21 CFR 117.35(c): What Auditors Actually Evaluate vs. What Facilities Think

Let me start with the actual regulatory text, because it matters more than most facilities realize.

21 CFR 117.35(c) states: "Effective measures must be taken to exclude pests from the manufacturing, processing, packing, and holding areas and to protect against the contamination of food on the premises by pests."

Read that again. The standard is effective measures. Not documented measures. Not contracted measures. Effective measures.

That single word — effective — is the source of most pest-related compliance failures in food facilities.

What Facilities Think Compliance Looks Like

In 25 years of working at the intersection of pest management and food safety, I have seen the same misunderstanding repeat across hundreds of facilities:

⚠️ Common Misconception

Most QA managers believe they comply with 21 CFR 117.35(c) if they can show: a signed pest control contract, monthly service visits, monitoring devices on a map, and service reports on file. That belief is incomplete — and dangerous.

Those elements are necessary. They are not sufficient. An FDA inspector or GFSI auditor evaluating 21 CFR 117.35(c) compliance is not checking whether you have a pest control program. They are checking whether your pest control program is working.

What Auditors Actually Evaluate

Based on documented FDA inspection patterns and GFSI audit protocols, here is what auditors are actually assessing when they review your pest control program:

1. Evidence of Effectiveness, Not Evidence of Activity

The pest control contractor's service report documents what was done. What the auditor wants to see is whether what was done actually worked. That requires trend data — device capture rates over time, frequency of findings by location, patterns that show the program is identifying and addressing issues before they escalate.

A facility that shows the same finding in the same location across three consecutive service reports, with no documented escalation, is not demonstrating effective measures. It is demonstrating a reactive program that is failing to prevent recurrence.

2. Corrective Action Closure, Not Corrective Action Documentation

Many facilities document corrective actions. Few facilities document corrective action closure — verified evidence that the action was taken, that it was effective, and that the finding did not recur.

Under 21 CFR 117.150 (Corrective Actions and Corrections), when a preventive control — which includes sanitation controls that encompass pest management — is not properly implemented or is found to be ineffective, the facility must identify and correct the problem and prevent it from recurring. That last part requires documented verification, not just a note that the PCO was called.

3. Root Cause Analysis, Not Symptom Response

Finding rodent droppings and increasing trap frequency is symptom response. Finding rodent droppings, identifying the entry point, sealing it, verifying the seal, and confirming no recurrence over the following 30 days is root cause resolution.

Auditors distinguish between these two approaches. FDA inspectors look for them explicitly in your corrective action records.

4. Multi-Department Ownership, Not Single-Function Accountability

Pest findings rarely have a single cause. A fruit fly finding near production drains involves sanitation (drain cleaning frequency), maintenance (drain integrity), operations (organic material management), and pest control (monitoring and treatment). When corrective action ownership is assigned only to pest control, the systemic factors go unaddressed — and the finding recurs.

Auditors look for evidence that pest findings triggered cross-departmental response, not just a PCO service call.

FSAI360 PCI Intelligence · Regulatory Interpretation Framework

The Four Dimensions of 21 CFR 117.35(c) Compliance

Dimension 1: Prevention

Structural exclusion, sanitation controls, harborage elimination. Evidence: maintenance records, exclusion assessments.

Dimension 2: Detection

Monitoring program with appropriate frequency, device placement rationale, trend tracking. Evidence: service reports, device maps, catch data.

Dimension 3: Response

Root cause investigation, cross-department corrective action, verified closure. Evidence: corrective action logs with verification dates.

Dimension 4: Improvement

Trend analysis, program review, escalation procedures. Evidence: quarterly reviews, management reporting, program updates.

How This Maps to GFSI Schemes

For facilities certified under GFSI-recognized schemes, the 21 CFR 117.35(c) framework maps directly to specific scheme requirements — with some schemes requiring even more:

SQF 11.4.1 requires a documented pest management program covering all ten elements including device maps, monitoring procedures, and trend documentation.

SQF 11.4.3 requires that all pest control activities be documented, including evidence that corrective actions from previous findings have been closed.

BRCGS 4.14 is particularly specific about site responsibility — the facility, not the PCO contractor, is accountable for ensuring that all PCO recommendations are acted upon. A PCO recommendation that was not implemented is a BRCGS non-conformance.

FSSC 22000 PAS 220 10.5 requires that when pest evidence is found, the pest management PRP (Prerequisite Program) must be reviewed for effectiveness. This is a mandatory step that many facilities skip — and auditors know to check for it.

The Question That Exposes Most Gaps

When I am working with a food facility on audit readiness, I ask one question that immediately reveals the state of their pest management compliance:

"Show me the last three pest findings at this facility, the corrective actions taken, and the evidence that those actions were effective."

The answers I get fall into three categories:

Category A (rare): They hand me a corrective action log with findings documented, actions assigned to specific owners with due dates, closure notes with dates, and follow-up inspection results confirming no recurrence. This facility will pass an audit on pest management.
Category B (common): They show me PCO service reports. The reports document that the PCO found activity and treated it. There is no facility-level corrective action record. The same area shows activity across multiple reports. This facility has significant exposure.
Category C (most common): They are not sure where those records are. The pest control company keeps the records. The facility has service reports on file but has not reviewed them for trends. This facility will receive a citation if FDA or a GFSI auditor arrives tomorrow.

What Actual Compliance Requires

Moving from Category C or B to Category A requires understanding that pest management compliance is a facility management function, not a contractor function. The PCO provides expertise and service. The facility owns the compliance system.

That means:

Reviewing every PCO service report within 48 hours of receipt and assigning facility-level corrective actions for every finding
Maintaining a corrective action register — separate from PCO reports — that tracks findings, assigned owners, due dates, and closure verification
Conducting quarterly trend reviews with QA, maintenance, sanitation, and operations to identify patterns and adjust the program
Keeping the pest device map current — not the original installation map, but the current map reflecting actual device locations after all additions and relocations
Documenting structural assessments as part of each service visit, with maintenance work orders generated for any identified gaps, penetrations, or harborage conditions

💡 PCI Insight — Juan Prieto, ACE · PCQI

The most common statement I hear from QA managers after a pest-related citation is: "But we had pest control." That statement reflects a fundamental misunderstanding of what 21 CFR 117.35(c) requires. Having pest control is the starting point. Demonstrating that pest control is effective — with documented evidence — is the standard. The distance between those two positions is exactly where FDA and GFSI auditors find non-conformances.

The Practical Implication

If an FDA inspector arrived at your facility today and asked you to demonstrate effectiveness of your pest control program under 21 CFR 117.35(c), what would you hand them?

If the answer is service reports and a contract, you have work to do.

If the answer is a corrective action register with verified closures, trend analysis showing program performance over time, a current device map, and documentation of cross-departmental response to findings — you are in a defensible position.

The gap between those two answers is the compliance gap that 21 CFR 117.35(c) was written to address.

Map any finding to its regulatory requirements instantly

FSAI360's free Audit Finding Translator identifies the exact regulations, root causes, corrective actions, and auditor guidance for any pest finding — with scheme-specific guidance for SQF, BRCGS, FSSC 22000, and more.

Try the Translator — Free →