Code of Federal Regulations & Compliance
CFR overview
The Code of Federal Regulations (CFR) contains the rules and regulations for executive departments and agencies of the US federal government. Each of the 50 titles of the CFR addresses a different regulated area.
The Code of Federal Regulations (CFR) regulates government-required documents in the United States. The regulations outlined in the CFR (all Titles and Sections) set the ground rules for the technology systems that manage information used by organizations subject to government oversight. Any technology system that governs such processes also requires validation of its adherence to the Code of Federal Regulations (CFR). See SOC I and SOC II hosting compliance and security.
The Code of Federal Regulations (CFR) sets requirements to ensure that electronic records and signatures are trustworthy, reliable, and equivalent substitutes for paper records and handwritten signatures. It also offers guidelines to improve the security of computer systems in government-regulated industries. Subject companies must prove that their processes and products work as they are designed to, and if these processes and products change, they must revalidate that proof. The best practices guidelines cover:
- Standard operating procedures and controls that support electronic records and signatures such as data backup, security, and computer system validation.
- Features that ensure that the computer system is secure, contains audit trails for data values, and ensures the integrity of electronic signatures.
- Validation and documentation that supply evidence that the system does what is intended, and that users can detect when the system is not working as designed.
Centralpoint and/or Rackspace and The Code of Federal Regulations (CFR - All Sections)
Centralpoint and/or Rackspace enterprise cloud services undergo regular independent third-party SOC 1 Type 2 and SOC 2 Type 2 audits and are certified according to ISO/IEC 27001 and ISO/IEC 27018 standards.
Although these regular audits and certifications do not specifically focus on U.S. Government regulatory compliance, their purpose and objectives are similar and serve to help ensure the confidentiality, integrity, and availability of data stored in Centralpoint and/or Rackspace cloud services. Our qualification approach is also based on industry best practices, Good Practices for Computerized Systems in Regulated CFR and/or GxP Environments.
Customers can request access to the compliance reports, subject to nondisclosure agreement terms and conditions, through their Centralpoint and/or Rackspace account representative, or through Rackspace.com. In addition, qualification guidelines for Centralpoint and/or Rackspace Azure and Centralpoint and/or Rackspace Office 365 provide a detailed explanation of how Centralpoint and/or Rackspace audit controls correspond to the requirements of The Code of Federal Regulations, guidance for implementing a government qualification strategy, and a description of areas of shared responsibility.
Centralpoint and/or Rackspace in-scope cloud platforms & services
Although there is no certification for complying with the Code of Federal Regulations, the following Centralpoint and/or Rackspace enterprise cloud services have undergone independent, third-party audits, which may help customers in their compliance efforts. These services include:
- Rackspace Private and Hybrid Cloud
- Azure: Cloud Services, Storage, Traffic Manager, Virtual Machines, and Virtual Network
- Azure DevOps
- Intune
- Office 365 and Office 365 U.S. Government
Audits, reports, and certificates
The audit reports for SOC 1 and SOC 2 Type 2, ISO/IEC 27001 and ISO/IEC 27018 standards attest to the effectiveness of the controls Centralpoint and/or Rackspace has implemented and may help customers in their compliance with The Code of Federal Regulations.
Frequently asked questions
To whom does the standard apply?
The Code of Federal Regulations applies to organizations with products and services that deal in government regulated aspects of the research, clinical study, maintenance, manufacturing, and distribution of life science products.
How do Centralpoint and/or Rackspace enterprise cloud services demonstrate compliance with the Code of Federal Regulations (CFR)?
Using the formal audits prepared by third parties for SOC 1 Type 2, SOC 2 Type 2, ISO/IEC 27001, and ISO/IEC 27018, Centralpoint and/or Rackspace are able to show how relevant controls noted within these reports address the requirements.
Audited controls implemented by Centralpoint and/or Rackspace help ensure the confidentiality, integrity, and availability of data, and correspond to the applicable regulatory requirements defined in Title 21 Part 11 that have been identified as the responsibility of Centralpoint and/or Rackspace. The qualification guidelines for Azure and Office 365 detail how Centralpoint and/or Rackspace audit controls correspond to those requirements.
How can I get copies of the auditor's reports?
Rackspace provides independently audited compliance reports. You can use the portal to request audit reports so that your auditors can compare Centralpoint and/or Rackspace's cloud services results with your own legal and regulatory requirements.
Can I use Centralpoint and/or Rackspace's compliance in the certification process for my organization?
Yes. The independent third-party compliance reports of the ISO/IEC 27001, ISO/IEC 27018, SOC 1, and SOC 2 standards attest to the effectiveness of Centralpoint and/or Rackspace controls. Centralpoint and/or Rackspace enterprise cloud customers may use the audited controls described in these related reports as part of their own CFR Title 21 Part 11 risk analysis and qualification efforts. Customers who build and deploy applications subject to U.S. Government regulation are responsible for ensuring that their applications meet U.S. Government requirements.
What are Centralpoint and/or Rackspace's responsibilities for maintaining compliance with this standard?
Centralpoint and/or Rackspace ensures that its enterprise cloud services meet the terms defined within the governing Service Level Agreements (SLAs). These terms define our responsibility for implementing and maintaining controls adequate to secure and monitor the system.