ONC's "21st Century Cures Act" Misses the Mark on Encryption

A month ago, ONC shared a draft of the "21st Century Cures Act" in advance of the public comment period. I responded on Twitter with concerns about their peculiar stance on encryption.

Now the public comment portal is open, and I encourage you to add your voice to the conversation!

My comment:

Regarding
IV. Updates to the 2015 Edition Certification Criteria
B. Revised and New 2015 Edition Criteria
6. Privacy and Security Transparency Attestations Criteria
b. Encrypt Authentication Credentials

Self-attestation to be "capable" of encrypting to FIPS 140-2 cryptographic standards is not enough and not aligned with the intention of NIST's cryptographic benchmarking program. Validation of FIPS 140-2 encryption standards via NIST has evolved and is no longer a prohibitive process. There is no reason that it should not be an explicit requirement, just as it is for every other federal agency. The HITECH Act and other healthcare legislation has consistently referred all cryptographic requirements to NIST, referencing FIPS 140-2 validation. Even in this very proposed rule, it states that "We posit that FIPS Publication 140-2 is the seminal, comprehensive, and most appropriate standard." And yet, the rule pivots to "self-attestation" instead of enforcing the very benchmarking test that FIPS 140-2 itself was written to make explicit.

Self-attestation of "capability" means nothing. The FIPS 140-2 standard says that any encryption not tested and validated to meet the standard is considered to be no better than plaintext. Self-attestation would fall squarely into that bucket.

Again, please weigh in on the "21st Century Cures Act", whether specific to encryption or otherwise. While I'm focused on the contradictory stance they have proposed, to reference but not actually follow FIPS 140-2, it's critically important for all points of view to be represented. The deadline is Friday, May 3, 2019 at 11:59 PM Eastern. I also welcome dialogue on Twitter!