General secure communications requirements and encryption of data at rest/in transit from existing design controls — cryptographic controls formalize algorithm selection, validation, and key management requirements.
FDA Appendix 1.C requires FIPS 140-3 or equivalent strength, explicit prohibition of deprecated algorithms, documented key management preventing cross-device compromise, and prohibition of serial-number-based key derivation.
Algorithm selection (current vs. deprecated), key management architecture (master-key and serial-number key patterns), and protocol downgrade controls — improper cryptographic implementation is a leading cause of exploitable vulnerabilities in otherwise protected devices.
Maps to
FDA Cybersecurity: §Appendix 1.C Cryptography
Requirement text
FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026) recommends that cryptographic algorithms and protocols be implemented to achieve secure-by-design objectives. Manufacturers should select industry-standard cryptographic algorithms and protocols, use current NIST recommended standards (e.g., FIPS 140-3) or equivalent-strength cryptographic protection, and design system architectures that prevent full compromise of any single device from revealing keys for other devices. Deprecated or disallowed cryptographic algorithms should not be implemented.
Why this clause exists
Cryptography is the technical foundation on which authentication, integrity, and confidentiality controls are built — and FDA Appendix 1.C was prompted by the regulatory finding that many medical devices incorporating cryptographic protections had exploitable vulnerabilities due to improper configurations or implementations, even when using otherwise sound algorithms. The specific prohibition on deprecated algorithms and the requirement for FIPS 140-3 or equivalent strength reflect a structural problem in medical device development: devices have 10-15 year market lifespans, during which cryptographic standards evolve; a device deployed with 2010-era cryptography in 2025 may expose patients to attacks using then-current cryptanalysis. The master-key prohibition — preventing full compromise of one device from yielding keys for all others — directly addresses the multi-patient harm risk posed by cryptographic architectures that use shared or device-identifier-derived keys, a finding FDA observed in network-connected infusion pump ecosystems. The prohibition on device serial numbers as keys reflects that serial numbers are disclosed during recalls, creating a correlation between regulatory disclosure and cryptographic compromise.
What changed
FDA's September 2023 final guidance (updated February 2026) Appendix 1.C elevated cryptographic controls from general best-practice references to specific, documented design requirements. The explicit references to FIPS 140-3 (superseding FIPS 140-2), NIST SP 800-131A for transition guidance, and the prohibition on master-key architectures are new. The guidance recognizes that commercial products with cryptographic protections have demonstrated exploitable vulnerabilities due to improper configuration — not algorithmic weakness — making implementation validation a regulatory focus alongside algorithm selection.
Common gaps (what we see in audits)
- Use of deprecated cryptographic algorithms or improper key derivation — Submissions frequently identify cryptographic protections without confirming algorithm currency — devices may implement algorithms with 'legacy use' or deprecated status in current NIST standards. FDA Appendix 1.C requires confirmation that all implemented algorithms are current NIST-recommended or FIPS 140-3 validated and that key derivation does not rely on identifiers (such as serial numbers) that may be publicly disclosed.