continuous session: The initial signing should involve all components, with subsequent signings allowed to use just one component.

(1)(ii) If an individual completes multiple signings over separate sessions of controlled system access, they must utilize all electronic signature components for each signing.

Non-biometric electronic signatures should only be utilized by the legitimate owner.

Collaboration between two or more individuals is necessary when trying to use non-biometric e-signatures.

11.200 (b) (Controls for Identification codes or passwords)

Biometric e-signatures are intended for use solely by the authentic owner.

11.300 (a)

Ensure the integrity of the “ID code & password” pairing remains exclusive.

11.300 (b)

Regularly review identification codes and passwords. Enforce a password expiration policy.

11.300 (c)

Manage the loss of tokens, cards, or other devices, and handle replacements effectively.

11.300 (d)

Prevent unauthorized use of passwords and codes; detect and immediately report any such attempts.

11.300 (e)

Verify the functionality of devices such as tokens and cards, both initially and at regular intervals.
