Quick summary: Compliance as Code (CaC) frameworks such as Azure Blueprints and AWS Conformance Packs let you configure security, operational, and cost-governance checks through managed or custom rules. They are a powerful part of a compliance program, but configuration is not the same as regulatory compliance. For FDA-regulated systems, you still need to verify the configuration, validate the system for its intended use, and document inspection and testing. This article explains the distinction and how USDM Cloud Assurance closes the gap.
Compliance blueprints alone are not enough
Azure and AWS have compliance blueprints, and we've received many questions about this new code-based configuration for compliance settings. The short answer is that blueprints alone are not enough to be compliant.
The Quality System regulation requires installation and inspection procedures (including testing where appropriate) as well as documentation of inspection and testing to demonstrate proper installation and configuration. (See 21 CFR §820.170.) Likewise, manufacturing equipment must meet specified requirements, and automated systems must be validated for their intended use. (See 21 CFR §820.70(g) and 21 CFR §820.70(i), respectively.)
What Compliance as Code (CaC) actually does
Compliance as Code (CaC) (Azure Blueprints, AWS Conformance Packs, etc.) provides a general-purpose compliance framework designed to configure security, operational, or cost-optimization governance checks using managed or custom configuration rules and remediation actions. While CaC helps you assess compliance with the configuration, there often is not a one-to-one or complete match between a configured control and one or more regulatory requirements. Compliance in CaC refers only to the configuration itself; it doesn't ensure you're fully compliant with all regulatory requirements.
CaC consists of configuration templates (as opposed to manually configuring the system from a configuration specification document); those templates are not designed to fully ensure compliance with a specific governance or compliance standard. CaC is one part of your overall compliance responsibilities: it helps ensure the configuration of the system meets your intended use and other applicable legal and regulatory requirements, but it does not discharge those responsibilities on its own.
The key distinction: CaC tells you whether your environment matches a configuration template. It does not tell you whether that configuration satisfies a specific regulatory requirement such as 21 CFR Part 11. Mapping configured controls to regulatory intent, and proving that mapping, remains your responsibility.
Configuration verification is essential to software validation
Verifying the configuration (whether applied via CaC or manually) is essential to software validation. The configuration must be reviewed and approved before provisioning, and the provisioned, configured environment must then be tested. A risk-based, Computer Software Assurance (CSA) approach helps you focus that testing effort where patient safety and product quality risk is highest, rather than treating every control equally. USDM initial qualification and Cloud Assurance services take care of that for you.
From configuration to validated, compliant environment
- Configure — Use CaC (Azure Blueprints, AWS Conformance Packs) to apply security, operational, and cost-governance controls as code.
- Map — Trace each configured control to the regulatory and quality requirements it is intended to satisfy. The security checks CaC enforces should align with your broader life sciences cybersecurity posture.
- Verify — Review and approve the configuration before provisioning, then test the provisioned environment to confirm intended use.
- Sustain — Keep the environment in a validated, compliant state as the cloud platform changes over time.
USDM Cloud Assurance services
USDM's Cloud Assurance services for AWS or Azure include:
- Vendor Assurance Report
- Qualification Plan
- Configuration Specification – Review and supplement AWS/Azure Conformance Pack
- Functional Specification & Risk Assessment
- Automated Execution Configuration Verification
- Automated Execution High-Risk Test Scripts
- Automated Summary Report with Trace Matrix
- 12 months of USDM Cloud Assurance™ continuous compliance
As governance frameworks increasingly extend to AI and automated decision systems, the same principle applies: configuration and policy are inputs, not proof. A structured approach to AI governance and compliance brings the same verify-and-validate discipline to emerging technologies.
FAQ: Compliance as Code in regulated environments
Does using Azure Blueprints or AWS Conformance Packs make my system compliant?
No. Blueprints and Conformance Packs apply configuration templates and assess whether your environment matches them. That is valuable, but compliance in CaC refers only to the configuration itself. It does not, on its own, demonstrate full compliance with all applicable regulatory requirements.
What is the difference between Compliance as Code and regulatory compliance?
CaC is a general-purpose framework for configuring security, operational, and cost-governance checks as code. There often is not a one-to-one match between a configured control and a specific regulatory requirement. Regulatory compliance requires mapping those controls to requirements, validating the system for its intended use, and documenting the evidence.
Why is configuration verification part of software validation?
The Quality System regulation requires installation and inspection procedures and documentation that demonstrate proper installation and configuration. Whether the configuration is applied via CaC or manually, it must be reviewed, approved before provisioning, and tested in the provisioned environment to confirm intended use.
How does USDM help with cloud compliance?
USDM provides initial qualification and Cloud Assurance services for AWS and Azure, including a Vendor Assurance Report, qualification plan, configuration specification review, functional specification and risk assessment, automated configuration verification and high-risk test scripts, an automated summary report with trace matrix, and 12 months of continuous compliance.
Talk to USDM about validating your cloud environment
Compliance as Code accelerates how you configure governance controls, but it is one part of a larger validation and compliance responsibility. USDM helps you verify configurations, validate systems for intended use, and keep regulated cloud environments compliant over time. Contact us to discuss your AWS or Azure environment and how USDM Cloud Assurance can help.
